
CISM: Overview of domains - Infosec Resources http://web.archive.org/web/20220815192710/https://resources.infosecinstitute.com/certification/cis...


CISM: Overview of domains


July 5, 2019 by Lester Obbayi

Although CISM certification is multi-faceted and requires knowledge of a number of academic, technical, and
career-based subjects, the core of the exam is to understand the four primary domains that make up the CISM
certification. Future articles will drill deeper into each of these domains, but this article should provide you with a
high-altitude look at the domains and what knowledge they represent.


What domains are covered on the CISM exam?


CISM candidates are examined on the four job practice areas (domains) listed below. Since ISACA moved the exam to
computer-based testing in 2017 it consists of 150 multiple-choice questions, to be completed in four hours. To pass,
a scaled score of 450 or higher on a 200-to-800 scale is required. Candidates see a preliminary pass/fail result on
screen at the end of the exam; ISACA releases the official score afterwards, typically within ten working days. The
four domains are:

Information Security Governance


Information Risk Management


Information Security Program Development and Management


Information Security Incident Management


How often are the domains updated?

ISACA periodically reviews the CISM job practice (the domains and their task and knowledge statements) so that it
keeps pace with current practice, but changes large enough to materially alter the examination are infrequent. As of
this writing, the domains themselves are unchanged from the 2017 job practice.

How much is each domain covered on the exam?

Domain weighting matters because it tells candidates how to apportion study time. Candidates who plan their study
around the weights spend less effort on lower-weighted topics and are more likely to pass the examination.

The CISM exam is weighted as follows:

Information Security Governance: 24%

Information Risk Management: 30%

Information Security Program Development and Management: 27%

Information Security Incident Management: 19%

What topics (tasks/knowledge statements) are covered in each domain?

Each domain is defined by task statements and knowledge statements. Task statements describe the activities a CISM
may be required to perform in an organization; knowledge statements describe what a CISM needs to know in order to
perform those tasks. Each domain has its own set of both, and a summary of each follows. The complete listing of task
and knowledge statements is published by ISACA in the CISM job practice (exam content outline).

ISACA has reorganized the CISM manual, categorizing each of the chapters into two main sections. In Section
One, the manual covers the corresponding knowledge and task statements that are tested within the
examination. In Section Two, the manual contains reference material and content that supports knowledge
statements. These two sections are important in preparing for the examination.

Information security governance (ISG)


In this domain, CISM candidates need to know the outcomes of effective ISG and the management responsibilities that
produce them. They should also study ISACA's Business Model for Information Security (BMIS): its four elements
(organization design and strategy, people, process and technology) and the six dynamic interconnections among them
(governing, culture, enabling and support, emergence, human factors and architecture).

Among the concepts that are considered important for candidates is Security Metrics, which involves the
description of how a quantitative and periodic assessment of security performance is to be effectively measured.

The domain also covers how the effectiveness of each governance outcome is measured. Taking Value Delivery as the
outcome, for example, effectiveness can be judged by asking:

Is the cost of security proportional to the value of the asset? We would not be delivering value if, say, the controls
cost twice what the asset is worth.

Are the controls tested periodically? We would not be delivering value if the controls we put in place are not being
adequately tested.

From COBIT, candidates need to understand the capability maturity model, particularly levels 3, 4 and 5.

Under strategy resources, candidates need to know two architecture frameworks, Zachman and SABSA. ISACA also includes
a few questions from EA2F. Candidates need to understand defense in depth as well: the actions to be taken for
prevention, detection, containment, evidence collection, and recovery or restoration of business processes.

Finally, candidates need to understand metrics: how to define them and how to produce them for upper management.

ISG as of 2018 has nine task statements and 20 knowledge statements. The task statements are:

Establish and/or maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and/or ongoing management of the information security program.

Establish and/or maintain an information security governance framework to guide activities that support the information security strategy.

Integrate information security governance into corporate governance to ensure that organizational goals and objectives are supported by the information security program.

Establish and maintain information security policies to guide the development of standards, procedures and guidelines in alignment with enterprise goals and objectives.

Develop business cases to support investments in information security.

Identify internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) to ensure that these factors are continually addressed by the information security strategy.

Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy.

Define, communicate, and monitor information security responsibilities throughout the organization (e.g., data owners, data custodians, end users, privileged or high-risk users) and lines of authority.

Establish, monitor, evaluate and report key information security metrics to provide management with accurate and meaningful information regarding the effectiveness of the information security strategy.

Information risk management (IRM)


Candidates will need to understand the organization’s risk management strategy and how it relates to
information technology. In order for this to be done, they will be required to understand the organization’s
priorities regarding risk. Clear roles and responsibilities therefore need to be defined and included within
different job descriptions at the organization.

Candidates need to be comfortable with several concepts: threats, vulnerabilities, exposures, impact, recovery time
objective (RTO), recovery point objective (RPO), service delivery objectives (SDOs) and acceptable interruption window
(AIW). All of these are covered in the 2018 CISM review manual.

A few basic steps should be observed when implementing IRM. Normally the scope and boundaries are determined first,
followed by a risk assessment. A risk treatment plan is then designed to reduce risk to an acceptable level. The
residual risk is accepted and communicated, and the controls are monitored to confirm that they actually work.

Candidates should bear in mind that there is no single right methodology for a risk assessment. It is a progressive
exercise that begins with asset valuation and moves on to threat and vulnerability assessment. The risk is then
evaluated, the controls to be applied are selected, and the residual risk is discussed and communicated to management.

Once the risk has been assessed, the organization's options are to avoid, mitigate, transfer or accept it. The value
placed on an information resource determines how much the organization should be willing to spend protecting it.

CISMs can set control baselines against which to measure how effective their IRM programs are.
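The procedure above, as an added worked example that is not part of the original article or of ISACA's material: a small risk register that scores inherent risk from likelihood and impact on constructed 1-to-5 scales, applies the registered controls to obtain residual risk, compares the residual against an assumed organizational risk appetite and tolerance to choose a treatment (accept, mitigate, transfer or avoid), and flags the two Value Delivery questions from the governance domain, controls costing more than the asset is worth and controls that have never been tested. The assets, values, scales and thresholds are all invented for illustration.

```python
"""Toy risk register: inherent vs. residual risk, appetite check and treatment choice.

Added example. Scales, thresholds and the sample assets below are constructed
for illustration; they are not taken from the CISM review manual.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed ordinal scales (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: int = 0        # likelihood levels the control removes
    impact_reduction: int = 0            # impact levels the control removes
    last_tested: Optional[str] = None    # ISO date of the last effectiveness test, if any


@dataclass
class Risk:
    asset: str
    asset_value: float                   # business value from asset valuation (currency units)
    threat: str
    vulnerability: str
    likelihood: str                      # key into LIKELIHOOD
    impact: str                          # key into IMPACT
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Risk score before any control: likelihood x impact (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        """Score after the registered controls; neither factor drops below 1."""
        lik = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(lik, 1) * max(imp, 1)

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)


def treatment(risk: Risk, appetite: int, tolerance: int) -> str:
    """Map residual risk to a treatment option.

    appetite:  highest residual score management accepts without further action.
    tolerance: highest residual score the organization will run at all; above it
               the activity itself should be avoided.
    """
    residual = risk.residual()
    if residual <= appetite:
        return "accept"
    if residual > tolerance:
        return "avoid"
    if risk.control_cost() >= risk.asset_value:
        return "transfer"   # more controls would cost more than the asset; insure instead
    return "mitigate"


def value_delivery_findings(risk: Risk) -> List[str]:
    """The two Value Delivery checks: proportional cost and periodic control testing."""
    findings = []
    if risk.control_cost() > risk.asset_value:
        findings.append(f"{risk.asset}: controls cost {risk.control_cost():.0f} "
                        f"but the asset is valued at {risk.asset_value:.0f}")
    for c in risk.controls:
        if c.last_tested is None:
            findings.append(f"{risk.asset}: control '{c.name}' has never been tested")
    return findings


def register_report(risks: List[Risk], appetite: int = 6, tolerance: int = 16) -> List[Dict]:
    """One row per risk: the documented record that management is given."""
    return [{
        "asset": r.asset,
        "threat": r.threat,
        "inherent": r.inherent(),
        "residual": r.residual(),
        "treatment": treatment(r, appetite, tolerance),
        "findings": value_delivery_findings(r),
    } for r in risks]


# Constructed sample register entries.
SAMPLE_RISKS = [
    Risk("customer database", 2_000_000, "external attacker", "unpatched DBMS",
         "likely", "severe", controls=[
             Control("patch management", 40_000, likelihood_reduction=2, last_tested="2019-03-01"),
             Control("database encryption", 25_000, impact_reduction=1, last_tested="2019-01-15"),
         ]),
    Risk("lobby kiosk", 3_000, "vandal", "physically exposed", "possible", "negligible",
         controls=[Control("tamper-resistant enclosure", 5_000, likelihood_reduction=1)]),
    Risk("payroll file share", 500_000, "insider", "share open to all staff",
         "almost certain", "severe"),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS):
        print(row)
```

The register is deliberately ordinal rather than monetary: the point of the exercise is that the residual score, not the inherent one, drives the treatment decision, and that a control which costs more than the asset or has never been tested is a governance finding even when the residual is acceptable.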

Regarding the topics, IRM has nine task statements and 19 knowledge statements. The task statements are:

Establish and/or maintain a process for information asset classification to ensure that measures taken to protect assets are proportional to their business value.

Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels.

Ensure that risk assessments, vulnerability assessments and threat analyses are conducted consistently, at appropriate times, and to identify and assess risk to the organization’s information.

Identify, recommend or implement appropriate risk treatment/response options to manage risk to acceptable levels based on organizational risk appetite.

Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.

Facilitate the integration of information risk management into business and IT processes (e.g., systems development, procurement, project management) to enable a consistent and comprehensive information risk management program across the organization.

Monitor for internal and external factors (e.g., key risk indicators [KRIs], threat landscape, and geopolitical, regulatory change) that may require reassessment of risk to ensure that changes to existing, or new, risk scenarios are identified and managed appropriately.

Report noncompliance and other changes in information risk to facilitate the risk management decision-making process.

Ensure that information security risk is reported to senior management to support an understanding of potential impact on the organizational goals and objectives.

Candidates should also note that everything performed in IRM must be documented. Small things come in handy, such as
keeping a risk register and a controls register, as well as records of the annual statement given to management on
the current state of risk in the organization.

Information Security Program Development and Management (ISPDM)

Candidates should note that, for an information security program to be effective, it must reduce information and
information technology risk to an acceptable level at a cost in proportion to the magnitude and frequency of the
potential loss, not at any cost. Candidates should be aware that the challenges CISMs most often meet in organizations
are people, process and policy issues that conflict with program objectives.

The CISM manual outlines the constraints on developing an InfoSec roadmap. The most important of these are
legal and regulatory requirements, ethics, and personnel. For example, some personnel challenges might be that
HR is doing sporadic background checks while untrained staff members are doing the screenings.

ISACA pays a lot of attention to the SABSA methodology, so candidates should prepare for that. Candidates
should also note that the objective of ISPDM is to implement the strategy in the most cost-effective manner,
while at the same time minimizing the impact to business functions. Candidates will need to know how to define
the goal or desired outcome, define the objectives that should be met, define the residual risk, and define the
desired state.

ISPDM has 10 task statements and 16 knowledge statements. The task statements are:

Establish and/or maintain the information security program in alignment with the information security strategy.

Align the information security program with the operational objectives of other business functions (e.g., human resources [HR], accounting, procurement and IT) to ensure that the information security program adds value to and protects the business.

Identify, acquire and manage requirements for internal and external resources to execute the information security program.

Establish and maintain information security processes and resources (including people and technologies) to execute the information security program in alignment with the organization’s business goals.

Establish, communicate and maintain organizational information security standards, guidelines, procedures and other documentation to guide and enforce compliance with information security policies.

Establish, promote and maintain a program for information security awareness and training to foster an effective security culture.

Integrate information security requirements into organizational processes (e.g., change control, mergers and acquisitions, system development, business continuity, disaster recovery) to maintain the organization’s security strategy.

Integrate information security requirements into contracts and activities of third parties (e.g., joint ventures, outsourced providers, business partners, customers) and monitor adherence to established requirements in order to maintain the organization’s security strategy.

Establish, monitor and analyze program management and operational metrics to evaluate the effectiveness and efficiency of the information security program.

Compile and present reports to key stakeholders on the activities, trends and overall effectiveness of the IS program and the underlying business processes in order to communicate security performance.

Information security incident management (ISIM)


Many consider this the most important domain, because recovery from an incident is what ensures continuity of the
business. The goal of incident management is to manage and respond to unexpected disruptive events so that their
impact is kept within acceptable levels. Incident management is closely tied to business continuity planning and
disaster recovery planning, and the CISM is expected to keep the three plans integrated.

One outcome of ISIM is that, with adequate training, planning and testing, incidents are identified and contained and
their root cause is addressed, allowing recovery within the acceptable interruption window (AIW).

There are three technologies candidates should associate with ISIM: network intrusion detection systems (NIDSs), host
intrusion detection systems (HIDSs), and logs (from systems, databases, operating systems or applications). Note that
SIEM (security information and event management) is the technology that collects, normalizes and correlates the output
of HIDSs, NIDSs and logs so that incidents can be detected and classified from them.
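The three technologies above are what a SIEM consumes. As an added example, not from the original article and not real tool output, the following Python normalizes constructed auth-log, NIDS and HIDS lines into one event shape, enriches network alerts with a constructed asset inventory, and correlates events per host within a five-minute window, assigning a severity by how many independent sources corroborate the activity; this is the incident definition and severity hierarchy that the domain's task statements call for, in miniature. The log formats, rule names, thresholds and hostnames are all assumptions.

```python
"""Added example: SIEM-style normalization and correlation of HIDS, NIDS and log events.

The log lines, asset inventory, rule names and thresholds below are constructed
for illustration; they are not real tool output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    ts: datetime
    source: str    # "auth", "nids" or "hids"
    host: str      # the asset the event concerns
    detail: str


# Constructed asset inventory used to enrich network alerts (destination IP -> hostname).
ASSETS = {"10.0.0.5": "web01", "10.0.0.9": "db01"}

# Constructed line format: "<ISO time> <reporting host> <program>[pid]: <message>".
SYSLOG = re.compile(r"^(\S+) (\S+) (\w+)(?:\[\d+\])?: (.*)$")
AUTH_FAIL = re.compile(r"Failed password for (\S+) from (\S+)")
NIDS_ALERT = re.compile(r"(\w+) src=(\S+) dst=(\S+)")


def parse_line(line: str) -> Optional[Event]:
    """Normalize one raw line into an Event, or None if it is not a recognised format."""
    m = SYSLOG.match(line.strip())
    if not m:
        return None
    ts, reporter, program, msg = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    if program == "sshd":
        a = AUTH_FAIL.search(msg)
        if a:
            return Event(when, "auth", reporter, f"failed login for {a.group(1)} from {a.group(2)}")
    elif program == "nids":
        n = NIDS_ALERT.match(msg)
        if n:
            # The sensor reports IPs; resolve the destination to the asset it protects.
            return Event(when, "nids", ASSETS.get(n.group(3), n.group(3)),
                         f"{n.group(1)} from {n.group(2)}")
    elif program == "hids":
        return Event(when, "hids", reporter, msg)
    return None


WINDOW = timedelta(minutes=5)
AUTH_THRESHOLD = 5                       # failed logins in one window worth a low-severity ticket
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def classify(window: List[Event]) -> Optional[str]:
    """Severity from corroboration: more independent sources agreeing means higher severity."""
    sources = {e.source for e in window}
    auth_failures = sum(1 for e in window if e.source == "auth")
    if len(sources) == 3:
        return "high"
    if len(sources) == 2:
        return "medium"
    if auth_failures >= AUTH_THRESHOLD:
        return "low"
    return None


def correlate(events: List[Event]) -> Dict[str, Dict]:
    """Slide a WINDOW over each host's events and keep the worst classification per host."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    incidents: Dict[str, Dict] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e.ts - first.ts <= WINDOW]
            sev = classify(window)
            if sev and (host not in incidents
                        or SEVERITY_RANK[sev] > SEVERITY_RANK[incidents[host]["severity"]]):
                incidents[host] = {"host": host, "severity": sev, "start": first.ts,
                                   "sources": sorted({e.source for e in window}),
                                   "events": len(window)}
    return incidents


def run(lines: List[str]) -> Tuple[Dict[str, Dict], int]:
    """Parse, correlate, and report how many lines the parsers dropped (a visibility gap)."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    return correlate(events), len(lines) - len(events)


# Constructed sample feed: a brute force against web01 seen by three sources, plus noise.
SAMPLE_LINES = [
    "2019-07-05T10:00:01Z web01 sshd[4242]: Failed password for root from 203.0.113.7 port 51522 ssh2",
    "2019-07-05T10:00:02Z web01 sshd[4242]: Failed password for root from 203.0.113.7 port 51523 ssh2",
    "2019-07-05T10:00:03Z web01 sshd[4242]: Failed password for admin from 203.0.113.7 port 51524 ssh2",
    "2019-07-05T10:00:04Z nids01 nids: SSH_BRUTE_FORCE src=203.0.113.7 dst=10.0.0.5",
    "2019-07-05T10:00:05Z web01 sshd[4242]: Failed password for admin from 203.0.113.7 port 51525 ssh2",
    "2019-07-05T10:00:06Z web01 sshd[4242]: Failed password for root from 203.0.113.7 port 51526 ssh2",
    "2019-07-05T10:00:09Z web01 hids: NEW_SUID_BINARY path=/tmp/.x owner=root",
    "2019-07-05T10:30:00Z db01 sshd[811]: Failed password for backup from 10.0.0.44 port 40010 ssh2",
    "this line is not in any format the collector understands",
]

if __name__ == "__main__":
    found, dropped = run(SAMPLE_LINES)
    for inc in found.values():
        print(inc)
    print(f"{dropped} line(s) dropped by the parsers")
```

Two design points worth noting: the NIDS alert only becomes useful once its destination IP is mapped to the asset the other two sources name, which is why asset inventory is part of the SIEM and not an afterthought; and the dropped-line count is returned deliberately, because lines the parsers cannot read are exactly where an incident can hide.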

Candidates should be familiar with the advantages and disadvantages as well as the contents of the six types of
recovery sites (hot, cold, warm, mobile, mirror and duplicate information processing facilities). Familiarity with
the concepts of network recovery, such as redundancy, alternative routing, diverse routing, long-haul network
diversity, and voice recovery, is also encouraged.

ISIM has 10 task statements and 18 knowledge statements. The task statements are:

Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents to allow accurate classification and categorization of and response to incidents.

Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.

Develop and implement processes to ensure the timely identification of information security incidents that could impact the business.

Establish and maintain processes to investigate and document information security incidents in order to determine the appropriate response and cause while adhering to legal, regulatory and organizational requirements.

Establish and maintain incident notification and escalation processes to ensure that the appropriate stakeholders are involved in incident response management.

Organize, train and equip incident response teams to respond to information security incidents in an effective and timely manner.

Test, review and revise (as applicable) the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.

Establish and maintain communication plans and processes to manage communication with internal and external entities.

Conduct post-incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.

Establish and maintain integration among the incident response plan, business continuity plan and disaster recovery plan.

Candidates should note that in some cases within this domain the availability of evidence is a requirement,
particularly where the incident is malicious and may go to trial. The ISIM plan therefore needs to account for
evidence: it must be collected and protected so that its integrity can be demonstrated, and a chain of custody must be
maintained in preparation for court.
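As an added example of the evidence handling this paragraph calls for (not code from the original article): a hash-chained chain-of-custody record in Python. The evidence is hashed at acquisition, every handover re-hashes the item and is refused if the hash differs or if the party handing it over is not the recorded holder, and each log entry embeds the hash of the previous entry so that editing or deleting an entry later is detectable. Item IDs, names, dates and the evidence bytes are constructed.

```python
"""Added example: tamper-evident chain-of-custody record for a piece of digital evidence.

Names, dates and the evidence bytes below are constructed for illustration.
"""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # previous-entry hash for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only log of who held an evidence item, each entry hash-chained to the last.

    The evidence hash is fixed at acquisition; every handover re-hashes the item and is
    refused if it no longer matches, so alteration while in anyone's custody is visible.
    """

    def __init__(self, item_id: str, description: str, data: bytes, collector: str, when: str):
        self.item_id = item_id
        self.description = description
        self.evidence_hash = sha256_hex(data)
        self.entries: List[Dict] = []
        self._append("acquired", collector, None, when, self.evidence_hash)

    def _append(self, action: str, holder: str, recipient: Optional[str], when: str, observed: str):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"item_id": self.item_id, "action": action, "holder": holder,
                 "recipient": recipient, "time": when, "observed_hash": observed,
                 "prev_entry_hash": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)

    def current_holder(self) -> Optional[str]:
        """Custody moves only on acquisition and on an accepted transfer."""
        holder = None
        for e in self.entries:
            if e["action"] == "acquired":
                holder = e["holder"]
            elif e["action"] == "transferred":
                holder = e["recipient"]
        return holder

    def transfer(self, holder: str, recipient: str, data: bytes, when: str) -> bool:
        """Record a handover; refuses, and records the refusal, on a custody gap or hash mismatch."""
        observed = sha256_hex(data)
        if holder != self.current_holder():
            self._append("rejected_custody_gap", holder, recipient, when, observed)
            return False
        if observed != self.evidence_hash:
            self._append("rejected_integrity_failure", holder, recipient, when, observed)
            return False
        self._append("transferred", holder, recipient, when, observed)
        return True

    def verify_log(self) -> bool:
        """Recompute the hash chain; an edited, reordered or deleted entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_entry_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


# Constructed evidence: stands in for a disk image or an exported log file.
EVIDENCE = b"constructed disk image of web01, acquired 2019-07-05\n"


def demo() -> CustodyLog:
    """Acquire, hand over once cleanly, then show a tampered copy and a custody gap being refused."""
    log = CustodyLog("EV-2019-0042", "web01 disk image", EVIDENCE, "A. Analyst", "2019-07-05T11:00:00Z")
    log.transfer("A. Analyst", "B. Examiner", EVIDENCE, "2019-07-05T15:00:00Z")
    tampered = EVIDENCE.replace(b"web01", b"web02")
    log.transfer("B. Examiner", "C. Counsel", tampered, "2019-07-06T09:00:00Z")
    log.transfer("M. Outsider", "C. Counsel", EVIDENCE, "2019-07-06T09:30:00Z")
    return log


if __name__ == "__main__":
    record = demo()
    for entry in record.entries:
        print(entry["time"], entry["action"], entry["holder"], "->", entry["recipient"])
    print("log intact:", record.verify_log())
```

The refusals are recorded rather than silently dropped on purpose: a court will want to see not only that custody was unbroken but that the process caught the attempts that would have broken it.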


Conclusion

This overview sets out what candidates should cover and need to know before taking the CISM exam: the topics examined,
the percentage weight of each domain, and the important concepts within each that deserve emphasis. We hope it proves a
valuable time-saver for candidates who plan their study for the examination strategically.


Author

Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest
in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.



©2022 Infosec Institute, Inc.

