OnlineAnywhere – On-Demand Official ISACA CISM

CISM Self-Assessment
Video Content
Interactive Content
Downloadable Workbooks and Job Aids
Case Study Activities
Practice Exam

Domain 1 – Information Security Governance 

• Describe the role of governance in creating value for the enterprise.
• Explain the importance of information security governance in the context of overall enterprise governance.
• Describe the influence of enterprise leadership, structure and culture on the effectiveness of an information security strategy.
• Identify the relevant legal, regulatory and contractual requirements that impact the enterprise.
• Describe the effects of the information security strategy on enterprise risk management.
• Evaluate the common frameworks and standards used to govern an information security strategy.
• Explain why metrics are critical in developing and evaluating the information security strategy.

Domain 2 – Information Security Risk Management

• Apply risk assessment strategies to reduce the impact of information security risk.
• Assess the types of threats faced by the enterprise.
• Explain how security control baselines affect vulnerability and control deficiency analysis.
• Differentiate between application of risk treatment types from an information security perspective.
• Describe the influence of risk and control ownership on the information security program.
• Outline the process of monitoring and reporting information security risk.

Domain 3 – Information Security Program 

• Outline the components and resources used to build an information security program.
• Distinguish between common IS standards and frameworks available to build an information security program.
• Explain how to align IS policies, procedures and guidelines with the needs of the enterprise.
• Describe the process of defining an IS program road map.
• Outline key IS program metrics used to track and report progress to senior management.
• Explain how to manage the IS program using controls.
• Create a strategy to enhance awareness and knowledge of the information security program.
• Describe the process of integrating the security program with IT operations and third-party providers.
• Communicate key IS program information to relevant stakeholders.

Domain 4 – Incident Management

• Distinguish between incident management and incident response
• Outline the requirements and procedures necessary to develop an incident response plan.
• Identify techniques used to classify or categorize incidents.
• Outline the types of roles and responsibilities required for an effective incident management and response team
• Distinguish between the types of incident management tools and technologies available to an enterprise.
• Describe the processes and methods used to investigate, evaluate and contain an incident.
• Identify the types of communications and notifications used to inform key stakeholders of incidents and tests.
• Outline the processes and procedures used to eradicate and recover from incidents.
• Describe the requirements and benefits of documenting events.
• Explain the relationship between business impact, continuity and incident response.
• Describe the processes and outcomes related to disaster recovery.
• Explain the impact of metrics and testing when evaluating the incident response plan.