CISM Certification

Risk Management

Identify and manage information security risks to achieve business objectives.

Tasks

  • Develop a systematic, analytical and continuous risk management process.
  • Ensure that risk identification, analysis and mitigation activities are integrated into life cycle processes.
  • Apply risk identification and analysis methods.
  • Define strategies and prioritize options to mitigate risk to levels acceptable to the enterprise.
  • Report significant changes in risk to appropriate levels of management on both a periodic and event-driven basis.

Knowledge Statements

  • Knowledge of information resources used in support of business processes
  • Knowledge of information resource valuation methodologies
  • Knowledge of information classification
  • Knowledge of the principles of development of baselines and their relationship to risk-based assessments of control requirements
  • Knowledge of life-cycle-based risk management principles and practices
  • Knowledge of threats, vulnerabilities and exposures associated with confidentiality, integrity and availability of information resources
  • Knowledge of quantitative and qualitative methods used to determine sensitivity and criticality of information resources and the impact of adverse events
  • Knowledge of the use of gap analysis to assess the current state of information security management against generally accepted standards of good practice
  • Knowledge of recovery time objectives (RTO) for information resources and how to determine RTO
  • Knowledge of RTO and how it relates to business continuity and contingency planning objectives and processes
  • Knowledge of risk mitigation strategies used in defining security requirements for information resources supporting business applications
  • Knowledge of cost-benefit analysis techniques for assessing options to mitigate risks, threats and exposures to acceptable levels
  • Knowledge of managing and reporting status of identified risks
© 2006 Information Systems Audit and Control Association (ISACA) All rights reserved.