CISM® — Certified Information Security Manager

This course focuses on developing the skills necessary to become a Certified Information Security Manager (CISM®), with an emphasis on emerging technologies such as artificial intelligence and blockchain.

Why should you attend?

The Certified Information Security Manager (CISM®) validates your ability to assess risks, implement effective governance, and proactively respond to incidents. With a focus on emerging technologies such as AI (artificial intelligence) and blockchain, it ensures that your skill set addresses security threats and evolving industry requirements. Addressing top concerns such as data breaches and ransomware attacks, essential for IT professionals, this certification ensures that you stay ahead of the pace of change.

Target audience

Professionals preparing to become CISM certified.
Individuals certified in CISA or CISSP looking to move into information security management.
Professionals in general security management who wish to shift towards information security.
Information security managers.

Learning objectives

Upon completion of this course, you will be able to:

• Explain the relationship between executive leadership, enterprise governance, and information security governance.

• Outline the components used to build an information security strategy.

• Explain how the risk assessment process influences the information security strategy.

• Articulate the process and requirements used to develop an effective information risk response strategy.

• Describe the components of an effective information security program.

• Explain the process of building and maintaining an enterprise-level information security program.

• Outline the techniques used to assess the enterprise's capability and readiness to manage an information security incident.

• Outline the methods of measuring and improving response and recovery capabilities.

Requirements for CISM certification

To obtain the CISM certificate, you must have 5 years of experience in information system security within the last 10 years.

Content

Domain 1: Information Security Governance

Enterprise Governance

Organizational Culture
Legal, Regulatory, and Contractual Requirements
Organizational Structures, Roles, and Responsibilities

Information Security Strategy

Development of information security strategy
Governance frameworks and standards for information
Strategic planning (e.g., budgets, resources, business case)

Domain 2: Information Security Risk Management

Information Security Risk Assessment

The emerging landscape of risks and threats
Vulnerability and control deficiency analysis
Risk assessment and analysis

Response to Information Security Risks

Risk treatment/response options
Risk and control ownership
Risk monitoring and reporting

Domain 3: Information Security Program

Development of the Information Security Program

Resources for the information security program (e.g., people, tools, technologies)
Identification and classification of information assets
Industry standards and frameworks for information security
Information security policies, procedures, and guidelines
Metrics for the information security program

Management of the Information Security Program

Design and selection of information security controls
Implementation and integration of information security controls
Testing and evaluation of information security controls
Awareness and training in information security
Management of external services (e.g., vendors, suppliers, third parties, fourth parties)
Communications and reporting of the information security program

Domain 4: Incident Management

Preparation for Incident Management

Incident response plan
Business impact analysis (BIA)
Business continuity plan (BCP)
Disaster recovery plan (DRP)
Incident classification/categorization
Training, testing, and evaluation of incident management

Incident Management Operations

Tools and techniques for incident management
Investigation and evaluation of incidents
Incident isolation methods
Communications in incident response (e.g., reporting, notification, escalation)
Incident eradication and recovery
Post-incident review practices

Trainer

Eliza Popa

I am a Diplomat Economist who has been working with CII organizations for over 30 years. Out of this tenure, 14 years have been dedicated to IT digital transformation projects and operations, followed by over 10 years in information security roles with both end-user organizations and consultancy firms. My professional certifications include CISSP, CISA, CRISC, CISM, CDPSE, CCSK v4, ITIL v3, Oracle SQL DBA, and PECB ISO/IEC 27001 Master, ISO/IEC 27002 Sr. Lead Manager, ISO/IEC 27005 Sr. Lead Risk Manager, Sr. Lead Cybersecurity Manager, CISO, Sr. Lead Cloud Security Manager, ISO/IEC 38500 Sr. Lead IT Corporate Governance Manager, ISO/IEC 20000 Sr. Lead Auditor, ISO 37301 Sr. Lead Implementer, ISO 31000 Sr. Lead Risk Manager, ISO 21502 Sr. Lead Project Manager, and ISO 9001 Sr. Lead Auditor. I provided informal training to CISA and CISSP candidates from 2016 until 2019, when I became an ISC2 Official Training Instructor for CISSP and a PECB Certified Trainer. Furthermore, in 2022 I became an ISC2 Official Training Instructor for CC and a CSA Authorized Trainer for CCSK v4 Foundation and Plus (AWS / Azure labs). My expertise and capabilities captured the attention of PECB, who, in 2023, appointed me to develop and record the eLearning training content and Skills content for ISO/IEC 27001 Lead Implementer and ISO/IEC Lead Auditor courses. https://www.linkedin.com/in/elizapopa/

What is included in the course fee

Official ISACA Training Materials:

The Review Manual, which is a comprehensive reference guide designed to assist individuals in preparing for the CISM exam and to understand the roles and responsibilities of an information systems (IS) auditor.

QAE (Questions, Answers, and Explanations), based on the exam questions, each set of questions and answers includes in-depth explanations for each answer choice, allowing the learner to fully understand the rationale behind each correct and incorrect answer choice.