CISM: Overview of domains
Although CISM certification is multi-faceted and requires knowledge of a number of academic, technical, and career-based subjects, the core of the exam is to understand the four primary domains that make up the CISM certification. Future articles will drill deeper into each of these domains, but this article should provide you with a high-altitude look at the domains and what knowledge they represent.
What domains are covered on the CISM exam?
CISM candidates should expect to cover four job practice areas of the CISM domains. These are structured to contain 200 multiple-choice questions, which are to be completed in four hours. For candidates to pass the exam, a scaled score of 450 or higher is required. If the student passes, the results will be mailed within eight weeks. The four domains are:
- Information Security Governance
- Information Risk Management
- Information Security Program Development and Management
- Information Security Incident Management
How often are the domains updated?
To remain relevant, the CISM domains are updated frequently; however, major changes that would result in a significant impact on the examination are seldom made. As of this writing, ISACA has not made any significant changes to the domains themselves.
How much is each domain covered on the exam?
Domain coverage within an examination is quite important in helping candidates to make an accurate estimate of the amount of time and energy to focus on each aspect of study. Candidates who properly plan their study end up spending less energy on lower-priority topics and are most likely to pass the examination.
The CISM exam is structured as follows:
- Information Security Governance domain covers 24%
- Information Risk Management and Compliance domain covers 30%
- Information Security Program Development and Management domain covers 27%
- Information Security Incident Management domain covers 19% of the entire examination
What topics (tasks/knowledge statements) are covered in each domain?
Candidates will encounter a number of task and knowledge statements in the exam. Task statements describe the activities that CISMs may be required to perform at an organization, while knowledge statements are the standards that are used to measure, assess, and manage risks. Each domain has its own set of task and knowledge statements and we shall have a look at a summary of these. Note that the complete listing of task and knowledge statements can be found here.
ISACA has reorganized the CISM manual, categorizing each of the chapters into two main sections. In Section One, the manual covers the corresponding knowledge and task statements that are tested within the examination. In Section Two, the manual contains reference material and content that supports knowledge statements. These two sections are important in preparing for the examination.
Information security governance (ISG)
In this domain, CISM candidates will need to know the relationship between the outcomes of effective ISG and management responsibilities. They will want to also take a look at the business model for information security and understand the interrelations among organization design and strategy, people, process and technology elements. Candidates will need to understand the interconnections of governance, culture, enabling and support, emergence, human factors and architecture.
Among the concepts that are considered important for candidates is Security Metrics, which involves the description of how a quantitative and periodic assessment of security performance is to be effectively measured.
The domain also features a way of measuring the effectiveness of its outcomes. For example, if we are to consider Value Delivery as an outcome, effectiveness can be measured by considering the following:
- Is the cost of security proportional to the value of the asset? We would not be delivering value if the cost of the security is twice the value of the asset, for example.
- Is periodic testing done on the controls? Here, we would not be delivering value if the controls we put in place are not being adequately tested.
- In COBIT, candidates will need to understand the concept of the Capability Maturity Model, particularly Levels 3, 4 and 5.
Within Strategy Resources, candidates will need to know the two security frameworks of Zachman and SABSA. Also, ISACA includes a few questions from EA2F. Candidates will therefore need to understand “Defense in Depth,” which tests on the actions that should be taken during prevention, containment, detection, evidence collection, and recovery or even restoration of business processes.
Candidates will need to finally understand metrics. This often will involve knowing how to define metrics and produce them for upper management.
ISG as of 2018 has nine task statements and 20 knowledge statements. The task statements are:
- Establish and/or maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and/or ongoing management of the information security program.
- Establish and/or maintain an information security governance framework to guide activities that support the information security strategy.
- Integrate information security governance into corporate governance to ensure that organizational goals and objectives are supported by the information security program.
- Establish and maintain information security policies to guide the development of standards, procedures and guidelines in alignment with enterprise goals and objectives.
- Develop business cases to support investments in information security.
- Identify internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) to ensure that these factors are continually addressed by the information security strategy.
- Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy.
- Define, communicate, and monitor information security responsibilities throughout the organization (e.g., data owners, data custodians, end users, privileged or high-risk users) and lines of authority.
- Establish, monitor, evaluate and report key information security metrics to provide management with accurate and meaningful information regarding the effectiveness of the information security strategy.
Information risk management (IRM)
Candidates will need to understand the organization’s risk management strategy and how it relates to information technology. In order for this to be done, they will be required to understand the organization’s priorities regarding risk. Clear roles and responsibilities therefore need to be defined and included within different job descriptions at the organization.
Various concepts will be important to memorize for candidates. These concepts include threats, vulnerabilities, exposures, impact, recovery time objective (RTO), recovery point objective (RPO), service delivery Objectives (SDOs) and acceptable interruption window (AIW). All of these topics are found in the 2018 CISM review manual.
A few basic steps should be observed while implementing IRM. Normally, the scope and boundaries need to be determined, followed by a risk assessment. Once this is done, a risk treatment plan is designed to reduce risk to an acceptable level. The residual risk is then accepted and communicated, while watching to see whether the controls that are in place actually work.
Candidates should bear in mind that there is actually no qualitatively right or wrong way to select a methodology and conduct a risk assessment. It is mostly a progressive exercise that begins with asset valuation and then moves on to vulnerability and threat assessment. The risk is then assessed and the right controls to be enforced determined. The residual risk is discussed and communicated to management.
After the risk assessment is complete, candidates have the option of avoiding, mitigating, transferring or accepting the risk. The value placed on information resources determines how much you will be willing to spend on that resource.
CISMs can set control baselines that allow them to measure how effective their IRM programs are.
Regarding the topics, IRM has nine task statements and 19 knowledge statements. The task statements are:
- Establish and/or maintain a process for information asset classification to ensure that measures taken to protect assets are proportional to their business value.
- Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels.
- Ensure that risk assessments, vulnerability assessments and threat analyses are conducted consistently, at appropriate times, and to identify and assess risk to the organization’s information.
- Identify, recommend or implement appropriate risk treatment/response options to manage risk to acceptable levels based on organizational risk appetite.
- Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.
- Facilitate the integration of information risk management into business and IT processes (e.g., systems development, procurement, project management) to enable a consistent and comprehensive information risk management program across the organization.
- Monitor for internal and external factors (e.g., key risk indicators [KRIs], threat landscape, and geopolitical, regulatory change) that may require reassessment of risk to ensure that changes to existing, or new, risk scenarios are identified and managed appropriately.
- Report noncompliance and other changes in information risk to facilitate the risk management decision-making process.
- Ensure that information security risk is reported to senior management to support an understanding of potential impact on the organizational goals and objectives.
Information Security Program Development and Management (ISPDM)Candidates should also note that everything that is performed on IRM must be documented. Small things come in handy, such as keeping a risk registry or a controls registry, as well as records on an annual statement given to management detailing the current state of risk at the organization.
Candidates should note that, for an information security program to be effective, it must mitigate information and information technology risk at all costs, balancing against the magnitude and frequency of the potential loss. Candidates should be aware that the challenges that are most often met by CISMs in organizations are people, processes, and policy issues that conflict with program objectives.
The CISM manual outlines the constraints on developing an InfoSec roadmap. The most important of these are legal and regulatory requirements, ethics, and personnel. For example, some personnel challenges might be that HR is doing sporadic background checks while untrained staff members are doing the screenings.
ISACA pays a lot of attention to the SABSA methodology, so candidates should prepare for that. Candidates should also note that the objective of ISPDM is to implement the strategy in the most cost-effective manner, while at the same time minimizing the impact to business functions. Candidates will need to know how to define the goal or desired outcome, define the objectives that should be met, define the residual risk, and define the desired state.
ISPDM has 10 task statements and 16 knowledge statements. The task statements:
- Establish and/or maintain the information security program in alignment with the information security strategy.
- Align the information security program with the operational objectives of other business functions (e.g., human resources [HR], accounting, procurement and IT) to ensure that the information security program adds value to and protects the business.
- Identify, acquire and manage requirements for internal and external resources to execute the information security program.
- Establish and maintain information security processes and resources (including people and technologies) to execute the information security program in alignment with the organization’s business goals.
- Establish, communicate and maintain organizational information security standards, guidelines, procedures and other documentation to guide and enforce compliance with information security policies.
- Establish, promote and maintain a program for information security awareness and training to foster an effective security culture.
- Integrate information security requirements into organizational processes (e.g., change control, mergers and acquisitions, system development, business continuity, disaster recovery) to maintain the organization’s security strategy.
- Integrate information security requirements into contracts and activities of third parties (e.g., joint ventures, outsourced providers, business partners, customers) and monitor adherence to established requirements in order to maintain the organization’s security strategy.
- Establish, monitor and analyze program management and operational metrics to evaluate the effectiveness and efficiency of the information security program.
- Compile and present reports to key stakeholders on the activities, trends and overall effectiveness of the IS program and the underlying business processes in order to communicate security performance.
Information security incident management (ISIM)
This domain is considered by many to be the most important in that recovery from an incident ensures continuity of business. The importance of incident management is that its goal is to manage and to respond to unexpected disruptive events with the objective of controlling impacts within acceptable levels. ISIM is a part of business continuity planning, just as disaster recovery is part of business continuity planning.
One of the outcomes of ISIM is that, with adequate training, planning and testing, candidates will ensure that incidents are identified and contained, and the root cause is addressed. This will allow for recovery within an acceptable interruption window (AIW).
There are three technologies that candidates should associate with ISIM. These are network incident detection systems (NIDSs), host intrusion detection systems (HIDSs), and logs (these can be for a system, database, operating system or application.) Just to note, it is important to know that SIEM (system information and event management) is a way of managing the HIDSs, NIDSs, and logs.
Candidates should be familiar with the advantages and disadvantages as well as the contents of the six types of recovery sites (hot, cold, warm, mobile, mirror and duplicate information processing facilities). Familiarity with the concepts of network recovery, such as redundancy, alternative routing, diverse routing, long-haul network diversity, and voice recovery, is also encouraged.
ISIM has 10 task statements and 18 knowledge statements. The task statements are:
- Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents to allow accurate classification and categorization of and response to incidents.
- Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.
- Develop and implement processes to ensure the timely identification of information security incidents that could impact the business.
- Establish and maintain processes to investigate and document information security incidents in order to determine the appropriate response and cause while adhering to legal, regulatory and organizational requirements.
- Establish and maintain incident notification and escalation processes to ensure that the appropriate stakeholders are involved in incident response management.
- Organize, train and equip incident response teams to respond to information security incidents in an effective and timely manner.
- Test, review and revise (as applicable) the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.
- Establish and maintain communication plans and processes to manage communication with internal and external entities.
- Conduct post-incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
- Establish and maintain integration among the incident response plan, business continuity plan and disaster recovery plan.
Candidates need to note that, in some cases within this domain, the availability of evidence will be a requirement, especially in cases where the incident is malicious and may possibly go to trial. As a result, in the ISIM plan, evidence needs to be accounted for, it needs to be protected, and a chain of custody maintained, in preparation for going to court.
This overview creates an expectation of what candidates should cover and what they need to know before taking the CISM exam. It has discussed the topics that are to be covered in the examination, the percentage weight of each domain covered, and the important concepts in each that should be emphasized. We hope that this overview will prove to be a valuable time-saver for candidates who see the benefit of strategizing their study for the examination.