According to ISACA, the CISM certification is changing to reflect the new CISM job practice analysis. (Source: ISACA’s CISM Review Manual 2012 p. iii)
ISACA has reformatted the CISM changing it from five domains to four domains. They have combined the Information Security Program Development and Information Security Program Management domains into one domain entitled Information Security Program Development and Management. The weighting of the domains has also changed. Domain 1 – Information Security Governance has been raised to 24% from 23%; Domain 2 – Information Risk Management and Compliance has been raised from 22% to 33%; the combined Domain 3 – Information Security Program Development and Management has been dropped from a combined total of 41% to 25% and the last domain, Domain 4 – Information Security Incident Management has been raised from 14% to 18%.
Domain 1 changes include expanded task and knowledge statements with the emphasis being on “Establishing and maintaining” versus “Developing and Identifying.”
Domain 2 changes include a substantial increase in the focus on Compliance. Additional task and knowledge statements have been added which, as in Domain 1, shift the focus to “Establishing and maintaining” as well as adding in the statements for “Managing information risk to an acceptable level to meet the business and compliance requirements of the organization.” (Source: ISACA’s CISM Review Manual 2012 p. 76)
Domain 3 combined the old domain 3 and domain 4 and we now find that Information Security Program Development and Management is in a single domain. As is the case with the first two domains, the emphasis has shifted here as well, going from establishing to establishing and maintaining.
Domain 4 – even here we find the same shift in emphasis, for example 6 of the 10 task statements start with “Establish and Maintain” whereas in the 2011 version, not a single task statement started that way.
Clearly the emphasis for management has taken on a more active role in Information Security Management, and it is clear in the expanded role definitions in Domain 1 that management is being tasked with active participation in information security.