Description

The job practice domains, knowledge and supporting tasks are as follows: (As amended from 1st June 2022)

Domain 1: Information Security Governance (17%)

Domain 2: Information Security Risk Management (20 %)

Domain 3: Information Security Program (33 %)

Domain 4: Incident Management (30 %)

Domain 1— Information security governance

• Identify internal and external influences to the organization that impact the information security strategy.
• Establish and/or maintain an information security strategy in alignment with organizational goals and objectives.
• Establish and/or maintain an information security governance framework.
• Integrate information security governance into corporate governance.
• Establish and maintain information security policies to guide the development of standards, procedures and guidelines.
• Develop business cases to support investments in information security.
• Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy.
• Define, communicate and monitor information security responsibilities throughout the organization and lines of authority.
• Align the information security program with the operational objectives of other business functions.
• Integrate information security requirements into contracts and activities of external parties.
• Monitor external parties’ adherence to established security requirements.
• Establish and/or maintain a process for information asset identification and classification.
• Identify legal, regulatory, organizational and other applicable compliance requirements.
• Establish and maintain processes to investigate and document information security incidents in accordance with legal and regulatory requirements

• Domain 2— Information Risk Management:

• Identify internal and external influences to the organization that impact the information security
  strategy.
• Establish and/or maintain a process for information asset identification and classification.
• Participate in and/or oversee the risk identification, risk assessment and risk treatment process.
• Participate in and/or oversee the vulnerability assessment and threat analysis process.
• Identify, recommend, or implement appropriate risk treatment and response options to manage risk to acceptable levels based on organizational risk appetite.
• Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.
• Facilitate the integration of information risk management into business and IT processes.
• Monitor for internal and external factors that may require reassessment of risk.
• Report on information security risk, including noncompliance and changes in information risk, to
  key stakeholders to facilitate the risk management decision-making process.

Domain 3— Information Security Program Development and Management:

• Identify internal and external influences to the organization that impact the information security strategy.
• Integrate information security governance into corporate governance.
• Establish and maintain information security policies to guide the development of standards, procedures and guidelines.
• Define, communicate and monitor information security responsibilities throughout the organization and lines of authority.
• Compile and present reports to key stakeholders on the activities, trends and overall effectiveness of the information security program.
• Evaluate and report information security metrics to key stakeholders.
• Establish and/or maintain the information security program in alignment with the information security strategy.
• Align the information security program with the operational objectives of other business functions.
• Establish and maintain information security processes and resources to execute the information security program.
• Establish, communicate and maintain organizational information security policies, standards, guidelines, procedures and other documentation.
• Establish, promote and maintain a program for information security awareness and training.
• Integrate information security requirements into organizational processes to maintain the organization’s security strategy.
• Integrate information security requirements into contracts and activities of external parties.
• Monitor external parties’ adherence to established security requirements.
• Define and monitor management and operational metrics for the information security program.
• Identify legal, regulatory, organizational, and other applicable compliance requirements.
• Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.
• Facilitate the integration of information risk management into business and IT processes.
• Monitor for internal and external factors that may require reassessment of risk.
• Report on information security risk, including noncompliance and changes in information risk, to key stakeholders to facilitate the risk management decision-making process.
• Establish and maintain an incident response plan, in alignment with the business continuity plan and disaster recovery plan.
•  Establish and maintain communication plans and processes for internal and external entities.

Domain 4 — Incident Management:

• Identify internal and external influences to the organization that impact the information security strategy. 
• Establish and maintain an incident response plan, in alignment with the business continuity plan and disaster recovery plan. 
• Establish and maintain an information security incident classification and categorization process.
• Develop and implement processes to ensure the timely identification of information security incidents. 
• Establish and maintain processes to investigate and document information security incidents in accordance with legal and regulatory requirements.
• Establish and maintain incident handling process, including containment, notification, escalation, eradication and recovery. 
• Organize, train, equip and assign responsibilities to incident response teams. 
• Establish and maintain communication plans and processes for internal and external entities. 
• Evaluate incident management plans through periodic testing and review, including table-top exercises, checklist review and simulation testing. 
• Conduct post-incident reviews to facilitate continuous improvement, including root-cause analysis, lessons learned, corrective actions and reassessment of risk.

Exam Information

 Certification requirements     

 Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the 10-year period preceding the application date for certification or within 5 years from the date of originally passing the exam.

The following security-related certifications and information systems management experience can be used to satisfy the indicated amount of information security work experience.

Two Years:

• Certified Information Systems Auditor (CISA) in good standing
• Certified Information Systems Security Professional (CISSP) in good standing
• Post-graduate degree in information security or a related field (e.g., business administration, information systems, information assurance)

One Year:

• One full year of information systems management experience
• One full year of general security management experience
• Skill-based security certifications (e.g., SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security +, Disaster Recovery Institute Certified Business
• Continuity Professional (CBCP), ESL IT Security Manager)

Completion of an information security management program at an institution aligned with the Model Curriculum