ISACA Changes CISM Exam for 2012

April 23, 2012 by Kenneth Magee

According to ISACA, the CISM certification is changing to reflect the new CISM job practice analysis. (Source: ISACA’s CISM Review Manual 2012 p. iii)

ISACA has restructured the CISM, reducing it from five domains to four. The former Information Security Program Development and Information Security Program Management domains have been combined into a single domain entitled Information Security Program Development and Management. The weighting of the domains has also changed: Domain 1 – Information Security Governance has been raised from 23% to 24%; Domain 2 – Information Risk Management and Compliance has been raised from 22% to 33%; the combined Domain 3 – Information Security Program Development and Management has dropped from a combined total of 41% to 25%; and the last domain, Domain 4 – Information Security Incident Management, has been raised from 14% to 18%.

Domain 1 changes include expanded task and knowledge statements with the emphasis being on “Establishing and maintaining” versus “Developing and Identifying.”

Domain 2 changes include a substantial increase in the focus on Compliance. Additional task and knowledge statements have been added which, as in Domain 1, shift the focus to “Establishing and maintaining” as well as adding in the statements for “Managing information risk to an acceptable level to meet the business and compliance requirements of the organization.” (Source: ISACA’s CISM Review Manual 2012 p. 76)

Domain 3 combines the old Domain 3 and Domain 4, so Information Security Program Development and Management now sits in a single domain. As with the first two domains, the emphasis has shifted here as well, from establishing to establishing and maintaining.

Domain 4 shows the same shift in emphasis: 6 of the 10 task statements start with “Establish and Maintain,” whereas in the 2011 version not a single task statement started that way.

Clearly management is expected to take a more active role in information security management, and the expanded role definitions in Domain 1 make it clear that management is being tasked with active participation in information security.

Kenneth Magee

Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.
