CISM: Overview of Domains
In this article
- Information Risk Management in CISM
- Information Security Governance in CISM
- Information Security Incident Management in CISM
- Information Security Program Development Management in CISM
Although CISM certification is multi-faceted and requires knowledge of a number of academic, technical, and career-based subjects, the core of the exam is to understand the four primary domains that make up the CISM certification. Future articles will drill deeper into each of these domains, but this article should provide you with a high-altitude look at the domains and what knowledge they represent.
CISM candidates should expect to cover the four job practice areas that make up the CISM domains. The exam contains 200 multiple-choice questions, to be completed in four hours. To pass, a candidate needs a scaled score of 450 or higher; if the candidate passes, the results are mailed within eight weeks. The four domains are:
To remain relevant, the CISM domains are updated frequently; however, major changes that would result in a significant impact on the examination are seldom made. As of this writing, ISACA has not made any significant changes to the domains themselves.
Domain coverage within an examination matters because it helps candidates estimate accurately how much time and energy to devote to each area of study. Candidates who plan their study properly spend less energy on lower-priority topics and are more likely to pass the examination.
The CISM exam is structured as follows:
Candidates will encounter a number of task and knowledge statements in the exam. Task statements describe the activities that CISMs may be required to perform at an organization, while knowledge statements are the standards that are used to measure, assess, and manage risks. Each domain has its own set of task and knowledge statements and we shall have a look at a summary of these. Note that the complete listing of task and knowledge statements can be found here.
ISACA has reorganized the CISM manual, categorizing each of the chapters into two main sections. In Section One, the manual covers the corresponding knowledge and task statements that are tested within the examination. In Section Two, the manual contains reference material and content that supports knowledge statements. These two sections are important in preparing for the examination.
Information Security Governance (ISG)
In this domain, CISM candidates need to know the relationship between the outcomes of effective ISG and management responsibilities. They should also study the business model for information security and understand the interrelations among its elements: organization design and strategy, people, process and technology. Candidates also need to understand the interconnections between those elements: governance, culture, enabling and support, emergence, human factors and architecture.
Among the concepts considered important for candidates is security metrics, which describe how security performance is measured quantitatively and at regular intervals.
The domain also features a way of measuring the effectiveness of its outcomes. For example, if we are to consider Value Delivery as an outcome, effectiveness can be measured by considering the following:
Within Strategy Resources, candidates will need to know the two security architecture frameworks, Zachman and SABSA. ISACA also includes a few questions from EA2F. Candidates will further need to understand “defense in depth,” which is tested as the actions to be taken for prevention, containment, detection, evidence collection, and recovery or restoration of business processes.
Finally, candidates will need to understand metrics: how to define them and how to produce them for upper management.
ISG as of 2018 has nine task statements and 20 knowledge statements. The task statements are:
Information Risk Management (IRM)
Candidates will need to understand the organization’s risk management strategy and how it relates to information technology. To do so, they must understand the organization’s priorities regarding risk. Clear roles and responsibilities therefore need to be defined and included in the relevant job descriptions across the organization.
Candidates will need to memorize several concepts: threats, vulnerabilities, exposures, impact, recovery time objective (RTO), recovery point objective (RPO), service delivery objectives (SDOs) and acceptable interruption window (AIW). All of these topics are found in the 2018 CISM review manual.
A few basic steps should be observed when implementing IRM. First the scope and boundaries are determined, then a risk assessment is performed. A risk treatment plan is then designed to reduce risk to an acceptable level, the residual risk is accepted and communicated, and the controls in place are monitored to confirm that they actually work.
Candidates should bear in mind that there is no single right or wrong way to select a methodology and conduct a risk assessment. It is largely a progressive exercise: asset valuation comes first, then vulnerability and threat assessment, after which the risk is assessed and the controls to enforce are determined. The residual risk is then discussed and communicated to management.
After the risk assessment is complete, the options are to avoid, mitigate, transfer or accept the risk. The value placed on an information resource determines how much the organization will be willing to spend protecting it.
CISMs can set control baselines that allow them to measure how effective their IRM programs are.
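The steps above (asset valuation, likelihood and impact, treatment, residual risk checked against an acceptable level) can be made concrete as a small quantitative risk register. The following is an added example written for this article, not code from ISACA or the CISM manual: all asset values, exposure factors, occurrence rates and control figures are constructed for illustration, and the annualized-loss arithmetic (SLE × ARO) is one common quantitative method, not the only one the exam accepts.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List

# Constructed, illustrative figures only: asset values, exposure factors and
# occurrence rates below are invented for the example, not taken from ISACA material.

class Treatment(Enum):
    AVOID = "avoid"        # stop the activity: the risk no longer exists
    MITIGATE = "mitigate"  # apply controls that cut likelihood and/or impact
    TRANSFER = "transfer"  # shift part of the loss to a third party (insurance)
    ACCEPT = "accept"      # knowingly carry the risk unchanged

@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0  # fraction of the occurrence rate removed (0..1)
    impact_reduction: float = 0.0      # fraction of the per-incident loss removed (0..1)

@dataclass
class Risk:
    risk_id: str
    asset: str
    asset_value: float       # what the information resource is worth to the business
    exposure_factor: float   # fraction of the asset value lost in one incident (0..1)
    aro: float               # annualized rate of occurrence (incidents per year)
    treatment: Treatment
    controls: List[Control] = field(default_factory=list)
    transfer_fraction: float = 0.0  # share of each loss an insurer would pay
    transfer_cost: float = 0.0      # annual premium for that cover

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def inherent_ale(self) -> float:
        """Annualized loss expectancy before any treatment."""
        return self.sle() * self.aro

    def residual_ale(self) -> float:
        """Annualized loss expectancy left after the chosen treatment."""
        if self.treatment is Treatment.AVOID:
            return 0.0
        aro, sle = self.aro, self.sle()
        if self.treatment is Treatment.MITIGATE:
            for c in self.controls:
                aro *= 1.0 - c.likelihood_reduction
                sle *= 1.0 - c.impact_reduction
        ale = aro * sle
        if self.treatment is Treatment.TRANSFER:
            ale *= 1.0 - self.transfer_fraction
        return ale

    def treatment_cost(self) -> float:
        if self.treatment is Treatment.MITIGATE:
            return sum(c.annual_cost for c in self.controls)
        if self.treatment is Treatment.TRANSFER:
            return self.transfer_cost
        return 0.0

def evaluate_register(risks: List[Risk], acceptable_ale: float) -> List[Dict]:
    """Compare each residual risk with the acceptable level (the control baseline)
    and flag treatments that cost more per year than the loss they remove."""
    report = []
    for r in risks:
        residual = r.residual_ale()
        loss_avoided = r.inherent_ale() - residual
        report.append({
            "risk_id": r.risk_id,
            "treatment": r.treatment.value,
            "inherent_ale": round(r.inherent_ale(), 2),
            "residual_ale": round(residual, 2),
            "treatment_cost": round(r.treatment_cost(), 2),
            "within_appetite": residual <= acceptable_ale,
            "cost_effective": r.treatment_cost() <= loss_avoided,
        })
    return report

def sample_register() -> List[Risk]:
    """Constructed register with one risk per treatment option."""
    return [
        Risk("R1", "customer database", 500_000, 0.4, 0.5, Treatment.MITIGATE,
             controls=[Control("encryption at rest", 20_000, impact_reduction=0.75),
                       Control("MFA for DBAs", 8_000, likelihood_reduction=0.6)]),
        Risk("R2", "public web server", 80_000, 0.5, 2.0, Treatment.TRANSFER,
             transfer_fraction=0.5, transfer_cost=30_000),
        Risk("R3", "legacy FTP drop box", 10_000, 1.0, 0.1, Treatment.ACCEPT),
        Risk("R4", "fax gateway (to be decommissioned)", 5_000, 1.0, 1.0, Treatment.AVOID),
    ]

def run_demo(acceptable_ale: float = 15_000) -> Dict:
    """Evaluate the sample register and list the risks that must go to management."""
    rows = {row["risk_id"]: row for row in evaluate_register(sample_register(), acceptable_ale)}
    escalate = sorted(rid for rid, row in rows.items() if not row["within_appetite"])
    return {"rows": rows, "escalate": escalate}

if __name__ == "__main__":
    result = run_demo()
    for rid, row in result["rows"].items():
        print(rid, row)
    print("communicate to management:", result["escalate"])
```

With an acceptable annualized loss of 15,000, only R2 exceeds the appetite even after transfer, so it is the one residual risk that has to be escalated and formally accepted or re-treated; the `cost_effective` flag is the check that the spend on a control never exceeds the value of the resource it protects.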
Regarding the topics, IRM has nine task statements and 19 knowledge statements. The task statements are:
Candidates should also note that everything performed under IRM must be documented. Small things come in handy, such as keeping a risk register or a controls register, as well as records of the annual statement given to management detailing the current state of risk at the organization.
Information Security Program Development and Management (ISPDM)
Candidates should note that, for an information security program to be effective, it must mitigate information and information technology risk, with the effort balanced against the magnitude and frequency of the potential loss. Candidates should also be aware that the challenges CISMs most often meet in organizations are people, process and policy issues that conflict with program objectives.
The CISM manual outlines the constraints on developing an information security roadmap. The most important of these are legal and regulatory requirements, ethics and personnel. A personnel constraint might be, for example, that HR performs background checks only sporadically, or that untrained staff members carry out the screening.
ISACA pays a lot of attention to the SABSA methodology, so candidates should prepare for that. Candidates should also note that the objective of ISPDM is to implement the strategy in the most cost-effective manner, while at the same time minimizing the impact to business functions. Candidates will need to know how to define the goal or desired outcome, define the objectives that should be met, define the residual risk, and define the desired state.
ISPDM has 10 task statements and 16 knowledge statements. The task statements:
Information Security Incident Management (ISIM)
This domain is considered by many to be the most important, because recovery from an incident is what ensures continuity of business. The goal of incident management is to manage and respond to unexpected disruptive events so that their impact is kept within acceptable levels. ISIM, like disaster recovery, is a part of business continuity planning.
One outcome of ISIM is that, with adequate training, planning and testing, incidents are identified and contained and their root cause is addressed, allowing recovery within the acceptable interruption window (AIW).
There are three technologies that candidates should associate with ISIM: network intrusion detection systems (NIDSs), host intrusion detection systems (HIDSs), and logs (from a system, database, operating system or application). Note also that SIEM (security information and event management) is the way the output of HIDSs, NIDSs and logs is managed together.
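What a SIEM adds on top of the three sources is normalization into one event shape and correlation across them. The following is an added example written for this article, not a product's code or anything from the CISM manual: the log format, host names, paths and addresses (RFC 5737 documentation ranges) are constructed, and the two correlation rules are illustrative of the idea, not a vendor's rule set.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log lines in a simple "timestamp SOURCE key=value ..." shape, one
# per source type the text names: an application log, a NIDS and a HIDS.
SAMPLE_LOGS = [
    "2024-03-01T10:01:50Z APP host=web01 user=admin result=login_failed src=203.0.113.5",
    "2024-03-01T10:01:58Z APP host=web01 user=admin result=login_failed src=203.0.113.5",
    "2024-03-01T10:02:05Z APP host=web01 user=admin result=login_failed src=203.0.113.5",
    "2024-03-01T10:02:11Z NIDS src=203.0.113.5 dst=web01 sig=suspicious-file-upload",
    "2024-03-01T10:03:40Z HIDS host=web01 event=file_modified path=/var/www/html/up.php",
    "2024-03-01T09:00:00Z HIDS host=db02 event=file_modified path=/etc/cron.d/backup",
    "2024-03-01T11:40:00Z NIDS src=198.51.100.7 dst=db02 sig=port-scan",
    "2024-03-01T11:41:00Z APP host=db02 user=backup result=login_ok src=10.0.0.9",
]

def parse_line(line: str) -> Dict:
    """Normalize one raw line into a flat event dict with a real timestamp."""
    ts, source, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "source": source}
    for f in fields:
        if "=" in f:
            key, value = f.split("=", 1)
            event[key] = value
    # The NIDS names the destination; host-based sources name the host. Unify them.
    event["host"] = event.get("host") or event.get("dst")
    return event

def correlate(lines: List[str], window: timedelta = timedelta(minutes=5),
              failed_login_threshold: int = 3) -> List[Dict]:
    """Apply two cross-source rules over a time window and return incidents."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    incidents: List[Dict] = []

    # Rule 1: a NIDS alert aimed at a host, followed within the window by a HIDS
    # file-integrity change on that same host. Order matters: the host change
    # must come after the network alert, which is why db02 below does not fire.
    nids = [e for e in events if e["source"] == "NIDS"]
    hids = [e for e in events if e["source"] == "HIDS" and e.get("event") == "file_modified"]
    for n in nids:
        for h in hids:
            if h["host"] == n["host"] and n["ts"] <= h["ts"] <= n["ts"] + window:
                incidents.append({"rule": "nids_then_hids_change", "severity": "high",
                                  "host": n["host"], "src": n["src"], "path": h["path"],
                                  "ts": h["ts"].isoformat()})

    # Rule 2: repeated failed logins from one source against one host inside the window.
    fails = [e for e in events if e["source"] == "APP" and e.get("result") == "login_failed"]
    reported = set()
    for first in fails:
        key = (first["host"], first["src"])
        if key in reported:
            continue
        burst = [f for f in fails if (f["host"], f["src"]) == key
                 and first["ts"] <= f["ts"] <= first["ts"] + window]
        if len(burst) >= failed_login_threshold:
            reported.add(key)
            incidents.append({"rule": "repeated_login_failure", "severity": "medium",
                              "host": key[0], "src": key[1], "count": len(burst),
                              "ts": burst[-1]["ts"].isoformat()})
    return incidents

def hosts_by_severity(incidents: List[Dict], severity: str) -> List[str]:
    """Convenience view: which hosts have incidents at a given severity."""
    return sorted({i["host"] for i in incidents if i["severity"] == severity})

if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(inc)
```

Run over the constructed lines, web01 produces two incidents (the login burst and the alert-then-file-change pair), while db02 produces none: its file change happened hours before the port scan, so the sequence the rule looks for never occurs. That ordering check is the kind of context a single source cannot supply on its own.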
Candidates should be familiar with the advantages and disadvantages as well as the contents of the six types of recovery sites (hot, cold, warm, mobile, mirror and duplicate information processing facilities). Familiarity with the concepts of network recovery, such as redundancy, alternative routing, diverse routing, long-haul network diversity, and voice recovery, is also encouraged.
ISIM has 10 task statements and 18 knowledge statements. The task statements are:
Candidates need to note that, in some cases within this domain, the availability of evidence will be a requirement, especially where the incident is malicious and may go to trial. The ISIM plan therefore needs to account for evidence: it must be protected and a chain of custody maintained, in preparation for court.
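The two requirements just stated, protecting the evidence and maintaining a chain of custody, both come down to being able to show that what is presented is what was collected and who held it when. The following is an added example written for this article, not a forensic tool's code or anything from the CISM manual: it fingerprints an evidence item with SHA-256 at collection, re-hashes it at every handover and refuses a handover whose hash no longer matches, and hash-chains the custody entries so that later edits to the log itself are detectable. The evidence bytes, custodians and timestamps are constructed.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

GENESIS = "0" * 64  # previous-entry hash for the first custody entry

@dataclass
class CustodyEntry:
    timestamp: str        # ISO 8601; supplied by the caller so the demo is reproducible
    custodian: str
    action: str           # "collected", "transferred", "analysed", ...
    evidence_hash: str    # SHA-256 of the evidence at the moment of this entry
    prev_entry_hash: str  # links this entry to the one before it (hash chain)
    entry_hash: str = ""

def entry_digest(e: CustodyEntry) -> str:
    """Hash of everything in the entry except its own hash field."""
    body = {k: getattr(e, k) for k in
            ("timestamp", "custodian", "action", "evidence_hash", "prev_entry_hash")}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class EvidenceItem:
    def __init__(self, item_id: str, description: str, data: bytes,
                 collector: str, timestamp: str):
        self.item_id = item_id
        self.description = description
        self.original_hash = sha256_hex(data)  # reference fingerprint taken at collection
        self.log: List[CustodyEntry] = []
        self._append(timestamp, collector, "collected", self.original_hash)

    def _append(self, timestamp: str, custodian: str, action: str, evidence_hash: str) -> None:
        prev = self.log[-1].entry_hash if self.log else GENESIS
        e = CustodyEntry(timestamp, custodian, action, evidence_hash, prev)
        e.entry_hash = entry_digest(e)
        self.log.append(e)

    def handover(self, timestamp: str, to_custodian: str, data: bytes,
                 action: str = "transferred") -> bool:
        """Re-hash the evidence at handover. A mismatch means the item is no longer
        the one collected: refuse the handover and leave the log untouched."""
        current = sha256_hex(data)
        if current != self.original_hash:
            return False
        self._append(timestamp, to_custodian, action, current)
        return True

    def verify_log(self) -> bool:
        """Every entry must link to its predecessor, re-hash to its recorded digest,
        and carry the original evidence fingerprint."""
        prev = GENESIS
        for e in self.log:
            if (e.prev_entry_hash != prev or entry_digest(e) != e.entry_hash
                    or e.evidence_hash != self.original_hash):
                return False
            prev = e.entry_hash
        return True

def run_demo() -> Dict:
    # Constructed evidence: a made-up log fragment, not a real artefact.
    evidence = b"2024-03-01T10:03:40Z web01 sshd: accepted publickey for svc-backup\n"
    item = EvidenceItem("E-0001", "web01 auth log excerpt", evidence,
                        "first responder", "2024-03-01T10:30:00Z")
    ok_transfer = item.handover("2024-03-01T12:00:00Z", "forensic analyst", evidence)
    tampered = evidence.replace(b"accepted", b"rejected")
    bad_transfer = item.handover("2024-03-01T13:00:00Z", "legal counsel", tampered)
    intact_before = item.verify_log()
    item.log[1].custodian = "someone else"  # simulate an after-the-fact edit to the log
    return {"ok_transfer": ok_transfer, "bad_transfer": bad_transfer,
            "entries": len(item.log), "log_intact_before_edit": intact_before,
            "log_intact_after_edit": item.verify_log()}

if __name__ == "__main__":
    print(run_demo())
```

The altered copy is rejected at handover and never enters the log, and the single edited custodian name breaks the chain for every later check, which is exactly what a court will ask to see demonstrated: that the item and its history are both unchanged since collection.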
This overview creates an expectation of what candidates should cover and what they need to know before taking the CISM exam. It has discussed the topics that are to be covered in the examination, the percentage weight of each domain covered, and the important concepts in each that should be emphasized. We hope that this overview will prove to be a valuable time-saver for candidates who see the benefit of strategizing their study for the examination.