CISM Course Introduction

Table of Contents

Certified Information Security Manager (CISM)
Overview
CISM Certification Requirements -1
CISM Certification Requirements -2
About the Exam
After the Exam
CISM Domains -1
CISM Domains -2
Notices

Certified Information Security Manager (CISM)

CISM_Intro.pptx

© 2013 Carnegie Mellon University

**001 Jeff Arsenault: All right. Hello, I'm Jeff Arsenault and I'll be your instructor for the Certified Information Security Manager course.

Overview

• Requirements for Certification
• About the Exam
• After the Exam
• CISM Domains

**002 First we'll go over the requirements for the certification for Certified Information Security Manager. We'll go- we'll talk about the exam itself. We'll talk about the requirements after the exam, and then the domains that the course covers.

CISM Certification Requirements -1

CISM is an ISACA certification
• Formerly known as Information Systems Audit and Control Association (now just ISACA)

Requirements for certification
• Pass the CISM Exam
— Passing score valid for five years without required work experience
• Adhere to ISACA’s Code of Professional Ethics
• Agree to comply with Continuing Education Policy
— Maintenance fees and a minimum of 20 CPE hours required annually
— Additionally, a minimum of 120 CPE hours is required during a fixed 3-year period

**003 The certification covers the requirements for CISM certification. So CISM is an ISACA certification. ISACA stands for Information Systems Audit and Control Association; now they just call it ISACA.

The requirement for the actual certification is to pass the exam. This is an exam. A passing score is valid for five years without required work experience. So you can take the exam without actually having all the requirements; but you have five years after taking the exam to get the necessary requirements.

Adhere to ISACA's Code of Professional Ethics and other requirements; and, like with all ISACA certifications, agree to comply with the continuing education policy, which is the maintenance fees associated with it, and a minimum of 20 continuing professional education hours required annually. But you also have to have a minimum of 120 hours during a fixed three-year period. So you have to do more than the bare minimum. You just have to have 20 per year but you need to do more within three years to stay current.

CISM Certification Requirements -2

Requirements for certification (continued)
• Work experience
— Verified minimum of five years of IS work experience
— Including a minimum of three years of IS management work experience in three or more of the domains
— Work experience must be gained within the ten-year period prior to the application date for certification or within five years after passing the exam

**004 The work experience that's required. This is the work experience that you can get in the five years after passing the exam. They include a verified minimum of five years in information security; a minimum of three years in information security management in three or more of the domains, which we'll talk about in the next slide. And the work experience must be gained within the 10-year period prior to the application or within five years after passing the exam. So.

About the Exam

200 questions, 4-hour timeframe
• Information Security Governance (24%)
• Information Risk Management and Compliance (33%)
• Information Security Program Development and Management (25%)
• Information Security Incident Management (18%)

Exam only given twice a year – REPEAT – ONLY TWICE A YEAR!!
• June Exam
— Early Registration: February
— Registration Closes: April
• December Exam
— Early Registration: August
— Registration Closes: October

**005 The actual exam is 200 questions. You have four hours to complete it.

These are the four domains that are covered; and these will be the four blocks that we cover for instruction.

Twenty-four percent of it is information security governance; how to set up an information security program; information risk management and compliance, which is part of your information security management.

Information security program development and management is 25 percent.

And the last part, which is a lot of the information that's new this year for 2013, is information security incident management, with 18 percent.

The exam's only given twice a year, in June and December.

After the Exam

Apply for CISM Certification
• Once the candidate has passed the exam and meets the work experience requirements, the final step is to complete the CISM Application for Certification
• There are three ways to apply: online, download form (PDF), mail
— http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/Apply-for-certification/Pages/Application.htm

**006 After you've finished the exam you can apply for CISM certification. Once the candidate has passed the exam and meets the work experience, the final step is to complete the application for certification. You can do this online, through a PDF or through the mail.

CISM Domains -1

Candidates must have a thorough understanding of the task and knowledge statements in order to pass the CISM exam.

Domain 1 - Information Security (IS) Governance
• Establish and maintain a framework to provide assurance that IS strategies are aligned with business objectives and consistent with applicable laws and regulations.

Domain 2 - Information Risk Management and Compliance
• Identify and manage IS risks to achieve business objectives.

**007 So as I mentioned in the earlier slide there are four domains that will be covered on the test; and that's how we'll cover instruction.

The main one is Information Security Governance; establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives; and consistent with applicable laws and regulations.

The second domain is Information Risk Management and Compliance; identify and manage information security risks and align with business objectives. We'll see this as a recurring theme throughout all the domains that everything we do in information security management has to be aligned with business objectives; and we'll talk about this numerous times.

CISM Domains -2

Domain 3 - IS Program Development and Management
• Create and maintain a program to implement the IS strategy.

Domain 4 - IS Incident Management
• Plan, develop and manage a capability to detect, respond to and recover from IS incidents.

**008 The third domain is IS Program Development and Management; how to create and maintain a program to implement the information security strategy.

And the last domain is Information Security Incident Management: how we're going to respond, detect and recover from information security incidents.

As you'll notice in just describing the four domains there's a lot of crossover; and you'll see a lot of repeated themes throughout.

Notices
© 2014 Carnegie Mellon University
This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their
own individual study.
Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or
used in any other manner without requesting formal permission from the Software Engineering Institute at
permission@sei.cmu.edu.

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003
with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded
research and development center. The U.S. government's rights to use, modify, reproduce, release,
perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial
Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified
contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce
the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S.
government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND
ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF
FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL,
MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
