Information Security Management

Oversee and direct information security activities to execute the information security program(me).

Tasks

  • Ensure that the rules of use for information systems comply with the enterprise's information security policies.
  • Ensure that the administrative procedures for information systems comply with the enterprise's information security policies.
  • Ensure that services provided by other enterprises, including outsourced providers, are consistent with established information security policies.
  • Use metrics to measure, monitor and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
  • Ensure that information security is not compromised throughout the change management process.
  • Ensure that vulnerability assessments are performed to evaluate effectiveness of existing controls.
  • Ensure that noncompliance issues and other variances are resolved in a timely manner.
  • Ensure the development and delivery of the activities that can influence culture and behavior of staff, including information security education and awareness.

Knowledge Statements

  • Knowledge of how to translate information security policies into operational use
  • Knowledge of information security administration process and procedures
  • Knowledge of methods for managing the implementation of the enterprise's information security program(me) through third parties, including trading partners and security services providers
  • Knowledge of continuous monitoring of security activities in the enterprise's infrastructure and business applications
  • Knowledge of methods used to manage success/failure in information security investments through data collection and periodic review of key performance indicators
  • Knowledge of change and configuration management activities
  • Knowledge of information security management due diligence activities and reviews of the infrastructure
  • Knowledge of liaison activities with internal/external assurance providers performing information security reviews
  • Knowledge of due diligence activities, reviews and related standards for managing and controlling access to information resources
  • Knowledge of external vulnerability reporting sources, which provide information that may require changes to information security in applications and infrastructure
  • Knowledge of events affecting security baselines that may require risk reassessments and changes to information security requirements in security plans, test plans and reperformance
  • Knowledge of information security problem management practices
  • Knowledge of information security manager facilitative roles as change agents, educators and consultants
  • Knowledge of the ways in which culture and cultural differences affect the behavior of staff
  • Knowledge of the activities that can change culture and behavior of staff
  • Knowledge of methods and techniques for security awareness training and education
© 2006 Information Systems Audit and Control Association (ISACA) All rights reserved.
3701 Algonquin Road, Suite 1010, Rolling Meadows, Illinois 60008 USA