CISM Domain 2: Information Risk Management (IRM) [Updated 2019]

July 5, 2019 by Lester Obbayi


This domain tests the knowledge base that CISM candidates must understand in order to show the ability to appropriately apply risk management principles and practices to an organization’s information security program.

IRM involves the systematic application of management policies, procedures and practices to the tasks of identifying, analysing, evaluating, reporting and monitoring information-related risk.

Our article "CISM Domain Overview" surveyed the domains a CISM candidate encounters in the exam and touched on IRM only briefly. Here we look at the domain in more depth and discuss what candidates need to know in preparation for the examination.

Information Risk Management Objectives

The purpose of this domain is to ensure that the CISM candidate understands risk management as a tool for meeting business needs and for developing a security management program that supports those needs.

As opposed to ISG (Information Security Governance), information security risk management (IRM) defines the extent of protection, and is based on business requirements, objectives and priorities of the organization.

Candidates will be required to show the ability to identify, analyze, quantify, report and manage information security-related risk in order to achieve business objectives, applying an information security manager's knowledge of key risk management techniques across a number of tasks.

The techniques, methods and metrics used may need to be viewed from a broader context of organizational risk since information security is one component of enterprise risk management.

Information security risk management therefore needs to incorporate human resource, operational, physical, geopolitical and environmental risk.

Importance of Information Risk Management

The management of risks to information security resources provides the justification for the information security activities carried out within the organization. Assurance for business activities is provided when risks are managed to levels that are acceptable and appropriate to the mission of the business or organization. Without proper risk management, it is not possible to determine the potential cost or impact of particular risks, or the mitigation measures they require.

Candidates will need to understand the factors that influence the design and implementation process of risk management within an organization in great detail. These may include:

  • The organization’s culture. This influences how employees receive new ideas; they may support or reject them.
  • The organization’s mission and objectives. These need to be aligned with the need to implement risk management, or a great deal of opposition will be met.
  • The organizational structure. In most organizations, processes and bureaucracy slow down the implementation of solutions and ideas. This should be taken into account.
  • Organizational policies and practices. The implementation of effective risk management depends on these; for instance, a certain level of qualification might be required for certain personnel.
  • The physical, environmental and regulatory conditions, which may also influence the implementation of risk management.

Outcomes of Risk Management

Candidates will be required to show a detailed understanding of the benefits of effective risk management. For example, effective risk management may be able to provide:

  • Understanding of the threats the organization has faced or may face in future, along with their risk profiles
  • Understanding of the risk exposure and the potential consequences of compromise
  • Awareness of risk management priorities based on potential consequences
  • Organizational risk mitigation strategy sufficient to achieve acceptable consequences from residual risk
  • Organizational acceptance or deferral based on an understanding of the potential consequences of residual risk
  • Measurable evidence that risk management resources are used in an appropriate and cost-effective manner.

Once candidates are comfortable with the details of the benefits above, they will be able to make the case to management for risk management through the different available strategies.

Risk Management Strategies

For a risk management strategy to be effective, it must be an integrated business process with clearly defined objectives that incorporates all of the organization’s risk management processes, activities, methodologies and policies. It must determine the optimal approach to aligning processes, technology and behaviour, and must take into account the credible risks and the full range of options for managing them appropriately.

Risk management strategies are determined by a number of factors, both internal and external to the organization. Candidates will be required to understand in detail how these factors may influence the outcome of risk management. Internal factors include organizational maturity, history, culture, structure and risk tolerance. External factors include the industry sector and legal and regulatory requirements.

Candidates will also be tested on the initial steps required in the development of a risk management program. These are going to include:

  • Establishing a context and purpose of the program
  • Defining a scope and charter that will be required within the program
  • Performing asset identification, classification and ownership
  • Establishing objectives
  • Determining the methodology to be used
  • Establishing the implementation team

Establishing Context and Purpose

There are a variety of risks that organizations must deal with whether formally or on an ad hoc basis. Candidates will be required to show the ability to determine the purpose for creating an information security risk management program and define the desired outcome and objectives.

Defining a Scope and Charter

Managing risk is everyone’s responsibility within the organization. However, candidates must be able to clearly understand the scope of responsibility and authority that falls specifically to the information security manager and to stakeholders. Defining the scope prevents gaps in the process, improves the overall consistency of risk management efforts, and reduces unnecessary duplication of effort.

Candidates need to understand the main areas of security interference and the issues that result from a lack of common goals and a poorly defined scope of responsibilities. For instance, it must be clearly defined who is responsible for ensuring that sensitive material (such as confidential documents) is not left at print stations, where it could result in unintended disclosure of information; such material should be shredded before being discarded. The example may seem trivial, but it is important from an information security perspective.

Asset Identification, Classification and Ownership

Candidates will also be tested on asset classification and the roles of an information security manager in relation to information classification.

The importance of classifying assets by their sensitivity and criticality to the organization’s needs, and of identifying their owners, will be revisited. For example, asset classification helps promote accountability for complying with policy and risk management requirements within the organization.

Establishing Objectives

While the overall objective might be to mitigate all risk to acceptable levels, resource limitations make that highly unlikely, so priorities must be set accordingly. Candidates will be required to show an understanding of risk classification as an objective. For instance, they will be given scenarios and tested, where applicable, on how some risks cannot be addressed and must be accepted, how others can wait, and how still others require immediate attention.

Candidates will therefore be required to understand risk prioritization and analysis.

Information Risk Management Roles and Responsibilities

IRM is an integral part of governance and requires the board of directors or equivalent to ensure that the efforts are effective. To ensure that management intent, direction and expectations are realized, periodic reports on the efforts and effectiveness of risk management activities should be required in order to provide the feedback needed.

Candidates here will be tested on the steps required in developing, collaborating and managing the information security risk management program to meet the defined objectives.

Candidates will also need to familiarize themselves with the roles involved in IRM. The US National Institute of Standards and Technology (NIST) Special Publication 800-30 describes the key roles of the personnel who must support and participate in the risk management process.

Some of the roles involved within IRM include the following:

System and Information Owners

System and information owners are responsible for ensuring that proper controls are in place to provide a high degree of integrity, confidentiality and availability for IT systems and the data they contain. They are accountable for changes made to their IT systems and are therefore required to sign off on such changes, including system enhancements and major changes to hardware and software.

Other roles that candidates will require an overview of are Governing Boards and Senior Management, Chief Information Officer, and Information Security Manager.

Risk Assessment and Analysis Methodologies

Risk assessment is the process of analysing the threat landscape and the vulnerabilities of the organization’s information assets to determine whether or not the organization is exposed.

In this section, candidates will face questions requiring them to show knowledge of the actions to take in order to highlight the importance of integrating information security. For instance, a newly hired information security officer should carry out a risk assessment exercise in order to discover unknown security issues and report them to management.

There is no right or wrong approach to the methods used for risk assessment. Nevertheless, the results must meet the goals and objectives of the organization in identifying the relative risk rating of assets critical to the business. The analysis resulting from the assessment is used.


After passing the examination, candidates will possess the ability to appropriately apply risk management principles and practices to an organization’s information security program, and understand the importance of risk management as a tool for meeting business needs.


Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.
