CISM Domain 4: Information Security Incident Management (ISIM) [2022 update]
When it comes to proving technical competency and business skills in enterprise information security, IT professionals have no better option than becoming CISM certified. The route to attaining CISM involves a crucial exam, which tests a candidate on four knowledge areas (otherwise known as CISM domains).
Incident management (IM) identifies, evaluates, manages and documents security incidents that may adversely affect an organization's information assets. Expertise in IM proves that you can help an organization become more resilient to security incidents while reducing liability and legal exposure.
Let’s dive into the specifics of the IM domain and how it has changed after the latest CISM exam update.
Incident management overview
Before the updated CISM exam that became effective on June 1, 2022, incident management had a 19% weightage with 29 exam questions. But after the exam refresh, its weightage increased to 30% with 45 exam questions. This points to the fact that ISACA (the exam creator) now emphasizes the incident management domain, which is crucial to mitigating security events and preventing disruptions in operations.
Candidates will have to demonstrate the ability to contain and manage disruptions, including environmental disruptions (e.g., earthquakes, storms), technical disruptions (e.g., DDoS and malware intrusions), and the broad category of mistakes and intentional acts (e.g., fraud and espionage). The primary cause of each disruption must be clearly defined, and the incident response must be consistent and easy to understand for relevant stakeholders (IT department, management, incident handlers and end users).
Organizations look for proficiency in incident management because such expertise can help them:
- Diagnose incidents quickly and accurately
- Identify root causes
- Minimize and contain the damage
- Document and report
- Deploy improvements to prevent a recurrence
- Restore affected systems and services
CISM candidates should also note that employers will expect them to balance incident management capabilities with baseline security, disaster recovery, and business continuity. For example, if the incident response will take a while to execute, it would be wise to raise the baseline security level. Additionally, candidates should know when the inability to effectively manage a security event calls for a disaster declaration.
What’s new in the incident management domain?
ISACA has divided the incident management domain into two sections:
- Section 1: Incident management readiness
- Section 2: Incident management operations
The updated exam also adds a few new topics to the IM domain:
- Incident Response Concepts. Candidates must show a general understanding of the different concepts relevant to incident response. Examples include basic security principles (e.g., confidentiality and availability), network protocols (e.g., Address Resolution Protocol, ARP), and network applications and services (e.g., Network File System, NFS, and Secure Shell, SSH).
- Incident Management and Incident Response Plans. A new addition to CISM domain 4, this module includes everything from IM resources and objectives to metrics, procedures, and the status of incident response capability.
- Business Continuity Plan (BCP). This is a new section in domain 4 and includes important measurements like BIA (Business Impact Analysis), MTD (Maximum Tolerable Downtime), RTO (Recovery Time Objective) and RPO (Recovery Point Objective). Candidates should know how these relate: the RTO committed to in the recovery plan must fit within the MTD the BIA established, and the RPO bounds how much data loss is acceptable, which in turn dictates how often backups or replication must run.
- Incident Management Systems. A new, independent module in CISM domain 4, incident management systems explores areas like endpoint detection and response (EDR) and managed incident response strategies.
- Incident Containment Methods. Candidates may be asked to elaborate on the procedures and strategies for containing an incident (e.g., disabling certain functions, shutting down a system etc.)
- Incident Eradication and Recovery. This covers both eradication activities and recovery as they relate to the operational areas of the business.
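The BCP metrics above are easiest to understand as constraints that a recovery plan either satisfies or violates. The following is an added example, not part of the original article or any ISACA material, that audits a constructed list of systems for the three consistency checks a practitioner actually runs against BIA output: does the committed RTO fit inside the MTD, does the real backup interval honour the RPO, and did the last recovery test meet the RTO? The dataclass fields, system names and figures are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed record type for illustration: one row per system from the BIA.
@dataclass
class RecoveryObjective:
    system: str
    mtd_hours: float              # Maximum Tolerable Downtime set by the business
    rto_hours: float              # Recovery Time Objective the DR plan commits to
    rpo_hours: float              # Recovery Point Objective: max acceptable data loss
    backup_interval_hours: float  # how often backups/replication actually run
    last_test_recovery_hours: float  # restore time measured in the last DR test


def check_objective(o: RecoveryObjective) -> List[str]:
    """Return the list of findings for one system (empty list means consistent)."""
    findings = []
    # RTO must fit inside MTD, otherwise the plan promises an outage the
    # business has already said it cannot tolerate.
    if o.rto_hours > o.mtd_hours:
        findings.append(
            f"RTO {o.rto_hours}h exceeds MTD {o.mtd_hours}h; plan cannot meet BIA")
    # Data loss on restore equals the time since the last backup, so the
    # backup interval must not be longer than the RPO.
    if o.backup_interval_hours > o.rpo_hours:
        findings.append(
            f"backup interval {o.backup_interval_hours}h exceeds RPO {o.rpo_hours}h")
    # A tested recovery slower than the RTO means the RTO is aspirational.
    if o.last_test_recovery_hours > o.rto_hours:
        findings.append(
            f"last test took {o.last_test_recovery_hours}h, above RTO {o.rto_hours}h")
    return findings


def audit(objectives: List[RecoveryObjective]) -> Dict[str, List[str]]:
    """Map each non-compliant system name to its findings; compliant ones are omitted."""
    result = {}
    for o in objectives:
        findings = check_objective(o)
        if findings:
            result[o.system] = findings
    return result


# Constructed sample BIA data (not from any real organization).
SAMPLE = [
    RecoveryObjective("payments-api", mtd_hours=4, rto_hours=2, rpo_hours=0.25,
                      backup_interval_hours=0.25, last_test_recovery_hours=1.5),
    RecoveryObjective("hr-portal", mtd_hours=24, rto_hours=36, rpo_hours=24,
                      backup_interval_hours=24, last_test_recovery_hours=30),
    RecoveryObjective("data-warehouse", mtd_hours=72, rto_hours=48, rpo_hours=4,
                      backup_interval_hours=24, last_test_recovery_hours=40),
]

if __name__ == "__main__":
    for system, findings in audit(SAMPLE).items():
        print(system)
        for f in findings:
            print("  -", f)
```

The same structure extends naturally to other BIA-derived checks (for example, that dependent systems have an RTO no longer than the systems that rely on them); the point of the example is that the terms are only meaningful when they are compared against each other and against measured test results.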
Incident management exam outline
The new CISM exam outline contains a few subtopics that previously weren’t present in the incident management knowledge domain. Here’s a brief overview of what you need to prepare for:
CISM Domain 4: Incident Management
| Section 1: Incident Management Readiness | Section 2: Incident Management Operations |
|---|---|
| 1.1 Incident Response Plan | 2.1 Incident Management Techniques and Tools |
| 1.2 Business Impact Analysis | 2.2 Incident Investigation and Evaluation |
| 1.3 Business Continuity Plan | 2.3 Incident Containment Methods |
| 1.4 Disaster Recovery Plan | 2.4 Incident Response Communications (e.g., notification, reporting, escalation) |
| 1.5 Incident Categorization/Classification | 2.5 Incident Recovery and Eradication |
| 1.6 Incident Management Testing, Evaluation, and Training | 2.6 Post-incident Review Practices |
Summary of incident management
CISM domain 4 covers all the strategies required to manage and respond to unexpected disruptive events. Candidates should be able to do this within the acceptable interruption window (AIW) to minimize the impact on clients and their trust in the organization. The domain overlaps with disaster recovery and business continuity procedures, so candidates should also be prepared for those.
If you’re scheduled to take the CISM exam, familiarizing yourself with the intricate details of incident management will help you ace 30% of the assessment. Hopefully, this domain overview will broaden your horizon and help you develop an effective incident management plan. Check the ISACA CISM hub for a detailed overview of all CISM domains and other topics related to the CISM exam.