ISACA® CISM® study guide mind map


1. CISM Exam Passing Principles

2. The job profile of the CISM® (Certified Information Security Manager), published in the autumn of 2002, is a reaction to continuously changing market requirements and is addressed to individuals who are responsible for managing information security.

2.1. Covers

2.1.1. It covers 4 domains, 37 tasks and 60 knowledge statements (statements covering the required technical knowledge).

2.2. Designation

2.2.1. The CISM® certification / designation reflects a solid achievement record in managing information security, as well as in such areas as risk analyses, risk management, security strategy, security organisation etc.

2.3. The CISM® job profile was published at the end of 2002 and was revised for a second time for the 2012 examination.

3. Official Recommended exam study materials

3.1. Glossary

3.2. Development Guides

3.2.1. ISACA® CISM® Item Development Guide

3.2.2. ISACA® CISM® QAE Item Development Guide

3.3. ISACA® CISM® Review Manual 2015

3.4. ISACA® CISM® Review Questions, Answers & Explanations Manual 2014

3.5. ISACA® CISM® Review Questions, Answers & Explanations Manual 2015 Supplement

3.6. ISACA® CISM® Practice Question Database

4. CISM® Official website

5. Basic security related definitions (from ISACA® CISM® perspective)

5.1. Access

5.2. Architecture

5.3. Attacks

5.4. Auditability

5.5. Authentication

5.6. Authorization

5.7. Availability

5.8. Business Model for Information Security (BMIS)

5.8.1. Has 4 elements: Organization Design and Strategy, People, Process, Technology

5.9. Business dependency analysis

5.10. Business impact analysis

5.11. Confidentiality

5.12. Countermeasures

5.13. Criticality

5.14. Data classification

5.15. Enterprise Architecture

5.16. Exposures

5.17. Gap analysis

5.18. Governance

5.19. Identification

5.20. Impact

5.21. Integrity

5.22. Layered security

5.23. Management

5.24. Nonrepudiation

5.25. Risk / Residual risk

5.26. Security

5.26.1. A structured deployment of risk-based controls related to people, processes and technology

5.26.2. Security is a business-driven activity.

5.27. Security domains

5.28. Security metrics

5.29. Sensitivity

5.30. Standards

5.31. Strategy

5.32. Threats

5.33. Trust models

5.34. Vulnerabilities

6. Domain 1: Information Security (InfoSec) Governance

6.1. Domain 1 - CISM® Exam Relevance

6.1.1. The content area for Domain 1 will represent ... 24% of the CISM® examination (62 questions)

6.2. Security is here to support the interests and needs of the organization – not just the desires of security

6.3. Security is always a balance between cost and benefit; security and productivity

6.4. Corporate Governance

6.4.1. What is it? Corporate governance is the set of responsibilities and practices exercised by the board and executive management

6.4.2. Goals: providing strategic direction; reaching security and business objectives; ensuring that risks are managed appropriately; verifying that the enterprise’s resources are used responsibly

6.5. Goal of Information Security

6.5.1. The goal of information security is to protect the organization’s assets, individuals and mission. This requires: asset identification; classification of data and systems according to criticality and sensitivity; application of appropriate controls

6.6. Business Case Development

6.6.1. The business case for initiating a project must be captured and communicated: reference, context, value proposition, focus, deliverables, dependencies, project metrics, workload, required resources, commitments. The business case for security must address the same criteria.

6.7. Security Integration

6.7.1. Security needs to be integrated INTO the business processes

6.7.2. Goal: reduce security gaps through organization-wide security programs

6.7.3. Integrate IT with: physical security; risk management; privacy and compliance; business continuity management

6.8. Information Security Governance

6.8.1. Outcomes of effective InfoSec governance: strategic alignment; risk management; value delivery; resource management; performance measurement; integration

6.8.2. Benefits of effective InfoSec governance: compliance and protection from litigation or penalties; cost savings through better risk management; avoiding the risk of lost opportunities; better oversight of systems and business operations; opportunity to leverage new technologies to business advantage; improved trust in customer relationships; protecting the organization’s reputation; better accountability for safeguarding information during critical business activities; reduction in loss through better incident handling and disaster recovery

6.9. Information Security Architecture

6.9.1. Information security architecture is similar to physical architecture: requirements definition; design / modeling; creation of detailed blueprints; development and deployment

6.9.2. Architecture is planning and design to meet the needs of the stakeholders

6.9.3. Security architecture is one of the greatest needs for most organizations

6.10. Information Security Frameworks

6.10.1. Effective information security is provided through adoption of a security framework, which: defines information security objectives; aligns with business objectives; provides metrics to measure compliance and trends; standardizes baseline security activities enterprise-wide

6.10.2. Examples of other security frameworks: SABSA (Sherwood Applied Business Security Architecture); Business Model for Information Security (a model that originated at the Institute for Critical Information Infrastructure Protection); COBIT; COSO; ISO27001:2013 (Goal, Contains)

6.11. Information Security Program

6.11.1. Objectives: ensure the availability of systems and data (e.g.); protect the integrity of data and business processes (e.g.); protect the confidentiality of information (e.g.)

6.11.2. Priorities: achieve high standards of corporate governance; treat information security as a critical business issue; create a security-positive environment; have declared responsibilities

6.11.3. Security versus business: security must be aligned with business needs and direction; security is woven into the business functions (strength, resilience, protection, stability, consistency)

6.11.4. Starts with theory and concepts: policy

6.11.5. Interpreted through: procedures, baselines, standards

6.11.6. Measured through audit

6.11.7. Information Security Concepts

6.11.8. Evaluating the security program: audit and assurance of security; metrics are used to measure results (measure security concepts that are important to the business; use metrics that can be used for each reporting period; compare results and detect trends); Key Performance Indicators (KPIs) are thresholds to measure; a KPI is set at a level that indicates action should / must be taken

6.11.9. End-to-end security: security must be enabled across the organization – not just on a system-by-system basis; performance measures should ensure that security systems are integrated with each other; layered defenses

6.12. Information Security Strategy

6.12.1. Developing an information security strategy: long-term perspective; standard across the organization; aligned with business strategy / direction; understands the culture of the organization; reflects business priorities

6.12.2. Achieving the desired state is a long-term goal of a series of projects

6.12.3. Goal: protect the organization’s information assets

6.12.4. Objectives: the 6 defined outcomes of security governance provide high-level guidance to the information security strategy; objectives are defined, supported by metrics (measurable) and provide guidance; the long-term objectives describe the “desired state” and should describe a well-articulated vision of the desired outcomes for a security program; security strategy objectives should be stated in terms of specific goals directly aimed at supporting business activities

6.12.5. Elements: Road map (includes people, processes, technologies and other resources; a security architecture defining business drivers, resource relationships and process flows). Resources: policies; standards; procedures; guidelines; architecture; controls; countermeasures; layered defenses; technologies; personnel security; organizational structure; roles and responsibilities; skills; training; awareness and education; audits; compliance enforcement; vulnerability analysis; risk assessment; business impact assessment; resource dependency analysis; third-party service providers; other organizational support and assurance providers; facilities; environmental security. Constraints: legal; physical; ethics; culture; costs; personnel; organizational structure; resources; capabilities; time; risk tolerance

6.12.6. Information security strategy business linkages: start with understanding the specific objectives of a particular line of business; take into consideration all information flows and processes that are critical to ensuring continued operations; enable security to be aligned with and support the business at strategic, tactical and operational levels

6.12.7. Desired state of security: the “desired state of security” must be defined in terms of attributes, characteristics and outcomes; it should be clear to all stakeholders what the intended security state is. Available approaches that provide a framework to achieve a well-defined “desired state”: COBIT (Control Objectives for Information and related Technology); Capability Maturity Model (CMM); Balanced Scorecard (BSC); Enterprise Architecture approaches

6.13. Effective Security Metrics

6.13.1. Criteria: meaningful, accurate, cost-effective, repeatable, predictive, actionable, genuine

6.13.2. Types: performance metrics; risk management metrics; value delivery metrics; resource management metrics; strategic alignment metrics

6.13.3. Set metrics that will indicate the health of the security program: incident management; degree of alignment between security and business development (was security consulted? were controls designed into the systems or added later?)

6.13.4. Choose metrics that can be controlled: measure items that can be influenced or managed by local managers / security, not external factors such as the number of viruses released in the past year; have clear reporting guidelines; monitor on a regularly scheduled basis

6.14. The Maturity of the Security Program Using CMM

6.14.1. 0: Nonexistent—No recognition by organization of need for security

6.14.2. 1: Ad hoc—Risks are considered on an ad hoc basis—no formal processes

6.14.3. 2: Repeatable but intuitive—Emerging understanding of risk and need for security

6.14.4. 3: Defined process—Companywide risk management policy/security awareness

6.14.5. 4: Managed and measurable—Risk assessment standard procedure, roles and responsibilities assigned, policies and standards in place

6.14.6. 5: Optimized—Organization-wide processes implemented, monitored and managed

6.15. Roles and Responsibilities

6.15.1. Senior management commitment / buy-in: to be successful, information security must have the support of senior management (top-down); a bottom-up management approach to information security activities is much less likely to be successful; senior management gives the tone at the top

6.15.2. Board of directors / senior management: information security governance / accountability

6.15.3. Steering committee: ensuring that all stakeholders impacted by security considerations are involved; oversight and monitoring of the information security program; acts as liaison between management, business, information technology and information security; ensures all stakeholder interests are addressed; oversees compliance activities

6.15.4. Executive management: implementing effective security governance; defining the strategic security objectives; developing an effective information security strategy; budget and support

6.15.5. Chief Information Security Officer (CISO): responsible for information security related activity; compliance; investigation; testing; policy

6.15.6. Business manager: responsible for security enforcement and direction in their area; day-to-day monitoring; reporting; disciplinary actions; compliance

6.15.7. IT staff: responsible for security design, deployment and maintenance; system and network monitoring; reporting; operation of security controls; compliance

6.16. Reporting and Compliance

6.16.1. Reporting, Performance

6.16.2. Privacy

6.16.3. Regulations

6.16.4. Laws

6.16.5. Industry standards: Payment Card Industry (PCI); Basel II

6.16.6. Effect of regulations: potential impact of a breach (cost, reputation); scheduled reporting requirements (frequency, format)

6.16.7. Reporting and analysis: data gathering at source (accuracy, identification); reports signed by an organizational officer

6.17. Ethics

6.17.1. Rules of behaviour: legal, corporate, industry, personal

6.17.2. Ethical responsibility: responsibility to all stakeholders (customers, suppliers, management, owners, employees, community)

6.17.3. ISACA Code of Ethics (required for all ISACA certification holders): support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems; perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices; serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession; maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority (such information shall not be used for personal benefit or released to inappropriate parties); maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence; inform appropriate parties of the results of work performed, revealing all significant facts known to them; support the professional education of stakeholders in enhancing their understanding of information systems security and control.

7. Domain 2: Information Risk Management and Compliance

7.1. Domain 2 - CISM® Exam Relevance

7.1.1. The content area for Domain 2 will represent ... 33% of the CISM® examination (62 questions)

7.2. Risk Management

7.2.1. Risk is a function of the likelihood of a threat-source exercising a vulnerability and the resulting impact of that adverse event on the mission of the organization

7.2.2. Risk management objective: the objective of risk management is to identify, quantify and manage information security risk, and to reduce risk to an acceptable level through the application of risk-based, cost-effective controls

7.2.3. Risk terms: asset; threat; vulnerability (weaknesses in security controls); likelihood (probability); impact (consequence). An exploit of a vulnerability by a threat may lead to an exposure; an exposure is measured by the impact it has on the organization or on the ability of the organization to meet its mission (examples: direct and indirect financial losses). Aggregate risk is where several smaller risk factors combine to create a larger risk (the perfect storm scenario). Cascading risks are the effect of one incident leading to a chain of adverse events (domino effect).

7.2.4. Defining the risk environment/context: the most critical prerequisite to a successful risk management program is understanding the organization, including: key business drivers; the organization’s SWOT (strengths, weaknesses, opportunities and threats); the organization’s PESTLE; internal and external stakeholders; organizational structure and culture; assets (resources, information, customers, equipment); goals and objectives, and the strategies already in place to achieve them

7.2.5. Threats to information and information systems are related to: confidentiality, availability, authentication, integrity, access control, privacy, nonrepudiation, compliance

7.2.6. Risk Assessment Methodology

7.2.7. Data gathering techniques: checklists; prompt list (risk breakdown structure (RBS)); cause and effect diagrams; surveys/questionnaires; observation; workshops; group techniques (brainstorming, nominal group, Delphi); individual interviews; assumption analysis; constraints analysis

7.2.8. Risk assessment: risk assessment measures impact and likelihood; business impact analysis measures impact over time; related disciplines, but not the same; BIA must be done periodically to determine how risk and impact levels increase over time; set priorities for critical business functions

7.2.9. Risk treatment: risk treatment takes the recommendations from the risk assessment process and selects the best choice for managing risk at an acceptable level. Related concepts: risk appetite; risk tolerance; risk acceptance; residual risk; cost/benefit; priorities. Risk treatment options: for threats (-); for opportunities (+); for threats & opportunities; effect of responses. Risk mitigation and controls: controls (safeguards/countermeasures) are implemented in order to reduce a specified risk; control recommendations; cost benefit analysis of controls; categories of security controls; security control types; security control baselines

7.3. Training, Education and Awareness

7.3.1. Training and awareness: the most effective control to mitigate risk is training of all personnel; educate on policies, standards, practices; creates accountability. End users should receive training on: the importance of adhering to information security policies, standards and procedures; clean desk policy; responding to incidents and emergencies; privacy and confidentiality requirements; the security implications of logical access in an IT environment

7.3.2. National Initiative for Cybersecurity Education (NICE). Reference: NICE is part of the Comprehensive National Cybersecurity Initiative (CNCI), where government and industry collaborated to create a training and educational framework for the cybersecurity workforce

7.3.3. Security Education, Training and Awareness (SETA). Reference: NIST SP800-50, Building an IT Security Awareness and Training Program. Awareness: orientation briefs and materials to inform and remind employees of their security responsibilities and management’s expectations. Training: courses and materials to provide employees the necessary skills to perform their job functions. Education: courses and materials to provide employees the necessary decision-making and management skills to improve their promotional ability and mobility

8. Domain 3: Information Security (InfoSec) Program Development and Management

8.1. Domain 3 - CISM® Exam Relevance

8.1.1. The content area for Domain 3 will represent ... 25% of the CISM® examination (62 questions)

9. Domain 4: Information Security (InfoSec) Incident Management

9.1. Domain 4 - CISM® Exam Relevance

9.1.1. The content area for Domain 4 will represent ... 18% of the CISM® examination (62 questions)

10. Overview of the CISM® certification

10.1. About the CISM® exam

10.1.1. CISM® exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards.

10.1.2. PBE & CBE (only pencil & eraser are allowed). PBE - Paper based exam. CBE - Closed book exam.

10.1.3. 4 hour exam.

10.1.4. 200 multiple choice questions designed with one best answer.

10.1.5. No negative points.

10.1.6. Pre-requisite for exam: none

10.1.7. Pre-requisite for certification: Read CISM® Application Form

11. Interactive Glossary

11.1. Interactive CISM® Glossary

12. This freeware, non-commercial mind map (aligned with the newest version of the CISM® exam) was carefully hand crafted with passion and love for learning and constant improvement, as well as for promoting the CISM® qualification and as a learning tool for candidates wanting to gain the CISM® qualification. (Please share and give feedback; your feedback and comments are my main motivation for further elaboration. THX!)

12.1. Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Feel free to visit my website:

12.1.6. miroslaw_dabrowski