
CERTIFIED INFORMATION SECURITY MANAGER (CISM)

The ISACA Certified Information Security Manager (CISM) certification promotes international information security practices and recognizes individuals who manage, design, oversee, and assess an enterprise’s information security. It was introduced in 2002 and is widely recognized, with more than 28,000 IT professionals holding the certification worldwide.

The CISM Exam Preparation course is a classroom-based training program that provides a comprehensive review of the knowledge domains essential to the role, together with exam preparation exercises to help participants pass the exam on their first attempt. Delivered in five training days, the course is designed to make efficient use of time and minimize time away from work. Research has shown this approach to be significantly more effective than self-study, which demands more time and discipline.

This course is a component of our ISACA Examination Preparation Programme, designed to provide a focused and thorough preparation to assist candidates in passing exams such as CISA, CISM, CGEIT, or CRISC.

WHAT YOU WILL LEARN:

The demand for proficient information security management professionals is increasing, and the CISM certification is the globally recognized benchmark of excellence in this field. CISM-certified individuals possess a deep understanding of business operations. They are adept at managing and aligning technology with the needs of their organization and industry.

Our unique study program includes:

  • An initial assessment of CISM knowledge
  • Classroom presentations on crucial topics
  • Individual and team exercises, as well as discussion sessions
  • Final exam preparation, including sample practice questions

The instructor will cover the following CISM job practice domains during the course:

Domain 1: Information Security Governance

This domain focuses on establishing and maintaining an information security governance framework and its supporting processes, so that the information security strategy is aligned with the organization’s goals and objectives.

Task Statements

  • Craft and sustain an information security strategy that aligns with the objectives and goals of the organization. This strategy will guide the establishment and ongoing management of the information security program.
  • Create and uphold an information security governance framework. This framework will serve as a guide for activities supporting the information security strategy.
  • Incorporate information security governance into the broader corporate governance structure. This integration ensures that the organizational goals and objectives are reinforced by the information security program.
  • Formulate and uphold information security policies that direct the development of standards, procedures, and guidelines, all in alignment with the enterprise’s goals and objectives.
  • Construct business cases that justify investments in information security.
  • Identify both internal and external influences affecting the organization. These can include emerging technologies, social media, the business environment, risk tolerance, regulatory requirements, considerations related to third-party entities, and the evolving threat landscape. Addressing these factors is crucial to maintaining the relevance of the information security strategy.
  • Secure ongoing commitment from senior leadership and other stakeholders to ensure the successful implementation of the information security strategy.
  • Define, communicate, and oversee information security responsibilities across the organization. This includes roles like data owners, data custodians, end users, and privileged or high-risk users, while also establishing clear lines of authority.
  • Establish, monitor, assess, and report key information security metrics. These metrics provide management with accurate and meaningful insights into the effectiveness of the information security strategy.


Domain 2: Information Risk Management

This domain focuses on managing information risk to an acceptable level, based on the organization’s risk appetite, in support of its goals and objectives.

Task Statements

  • Develop and maintain a process for classifying information assets, ensuring that protective measures match their business value.
  • Identify legal, regulatory, organizational, and other relevant requirements to mitigate the risk of noncompliance to acceptable levels.
  • Consistently conduct risk assessments, vulnerability assessments, and threat analyses to identify and evaluate risks to the organization’s information.
  • Propose and implement suitable risk treatment/response options to bring risks within acceptable levels, in line with the organization’s risk appetite.
  • Evaluate the appropriateness of information security controls and their effectiveness in managing risks to an acceptable level.
  • Foster the integration of information risk management into business and IT processes such as systems development, procurement, and project management, ensuring a unified and comprehensive information risk management program across the organization.
  • Continuously monitor internal and external factors (e.g., key risk indicators [KRIs], the threat landscape, geopolitical changes, regulatory updates) that may necessitate a reevaluation of risks, ensuring that changes in existing or new risk scenarios are identified and managed effectively.
  • Report instances of noncompliance and other alterations in information risk to support the decision-making process in risk management.
  • Communicate information security risk to senior management, aiding their understanding of potential impacts on organizational goals and objectives.

Domain 3: Information Security Program Development and Management

This domain focuses on establishing and managing the information security program in alignment with the information security strategy, so that the program delivers business value while protecting the organization.

Task Statements

  • Create and sustain the information security program in accordance with the organization’s information security strategy.
  • Align the information security program with the operational goals of various business functions (e.g., HR, finance, procurement, and IT) to ensure it enhances business value while safeguarding the organization.
  • Identify, procure, and oversee the necessary internal and external resources required to execute the information security program.
  • Establish and maintain the essential information security processes, as well as the required resources such as personnel and technologies, to execute the program in harmony with the organization’s business objectives.
  • Develop, communicate, and maintain organizational standards, guidelines, procedures, and other documents that steer and enforce compliance with information security policies.
  • Institute, promote, and sustain an information security awareness and training program to cultivate a culture of effective security.
  • Infuse information security requirements into organizational processes (e.g., change management, mergers and acquisitions, system development, business continuity, disaster recovery) to uphold the organization’s security strategy.
  • Embed information security requirements into contracts and activities involving third parties (e.g., joint ventures, outsourced providers, business partners, customers) and oversee adherence to established requirements to uphold the organization’s security strategy.
  • Establish, monitor, and analyze program management and operational metrics to assess the efficiency and effectiveness of the information security program.
  • Compile and deliver reports to key stakeholders regarding the activities, trends, and overall performance of the information security program and the underlying business processes to communicate security effectiveness.

Domain 4: Information Security Incident Management

This domain focuses on planning, establishing, and managing the capability to detect, investigate, respond to, and recover from information security incidents in order to minimize their impact on the business.

Task Statements

  • Develop and uphold a clear organizational definition of information security incidents and a severity hierarchy to accurately classify and categorize incidents and respond appropriately.
  • Create and maintain an incident response plan to ensure a swift and effective reaction to information security incidents.
  • Formulate and put in place processes to promptly identify information security incidents that could potentially harm the business.
  • Establish and maintain processes for investigating and documenting information security incidents while adhering to legal, regulatory, and organizational requirements to determine the right response and root cause.
  • Set up and maintain incident notification and escalation processes to ensure that the relevant stakeholders are engaged in managing incident responses.
  • Prepare, train, and equip incident response teams to effectively and promptly address information security incidents.
  • Regularly test, review, and, if necessary, revise the incident response plan to ensure it remains effective and to enhance response capabilities.
  • Develop and maintain communication plans and processes for managing communication with both internal and external entities.
  • Conduct post-incident reviews to identify the root causes of information security incidents, devise corrective actions, reassess risks, evaluate response effectiveness, and take appropriate remedial actions.
  • Establish and maintain integration between the incident response plan, business continuity plan, and disaster recovery plan to ensure a coordinated approach to incident management.

EXAMINATION DETAILS

This training course does not include the CISM exam itself. Candidates are responsible for booking their Computer-Based Testing (CBT) exam session directly with ISACA. Our experience has shown that candidates have the highest chance of success when they schedule the exam approximately two to four weeks after completing this training course.


WHO SHOULD PARTICIPATE IN THIS COURSE?

This course is specifically designed for IT professionals who are preparing to take the ISACA Certified Information Security Manager (CISM) examination via a Computer-Based Testing (CBT) session. The CBT sessions are available during three testing windows per year.


ENTRY REQUIREMENTS

There are no mandatory prerequisites for attending this course. Note, however, that this is an exam preparation course: all participants are expected to have a fundamental understanding of the CISM job practice knowledge domains.


DURATION

The training course runs for a minimum of 5 training days and up to a maximum of 2 months, with classes held every Saturday or every Sunday.