Online Exam-Prep Tools
With this book, you will unlock unlimited access to our online exam-prep platform (Figure 0.1). This is your place to practice everything you have learned in the book.
Sharpen your understanding of concepts with multiple sets of practice questions and interactive flashcards, accessible from all modern web browsers. If you get stuck, you can raise your concerns with the author directly through the website. Before doing that, make sure to go through the list of resolved doubts as well. These are based on questions asked by other users. Finally, go through the exam tips on the website to make sure you are well prepared.
Who This Book Is For
This book is ideal for IT risk professionals, IT auditors, CISOs, information security managers, and risk management professionals.
What This Book Covers
This book is aligned with the CISM Review Manual (16th Edition; 2022) and encompasses the following topics:
Chapter 1: Enterprise Governance provides an overview of information security governance as a whole. It covers aspects such as the importance of information security governance, the role of organizational culture in information security, and security governance metrics.
Chapter 2: Information Security Strategy discusses information security strategy and highlights areas such as security strategy development, senior management's role in an organization's security strategy, and the security architecture.
Chapter 3: Information Risk Assessment covers the basic aspects of risk management and deals with the basic definition of risk and its components, risk identification, analysis and evaluation, and the security baseline.
Chapter 4: Information Risk Response covers the tools and techniques used for risk response: namely, risk avoidance, risk mitigation, risk transfer, and risk acceptance. The chapter also details change management and risk management integration with the project life cycle.
Chapter 5: Information Security Program Development explores the different procedures and techniques for developing an information security program and also deals with the information security program roadmap.
Chapter 6: Information Security Program Management discusses the basics of information security program management and covers information security program objectives, the security baseline, and security awareness and training.
Chapter 7: Information Security Infrastructure and Architecture defines information security architecture and explores how to implement it effectively.
Chapter 8: Information Security Monitoring Tools and Techniques emphasizes the importance of monitoring tools and techniques and introduces some of the most commonly used and most useful ones, such as intrusion detection systems, intrusion prevention systems, and firewalls.
Chapter 9: Incident Management Readiness sets out what it means to be ready for information security incidents. It covers aspects such as incident classification, business impact analysis, and insurance.
Chapter 10: Incident Management Operations covers the implementation of business continuity and disaster recovery processes and also deals with post-incident review practices.
How to Get the Most Out of This Book
This book is directly aligned with the CISM Review Manual (16th Edition; 2022) from ISACA. It is advisable to stick to the following steps when preparing for the CISM exam:
Step 1: Read this book from end to end.
Step 2: Go through ISACA's QAE book or database.
Step 3: Refer to ISACA's CISM Review Manual.
Step 4: Memorize key concepts using the flashcards on the website.
Step 5: Attempt the online practice question sets. Make a note of the concepts you are weak in, revisit those in the book, and re-attempt the practice questions.
Step 6: Keep repeating the practice question sets until you are able to answer all the questions in each practice set correctly within the time limit.
Step 7: Review exam tips on the website.
CISM aspirants who follow these steps will approach the exam with much greater confidence.
Recorded Lectures
This book is also available in video lecture format along with 200+ exam-oriented practice questions on Udemy. Buyers of this book are entitled to 30% off Hemang Doshi's recorded lectures. For a discount coupon, please write to [email protected].
Requirements for the Online Content
The online content includes interactive elements like practice questions, flashcards, and exam tips. For optimal experience, it is recommended that you use the latest version of a modern, desktop (or mobile) web browser such as Edge, Chrome, Safari, or Firefox.
Instructions for Unlocking the Online Content
To unlock the online content, you will need to create an account on our exam-prep website using the unique sign-up code provided in this book.
Where to find the sign-up code
You can find your unique sign-up code at the start of Chapter 5, Information Security Program Development.
- Create a strong alphanumeric password (2) (minimum 6 characters in length).
- Enter the unique sign-up code (3). Once you have entered the code, click the Sign Up button.
Note
You only need to input the sign-up code once. After your account is created, you will be able to access the website from any device with only your email address and password.
- Upon a successful sign-up, you will be redirected to the dashboard (see Figure 0.5).
Going forward, you will simply need to log in using your email address and password.
Note
If you are facing issues signing up, reach out to [email protected].
Quick Access to the Website
If you have successfully signed up, it is recommended that you bookmark this link for quick access to the website: https://packt.link/cismexamguidewebsite. Click the Login link on the top-right corner of the page to open the login page. Use the credentials you created in Steps 2 and 3 of the Instructions for Unlocking the Online Content section above.
Alternatively, you can scan the following QR code to open the website:
CISM Syllabus (2022)
The CISM exam content was updated on June 1, 2022. There are minor changes in domain nomenclature and substantial changes in the weightage of each domain tested in the new exam. The following table presents the domains and their corresponding weightage:
Earlier Domains (Applicable up to May 31, 2022) | Updated Domains (Applicable from June 1, 2022)
Information Security Governance (24%) | Information Security Governance (17%)
Information Risk Management (30%) | Information Security Risk Management (20%)
Information Security Program Development and Management (27%) | Information Security Program (33%)
Information Security Incident Management (19%) | Incident Management (30%)
Candidates who have based their studies so far on the previous weightings should take careful note of the changes and adjust their preparations accordingly.
The CISM exam contains 150 questions and covers the four information security management domains listed in the preceding table (Figure 0.7).
The following are the key topics that candidates will be tested on starting from June 1, 2022:
Number | Key Domains and Topics
1 | Information Security Governance
A | Enterprise Governance
1A1 | Organizational Culture
1A2 | Legal, Regulatory, and Contractual Requirements
1A3 | Organizational Structures, Roles, and Responsibilities
B | Information Security Strategy
1B1 | Information Security Strategy Development
1B2 | Information Governance Frameworks and Standards
1B3 | Strategic Planning (e.g., budgets, resources, and business case)
2 | Information Security Risk Management
A | Information Security Risk Assessment
2A1 | Emerging Risk and Threat Landscape
2A2 | Vulnerability and Control Deficiency Analysis
2A3 | Risk Assessment and Analysis
B | Information Security Risk Response
2B1 | Risk Treatment/Risk Response Options
2B2 | Risk and Control Ownership
2B3 | Risk Monitoring and Reporting
3 | Information Security Program
A | Information Security Program Development
3A1 | Information Security Program Resources (e.g., people, tools, and technologies)
3A2 | Information Asset Identification and Classification
3A3 | Industry Standards and Frameworks for Information Security
3A4 | Information Security Policies, Procedures, and Guidelines
3A5 | Information Security Program Metrics
B | Information Security Program Management
3B1 | Information Security Control Design and Selection
3B2 | Information Security Control Implementation and Integrations
3B3 | Information Security Control Testing and Evaluation
3B4 | Information Security Awareness and Training
3B5 | Management of External Services (e.g., providers, suppliers, third parties, and fourth parties)
3B6 | Information Security Program Communications and Reporting
4 | Incident Management
A | Incident Management Readiness
4A1 | Incident Response Plan
4A2 | Business Impact Analysis (BIA)
4A3 | Business Continuity Plan (BCP)
4A4 | Disaster Recovery Plan (DRP)
4A5 | Incident Classification/Categorization
4A6 | Incident Management Training, Testing, and Evaluation
B | Incident Management Operations
4B1 | Incident Management Tools and Techniques
4B2 | Incident Investigation and Evaluation
4B3 | Incident Containment Methods
4B4 | Incident Response Communications (e.g., reporting, notification, and escalation)
4B5 | Incident Eradication and Recovery
4B6 | Post-Incident Review Practices