Certified Information Security Manager (CISM)

Course Overview

This course teaches students about information security governance, information risk management, and information security program management. It enables students to see information risk management as the basis of information security and to know how to use the tools that mitigate risks as they arise. Additionally, material on broader issues is included, such as how to govern information security, along with practical issues, which include developing and managing an information security program that enables quick response to incidents and risk mitigation. This hands-on training course is designed to prepare students with the skills they need both to pass the CISM certification exam and to be equipped to assume and maintain security management level

Course Objectives


Course Learning Outcomes


Module 1 Introduction

Module 2 Domain 01 - Information Security Governance

Module 3 Domain 02 - Information Risk Management

Module 4 Domain 03 - Information Security Program Development

Module 5 Domain 04 - Information Security Incident Management

Module 6 Conclusion

Course Learning Syllabus

Introduction

Lecturer Introduction

Importance of this course

What you will learn in this course

Domain 01 - Information Security Governance

Lesson 1: Information Security Governance Overview

Information Security Governance Overview

Importance of Information Security Governance

Outcomes of Information Security Governance

Lesson 2: Effective Information Security Governance

Business Goals and Objectives

Roles and Responsibilities of Senior Management

Governance, Risk Management and Compliance

Business Model for Information Security

Dynamic Interconnections

Lesson 3: Information Security Concepts and Technologies

Information Security Concepts and Technologies


Lesson 4: Information Security Manager


Senior Management Commitment

Obtaining Senior Management Commitment

Establishing Reporting and Communication Channels

Lesson 5: Scope and Charter of Information Security Governance

Assurance Process Integration and Convergence


Governance and Third-Party Relationships

Lesson 6: Information Security Governance Metrics


Effective Security Metrics

Security Implementation Metrics

Strategic Alignment

Risk Management

Value Delivery

Resource Management

Performance Measurement

Assurance Process Integration/Convergence

Lesson 7: Information Security Strategy Overview

Another View of Strategy

Lesson 8: Creating Information Security Strategy

Information Security Strategy

Common Pitfalls

Objectives of the Information Security Strategy

What is the Goal?

Defining Objectives

Business Linkages

Business Case Development

Business Case Objectives

The Desired State


COBIT Controls

COBIT Framework

Capability Maturity Model

Balanced Scorecard

Architectural Approaches

ISO/IEC 27001 and 27002

Risk Objectives

Lesson 9: Determining Current State Of Security

Current Risk


Lesson 10: Information Security Strategy Development

Elements of a Strategy

The Roadmap

Strategy Resources and Constraints

Lesson 11: Strategy Resources

Policies and Standards


Enterprise Information Security Architectures
Organizational Structure

Employee Roles and Responsibilities



Compliance Enforcement

Threat Assessment

Vulnerability Assessment

Risk Assessment


Business Impact Assessment

Outsourced Security Providers

Lesson 12: Strategy Constraints

Legal and Regulatory Requirements

Physical Constraints

The Security Strategy

Lesson 13: Action Plan to Implement Strategy

Gap Analysis

Policy Development

Standards Development

Training and Awareness

Action Plan Metrics

General Metric Considerations

CMM4 Statements

Objectives for CMM4


Domain 02 - Information Risk Management

Lesson 1: Risk Management Overview

Types of Risk Analysis

The Importance of Risk Management

Risk Management Outcomes

Risk Management Strategy

Lesson 2: Good Information Security Risk Management

Context and Purpose

Scope and Charter


Other Risk Management Goals

Roles and Responsibilities

Lesson 3: Information Security Risk Management Concepts


Lesson 4: Implementing Risk Management

The Risk Management Framework

The External Environment

The Internal Environment

The Risk Management Context

Gap Analysis

Other Organizational Support

Risk Analysis

Lesson 5: Risk Assessment

NIST Risk Assessment Methodology

Aggregated or Cascading Risk

Other Risk Assessment Approaches

Identification of Risks

Analysis of Relevant Risks

Risk Analysis

Semi-Quantitative Analysis

Quantitative Analysis Example

Evaluation of Risks

Risk Treatment Options


Lesson 6: Controls and Countermeasures


Residual Risk

Information Resource Valuation

Methods of Valuing Assets

Information Asset Classification

Determining Classification


Lesson 7: Recovery Time Objectives

Recovery Point Objectives

Service Delivery Objectives

Third-Party Service Providers

Working with Lifecycle Processes

IT System Development

Project Management

Lesson 8: Risk Monitoring and Communication

Risk Monitoring and Communication

Other Communications


Domain 03 - Information Security Program Development

Lesson 1: Development of Information Security Program

Importance of the Program

Outcomes of Security Program Development

Effective Information Security Program Development

Lesson 2: Information Security Program Objectives

Program Objectives

Defining Objectives

Cross Organizational Responsibilities

Lesson 3: Information Security Program Development Concepts

Technology Resources

Information Security Manager

Lesson 4: Scope and Charter of Information Security Program Development

Assurance Function Integration

Challenges in Developing Information Security Program


Objectives of the Security Program

Program Goals

The Steps of the Security Program

Defining the Roadmap

Elements of the Roadmap

Gap Analysis

Lesson 5: Information Security Management Framework

Security Management Framework


ISO/IEC 27001

Lesson 6: Information Security Framework Components

Operational Components

Management Components

Administrative Components

Educational and Informational Components

Lesson 7: Information Security Program Resources

Enterprise Architecture

Controls as Strategy Implementation Resources

Common Control Practices

Security Awareness

Awareness Topics

Formal Audits

Compliance Enforcement

Project Risk Analysis

Other Actions

Other Organizational Support

Program Budgeting

Lesson 8: Implementing an Information Security Program

Policy Compliance

Standards Compliance

Training and Education

ISACA Control Objectives

Third-Party Service Providers

Integration into Lifecycle Processes

Monitoring and Communication


The Plan of Action

Lesson 9: Information Infrastructure and Architecture

Managing Complexity

Objectives of Information Security Architectures

Physical and Environmental Controls

Lesson 10: Information Security Program

Information Security Program Deployment Metrics


Strategic Alignment

Risk Management

Value Delivery

Resource Management

Assurance Process Integration

Performance Measurement

Security Baselines

Lesson 11: Security Program Services and Operational Activities

IS Liaison Responsibilities

Cross-Organizational Responsibilities

Security Reviews and Audits

Management of Security Technology

Due Diligence

Compliance Monitoring and Enforcement

Assessment of Risk and Impact

Outsourcing and Service Providers

Cloud Computing

Integration with IT Processes


Domain 04 - Information Security Incident Management

Lesson 1: Incident Management Overview

Incident Management Overview

Types of Events

Goals of Incident Management

Lesson 2: Incident Response Procedures

Incident Response Procedures

Importance of Incident Management

Outcomes of Incident Management

Incident Management


Incident Management Systems

Lesson 3: Incident Management Organization

Incident Management Organization


Senior Management Commitment

Lesson 4: Incident Management Resources

Policies and Standards

Incident Response Technology Concepts


Roles and Responsibilities (eNotes)


Awareness and Education


Lesson 5: Incident Management Objectives

Defining Objectives

The Desired State

Strategic Alignment

Other Concerns

Lesson 6: Incident Management Metrics and Indicators

Implementation of the Security Program Management

Management Metrics and Monitoring

Other Security Monitoring Efforts

Lesson 7: Current State of Incident Response Capability

Lesson 8: Developing an Incident Response Plan

Elements of an Incident Response Plan

Gap Analysis


Escalation Process for Effective IM

Help Desk Processes for Identifying Security Incidents

Incident Management and Response Teams

Organizing, Training, and Equipping the Response Staff

Incident Notification Process

Challenges in Making an Incident Management Plan

Lesson 9: BCP/DRP

Goals of Recovery Operations

Choosing a Site Selection

Implementing the Strategy

Incident Management Response Teams

Network Service High-availability

Storage High-availability

Risk Transference

Other Response Recovery Plan Options

Lesson 10: Testing Response and Recovery Plans

Periodic Testing

Analyzing Test Results

Measuring the Test Results

Lesson 11: Executing the Plan

Updating the Plan

Intrusion Detection Policies

Who to Notify about an Incident

Recovery Operations

Other Recovery Operations

Forensic Investigation

Hacker / Penetration Methodology


Conclusion

Wrap-Up