Description of the Certification and Examination
The CISM exam covers five information security management areas, each of which is further defined and detailed through task and knowledge statements. These areas and statements were developed by the CISM Certification Board and represent a job practice analysis of the work performed by information security managers, as validated by prominent industry leaders, subject matter experts and industry practitioners. The following is a brief description of these areas, their definitions, and the approximate percentage of test questions allocated to each area.
Select a title for a list of specific task and knowledge statements that represent a current market perspective of what is performed and what should be known by information security managers. This information provides the basis for the CISM exam.

CISM will encompass the following areas:
Information Security Governance (21%)
Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.
Tasks and Knowledge Statements

Risk Management (21%)
Identify and manage information security risks to achieve business objectives.
Tasks and Knowledge Statements

Information Security Program(me) Management (21%)
Design, develop and manage an information security program(me) to implement the information security governance framework.
Tasks and Knowledge Statements

Information Security Management (24%)
Oversee and direct information security activities to execute the information security program(me).
Tasks and Knowledge Statements

Response Management (13%)
Develop and manage a capability to respond to and recover from disruptive and destructive information security events.
Tasks and Knowledge Statements