A test of expertise
other security certifications discussed in this series, CISM is for experienced
information security professionals. Do you have what it takes to get this certification?
Information Security is surely going places. Apart from the growing number
of security professionals aspiring to be certified, new certifications are being
added. The latest is Certified Information Security Manager (CISM) from Information
Systems Audit and Control Association (ISACA), a body that has been offering
the CISA certification for more than twenty-five years.
How does the latest certification differ from the old and established certificates?
ISACA states that CISM is not an entry-level certification. "It is specifically
developed for information security professionals, who have acquired experience
working on the front lines of information security, and have five years or more
of experience managing the information security function of an enterprise."
How does CISM test the knowledge of such an experienced security professional?
CISM defines five practice areas in which the expertise of an information
security manager is tested. For each practice area, the main tasks have been
defined, followed by knowledge statements, which explain the specific areas
of expertise required for that practice area. The percentages in parentheses
signify the weight given to each domain in the examination.
1. Information Security Governance (21%)
Under this topic, the information security manager is expected to establish
and maintain a framework to provide assurance that information security strategies
are aligned with the business objectives and consistent with applicable laws.
This domain takes a high-level view of information security.
It begins with establishing information security objectives to support the business
objectives and operations. This requires obtaining senior management commitment
by issuing overall policy directives, establishing a steering group, identifying
security management roles, responsibilities and organizational structure. The
domain further deals in other areas of information security governance like
risk management, data classification management, network security, system access,
centralized vs. decentralized approaches to coordinate information security,
understanding legal and regulatory issues, and insurance policies covering information
security risks. The domain also dwells upon designing information security programs
with appropriate policies linking with business objectives, procedures, guidelines,
information security process improvement models, and various international standards
for information security management.
This is a very broad domain, requiring a wide understanding of the philosophy of information
security management, of the various models and approaches, and of how to integrate information
security into the corporate culture.
2. Risk Management (21%)
This domain expects you to identify and manage information security risks to
achieve business objectives.
Risk management is the focal point of any security program. It
starts with valuing information resources and classifying information.
You should also be familiar with the concepts of a security baseline and of cycle-based
risk management. Knowledge of the various quantitative and qualitative methods for
determining the sensitivity and criticality of information resources, as outlined in
standard methods like COBIT, NIST and OCTAVE, is required. The analysis of threats,
vulnerabilities and exposures affecting the confidentiality, integrity and availability
of resources also needs to be understood. Next in line are business impact analysis,
the recovery time objective (RTO), and business continuity and contingency planning
objectives and processes. Finally, the various risk mitigation strategies, from
physical security measures to application security measures, need to be understood.
Subject matter covered in this domain is very relevant to
information security management implementation. Once again, the domain requires
you to read a vast amount of literature to bring yourself up to date.
3. Information Security Program Management (21%)
This domain deals with design, development and management of information security
programs to implement the information security governance framework.
This is the third step in implementation of information security management
in an organization, after creating the framework and performing risk assessment
and business impact analysis.
Candidates should have good knowledge of project management
techniques, as the success of an information security program lies in strong
project management. The next area of expertise is information security architectures,
such as rule-based and list-based system access, single sign-on, etc., and the various
security technologies: firewalls, IDS, PKI, wireless security, Web security,
application security, etc. This further requires knowledge of security procedures and
guidelines, of security as part of the system development lifecycle, and of security
testing, security certification and accreditation. You should be able to do
a cost/benefit analysis of the various physical, administrative and technical controls,
design and implement security metrics, and also evaluate vendor service
level agreements and prepare contracts.
Obviously, this domain thoroughly tests the technical and administrative knowledge
of the candidate.
4. Information Security Management (24%)
This domain tests your skills to oversee and direct information security activities,
to execute the information security program.
This is the implementation phase of information security, where God is in
the details. You have to ensure that the information security policy designed for
the enterprise does get implemented across the organization through technical
and procedural measures. The administrative procedures should be designed
to ensure compliance with policies. Even outsourced providers should be
covered. Metrics should be used to measure and monitor the effectiveness and
efficiency of information security controls and their compliance with information
In the ever-changing world of security, care should be taken that the security
management is not compromised due to inadequate change management procedures.
Periodic vulnerability assessments should be performed to evaluate the effectiveness
of existing controls. This calls for a good understanding of various vulnerability
assessment techniques. Lastly, the information security manager has to bring
about a cultural change in the organization, by making the organization more
aware of its security responsibilities. This requires knowledge of various techniques,
which could bring about this change in the organization without undue resistance.
5. Response Management (13%)
In this domain, you have to demonstrate the understanding of how to develop
and manage capability to respond to and recover from disruptive and destructive
information security events.
Each security-related event has to be detected, identified and
analyzed, and appropriate action has to be taken. This requires a response management
process as well as a response and recovery plan. Disaster recovery planning and
business continuity planning need to be formulated with a proper understanding
of recovery time objectives (RTO) and recovery point objectives (RPO). Incident
response teams need to be organized, trained and equipped to deal with every
eventuality. The adequacy of the plans, as well as the preparedness of the teams, needs
to be tested periodically. Test plans, beginning with tabletop testing and going up to
full simulations, have to be prepared. This requires good documentation to track
the test results and improve procedures, as well as to take follow-up actions
for each real-life incident. This may also include forensic analysis. Post-event,
corrective and preventive actions have to be initiated.
The last domain tests the understanding of the preparation required to handle and
manage any type of security incident.
As I have done in the previous articles, I have compared the CISM syllabus with
CISM covers all the areas required by BS7799, which is not surprising: after
all, both deal with information security management. Of course, the emphasis
on some areas, like correlating information security strategies with business
objectives and operations, is more explicit in CISM, whereas it is assumed to
be present in BS7799. Secondly, CISM requires the design and implementation
of security metrics. BS7799 does not require this, but it is assumed that, to
identify the measurable ISMS improvement required in clause 7, the information security
manager will deploy appropriate security metrics.
If you have the requisite information security experience and already hold the
CISA designation, it may be a good idea to aim for CISM. From a market visibility
point of view, CISSP is more visible, but CISM will catch up in due course. One impediment
to the growth of CISM could be that the examination is held only once a year,
so if you miss the opportunity in June, you have to wait until next June.
How to become a CISM?
Since this certificate is offered by ISACA, it has similar guidelines as stipulated
for getting the CISA designation. Remember, passing the examination is just
the first step.
1. Successful completion of the CISM examination
The examination is conducted once a year, on the second Saturday of June, so
the next examination is scheduled for 12th June 2004. The examination consists
of 200 multiple-choice questions to be answered within four hours. The approximate
percentage of questions asked from each domain is given in brackets after each
domain title. The passing score is 75 percent, which means that if you pass
the exam, you have scored marks that put you in the top 25 percent.
2. Information security work experience
You need to have a minimum of five years of information security
work experience, with a minimum of three years of information security management
experience in three or more of the job practice areas. You can get a waiver
of up to two years if you are a CISA or CISSP, but there are no waivers for information
security management experience.
3. Adherence to the Code of Professional Ethics, and
agreement to comply with continued education policy.
Get more details from the website www.isaca.org.
CISM domains and the corresponding BS7799 clauses and control areas:
1. Information Security Governance
    Clauses 4.2.1 a and b
    Establish the ISMS
    Clauses 5.1 & 5.2
    Asset classification and control
2. Risk Management
    Clauses 4.2.1 c to h
3. Information Security Program Management
    Physical and environmental security
    Communication and operations management
    System development and maintenance
4. Information Security Management
    Implement and operate the ISMS
    Monitor and review the ISMS
    Maintain and improve the ISMS
    Clauses 6.1 to 6.4
    Management review of the ISMS
    Clauses 7.1 to 7.3
    ISMS improvement
5. Response Management
    Business continuity management