Course Code: 5479

CISSM - Certified Information Systems Security Manager Certification

Class Dates:
4 Days
Class Time:


  • Course Overview
  • The Certified Information Systems Security Manager certification course is designed to teach towards and certify an information systems professional's high standard of excellence in the following areas:
    1. Information Security Governance
    2. Information Risk Management and Compliance
    3. Information Security Program Development and Management
    4. Information Security Incident Management
    While we provide thorough training in these 4 critical areas of information systems security management, most who take the C)ISSM have professional experience in all four of these areas.

    A gap of experience in some of these fields can be bridged by achieving our C)ISSO: Certified Information Systems Security Officer Certification.

    32 CPE Credits

  • Audience
  • Who Should Attend:

    The C)ISSM was created to train & certify managers of information systems who have experience with Information Security Risk, Security, Compliance, & Incident Management of systems. If you are lacking experience in one or two of these areas we recommend taking our C)ISSO: Certified Information Systems Security Officer Certification. This is a specialized course, and as such we expect our students to be familiar with these subjects before coming to the course.

    Professional Roles:
    IT Auditor
    IT Consultant
    Security Consultant
    Chief Information Officer


  • Prerequisites:
    C)ISSO Information Systems Security Officer

    Or equivalent experience

  • Recommended Courses:

Course Details

  • Upon Completion
  • Have an in-depth knowledge of Information Security Risk, Security, Compliance, & Incident Management
  • Have knowledge to manage today’s most difficult information systems security challenges
  • Be ready to sit for the C)ISSM exam.
  • 1. Introduction
  • Welcome
  • Agenda
  • CISM
  • CISM Exam Review Course Overview
  • The Learning Environment
  • Daily Format
  • Domain Structure
  • Course Structure
  • Logistics
  • Information Security Governance
  • Course Agenda
  • Examination Content
  • Chapter 1 Learning Objectives
  • The First Question
  • Information Security Governance Overview
  • Selling the Importance of Information Security
  • The First Priority for the CISM
  • Business Goals and Objectives
  • Outcomes of Information Security Governance
  • Benefits of Information Security Governance
  • Information Security Strategy
  • Developing Information Security Strategy
  • Elements of a Strategy
  • Objectives of Security Strategy
  • The Goal of Information Security
  • Defining Security Objectives
  • Business Linkages
  • Business Case Development
  • The Information Security Program
  • Security Program Priorities
  • Security versus Business
  • Security Program Objectives, Security Integration
  • Architecture, Information Security Frameworks
  • Using an Information Security Framework
  • Information Security Frameworks and using
  • The Desired State of Security, The Maturity of the Security Program Using CMM
  • Using the Balanced Scorecard, The ISO27001:2013 Framework
  • Examples of Other Security Frameworks, Constraints and Considerations for a Security Program, Elements of Risk and Security
  • Risk Management and IS Concepts
  • Security Program Elements, Third Party Agreements
  • Roles and Responsibilities of Senior Management
  • Senior Management Commitment, Steering Committee,
  • CISO (Chief Information Security Officer), Responsibilities
  • Business Manager Responsibilities, IT Staff Responsibilities
  • Centralized versus Decentralized Security
  • Evaluating the Security Program, Audit and Assurance of Security
  • Effective Security Metrics, Key Performance Indicators (KPIs)
  • End to End Security, Correlation Tools
  • Reporting and Compliance, Regulations and Standards
  • Effect of Regulations, Reporting and Analysis
  • Ethics, Standards, Responsibility
  • Practice Question
  • 3. Information Risk Management and Compliance
  • Exam Relevance, Information Asset Classification
  • Roles and Responsibilities, Information Classification Considerations
  • Regulations and Legislation, Asset Valuation, Valuation Process
  • Information Protection and Asset Protection
  • Definition of Risk, Why is Risk Important
  • Risk Management Definition, Objective and Overview
  • Defining the Risk Environment, Threats to Information and Information Systems and Threat Analysis
  • Aggregate Risk, Cascading Risk, Identification of Vulnerabilities, The Effect of Risk, Impact
  • Risk Management Process, Risk Assessment Methodology
  • Annualized Loss Expectancy (ALE), Qualitative Risk Assessment, Data Gathering Techniques
  • Results of Risk Assessment, Alignment of Risk Assessment and BIA, Risk Treatment, Risk Mitigation and Controls
  • Control Recommendations, Cost Benefit Analysis of Controls
  • Risk Mitigation Schematic, Control Types and Categories
  • Security Control Baselines, On-going Risk Assessment
  • Measuring Control Effectiveness, Building Risk Management In (Agenda)
  • Risk Related to Change Control, Risk Management During SDLC
  • On-going Risk Management Monitoring and Analysis
  • Audit and Risk Management, Risk in Business Process Re-Engineering
  • Risk in Project Management, Risk During Employment Process
  • New Employee Initiation, Risk During Employment
  • Risk at Termination of Employment, Risks During Procurement
  • Reporting to Management, Documentation, Training and Awareness
  • Training for End Users
  • Practice Question, Practice Question 2
  • Information Security Program Development and Management
  • Course Agenda, Exam Relevance, Definition
  • Security Strategy and Program Relationship
  • Information Security Management, Definition
  • Effective Security Management, Reasons for Security Program Failure
  • Program Objectives, Security Program Development
  • Outcomes of Information Security Program, Development
  • Governance of the Security Program
  • Role of the Information Security Manager (Agenda)
  • Strategy, Policy, Creating Effective Policy, Awareness
  • Implementation, Monitoring, Compliance
  • Developing an Information Security Road Map
  • Defining Security Program Objectives
  • Elements of a Security Program Road Map
  • Security Programs and Projects, Development
  • Security Project Planning, Selection of Controls
  • Common Control Practices, Security Program Elements (Agenda)
  • Policies, Acceptable Use Policy, Standards, Procedures, Guidelines, Technology
  • Personnel Security, Training and Skills Matrix
  • Organizational Structure, Outsourced and Third Party Security Providers
  • Facilities and Facilities Security
  • Environmental Security, Information Security Concepts (Agenda), Access Control
  • Identification, Authentication, Authorization, Accounting / Auditability
  • Criticality, Sensitivity, Trust Models, Technology-based Security
  • Technologies, Security in Technical Components, Operations Security, Technologies – Access Control Lists
  • Filtering and Content Management, Technologies - SPAM,
  • Technologies – Databases and DBMS, Encryption
  • Technologies - Cryptography, Encryption cont, Hashing Algorithms
  • Technology – Communications OSI Model, Communications TCP/IP, Operating Systems
  • Technology - Firewalls, Emerging Technologies
  • Intrusion Detection Policies and Processes, Intrusion Detection Systems
  • IDS / IPS, Password Cracking, Vulnerability Assessments
  • Penetration Testing, Third Party Security Reviews
  • Integration into Life Cycle Processes, Security in External Agreements
  • Security Program Implementation, Phased Approach,
  • Challenges During Implementation, Evaluating the Security Program
  • Measuring Information Security Risk and Loss
  • Measuring Effectiveness of Technical Security Program, Measuring Effectiveness of Security Management
  • Security Project Management, Review of Security Compliance
  • Practice Question
  • Information Security Incident Management, Learning Objectives, Definition
  • Goals of Incident Management and Response
  • What is an Incident - Intentional, What is an Incident - Unintentional
  • History of Incidents, Developing Response and Recovery Plans
  • Incident Management and Response
  • Importance of Incident Management and Response
  • Incident Response Functions
  • Incident Response Manager Responsibilities
  • Requirements for Incident Response Managers
  • Senior Management Involvement, The Desired State, Strategic Alignment of Incident Response
  • Detailed Plan of Action for Incident Management
  • Prepare, Protect, Detect, Triage, Response
  • Elements of an Incident Response Plan
  • Crisis Communications, Challenges in Developing an Incident Management Plan, Personnel, Team Member Skills, Security Concepts and Technologies
  • Organizing, Training and Equipping the Response Staff, Value Delivery
  • Performance Measurement, Reviewing the Current State of Incident Response Capability, Audits, Gap Analysis - Basis for an Incident Response Plan
  • When an Incident Occurs, During an Incident
  • Containment Strategies, The Battle Box
  • Evidence Identification and Preservation
  • Post Event Reviews, Disaster Recovery Planning (DRP) and Business Recovery Processes, Development of BCP and DRP
  • Plan Development, Recovery Strategies, Basis for Recovery Strategy Selections
  • Recovery of Communications
  • Notification Requirements
  • Response Teams, Insurance
  • Testing Response and Recovery Plans
  • Types of Tests, Test Results, Plan maintenance Activities
  • BCP and DRP Training
  • Practice Questions