ISACA CISM

CISM domain 3: Information security program development and management [2022 update]

July 8, 2022 by Dan Virgillito

Certified Information Security Manager (CISM) is a key certification that validates your knowledge and experience around enterprise information security. Attaining CISM requires passing the CISM exam, which tests you on four knowledge areas (aka. CISM domains). This post will give you an overview of CISM domain 3, Information security program development and management. 

Information Security Program includes designing, implementing, managing and optimizing a security program in accordance with organizational objectives. Expertise in this domain proves that you can help a company protect its information assets while minimizing its legal and liability exposure. 

Let’s take a closer look at the domain and how its contents have changed after the recent CISM exam update.

Information security program overview

Before the updated CISM exam that went into effect on June 1, 2022, the information security program had a 27% exam weightage and 40 questions. With the new CISM syllabus, its weightage has increased to 33% with 50 exam questions. ISACA, the exam creator, now gives more weight to the information security program domain, which is crucial to designing effective program management plans.

Good planning leads to acceptable levels of information security at a reasonable cost. To achieve this, you must familiarize yourself with the core elements of a security program:

  • It should be well-developed. The program should support and be tailored to the organization’s objectives.
  • It needs to be well-designed. The program should be designed with cooperation and support from stakeholders and management. 
  • Effective metrics must be developed. KPIs should be formed for the program design and implementation phase and subsequent management phases to assess performance and guide teams to achieve the desired outcomes. 

Knowledge of these elements shows that you can transform strategy and reality. 

Additionally, depending on the circumstances, you must be prepared and able to modify or reconsider certain elements during program administration and design and development. This could signal changes in the underlying infrastructure, business requirements, topology or even technologies.

What’s new in the information security program domain?

ISACA has divided the information security program domain into two parts:

Part A: Information security program development

Part B: Information security program management

The refreshed exam also features a few new topics in this domain:

  • Integration with DevOps and DevSecOps. Candidates don’t need to get into the architecture’s nitty-gritty, but they need to know the pros and cons of these two development frameworks. 
  • Applying architectures to build a security program roadmap. This part was lacking in the previous version of the CISM exam. The objective is to test a candidate’s ability to develop a program roadmap using frameworks like TOGAF and SABSA. The topic also talks about controls for the architecture and how to achieve clarity via modulization and layering. 
  • Security awareness education and training. This is now a separate module in domain 3. It covers building an information awareness training program and evaluating its effectiveness through training and education metrics. The objective is to address the internal threats facing an organization’s information security program.
  • Information asset identification and classification. This topic was a part of domain 2 in the older version of the CISM exam. It’s now added to domain 3 because aspiring security managers should know what assets need to be protected as they work toward building the security program.
  • Common information security program constraints. Previously included in domain 1, security program constraints are now a part of domain 3. ISACA moved it here to ensure candidates cover all the bases of the information security program.

Information security program exam outline

The updated CISM exam outline features new subtopics for the information security program domain. Here’s an overview of testing topics: 

CISM Domain 3: Information Security Program

Section A: Information Security Program Development Section B: Information Security Program Management
3A1 Information Security Program Resources (tools, technologies, people) 3B1 Information Security Control Design and Selection
3A2 Information Asset Identification and Classification 3B2 Information Security Control Integrations and Implementation  
3A3 Industry Standards and Frameworks for Information Security 3B3 Information Security Control Testing and Evaluation
3A4 Information Security Policies, Procedures, and Guidelines 3B4 Information Security Awareness and Training
3A5 Information Security Program Metrics 3B5 Management of External Services (third parties, fourth parties, providers, suppliers)
3B6 Information Security Program Communications and Reporting

Summary of information security program

CISM domain 3 covers a robust set of strategies required to implement a security program in the most cost-effective manner possible. Candidates should be able to do this while maximizing the support of business functions and minimizing operational disruptions. Some exam questions may test you on frameworks required to satisfy regulatory compliance, while others may ask about security control and reporting.

If you’re preparing to take the CISM exam, learning information security program development & management will help you ace 33% of the exam. Hopefully, this overview will help you focus on what’s essential to develop, implement, and manage a high-level security program. View our ISACA CISM hub for a comprehensive insight into all CISM domains and everything related to the CISM exam.

Sources

Posted: July 8, 2022
Dan Virgillito
View Profile

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news. Visit his website or say hi on Twitter.