Certified Information Security Manager Training (CISM)

Commitment 4 Days, 7-8 hours a day.
Language English
User Ratings Average User Rating 4.8
Delivery Options Instructor-Led Onsite, Online, and Classroom Live


Prepare for the CISM exam with our best-of-breed Certified Information Security Manager (CISM) Training prep course.

The CISM certification program was developed by ISACA for experienced information security management professionals who have experience developing and managing information security programs and who understand the program’s relationship to the overall business goals. The CISM exam consists of 200 multiple-choice questions that cover the four CISM domains. The American National Standards Institute (ANSI) has accredited the CISM certification program under ISO/IEC 17024:2003, General Requirements for Bodies Operating Certification Systems of Persons.

Around the world, the demand for skilled information security management professionals is on the rise, and the CISM certification is the globally accepted standard of achievement in this area. The uniquely management-focused CISM certification ensures holders understand business and know how to manage and adapt technology to their enterprise and industry. Since its inception in 2002, more than 30,000 professionals worldwide have earned the CISM to affirm their high level of technical competence and qualification for top-caliber leadership and management roles.

  • CISM demonstrates a deep understanding of the relationship between information security programs and broader business goals and objectives.
  • Earning a CISM is considered a great way to pave the path from security technologist to the security manager.
  • CISM holders are consistently recognized among the most-qualified professionals in the information security and risk management fields.
  • CISM-certified employees provide enterprises with an information security management certification recognized by organizations and clients around the globe.
  • The credibility CISM offers is strengthened by its real-world experience requirement.

This Certified Information Security Manager (CISM) Training course supports a certification that is a DoD Approved 8570 Baseline Certification and meets DoD 8140/8570 training requirements.

  • 4 Days of CISM Training from an Authorized ISACA Instructor
  • ISACA approved CISM Training Student Guide
  • ISACA approved CISM Training Labs
  • ISACA approved CISM Practice Exams
  • 100% Satisfaction Guarantee
  • Exam Pass Guarantee



The CISM certification promotes international practices and validates your knowledge and experience around effective security management and consulting. The four CISM domains include:

  1. Security governance: To effectively address the challenges of protecting an organization’s assets, senior management must define the desired outcomes of the information security program.
  2. Risk management: Asset classification and valuation is an essential part of an effective risk management program — the greater the value, the greater the impact, and the greater the risk.
  3. Information security program development and management: The purpose of this area is to implement management’s governance strategy — the “due diligence” and “due care” of protecting the corporation’s assets.
  4. Information security incident management: This area focuses on effectively managing unexpected (and expected) events, which may or may not be disruptive, and can be summed up in five words: identify, protect, detect, respond, and recover.

  • We can adapt this Certified Information Security Manager (CISM) Training course to your group’s background and work requirements at little to no added cost.
  • If you are familiar with some aspects of this Certified Information Security Manager (CISM) Training course, we can omit or shorten their discussion.
  • We can adjust the emphasis placed on the various topics or build the Certified Information Security Manager (CISM) around the mix of technologies of interest to you (including technologies other than those included in this outline).
  • If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Certified Information Security Manager (CISM) Training course in a manner understandable to lay audiences.

This Certified Information Security Manager Training (CISM) program is intended for experienced information security managers and those with information security management responsibilities. Sample job titles might include:

  • Information Security Managers
  • Aspiring Information Security Managers
  • IS/IT Consultants
  • Chief Information Officers
  • Anyone interested in learning information security management skills and getting certified

The knowledge and skills that a learner must have before attending this Certified Information Security Manager (CISM) Training course are:

  • To become a CISM, you must submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas. The work experience must be gained within the ten-year period preceding the application date for certification or within five years from the date of originally passing the exam.


Day 1: Information security governance
  • Information security concepts
  • Relationship between information security and business operations
  • Techniques used to secure senior management commitment and support of information security management
  • Methods of integrating information security governance into the overall enterprise governance framework
  • Practices associated with an overall policy directive that captures senior management-level direction and expectations for information security, laying the foundation for information security management within an organization
  • An information security steering group function
  • Information security management roles, responsibilities, and organizational structure
  • Areas of governance (e.g., risk management, data classification management, network security, system access)
  • Centralized and decentralized approaches to coordinating information security
  • Legal and regulatory issues associated with internet businesses, global transmissions, and transborder data flows (e.g., privacy, tax laws, and tariffs, data import/export restrictions, restrictions on cryptography, warranties, patents, copyrights, trade secrets, and national security)
  • Common insurance policies and imposed conditions (e.g., crime or fidelity insurance, business interruption)
  • Requirements for the content and retention of business records and compliance
  • Process for linking policies to enterprise business objectives
  • Function and content of essential elements of an information security program (e.g., policy statements, procedures, and guidelines)
  • Techniques for developing an information security process improvement model for sustainable and repeatable information security policies and procedures
  • Information security process improvement and its relationship to traditional process management, security architecture development and modeling, and security infrastructure
  • Generally accepted international standards for information security management and related process improvement models
  • The key components of cost-benefit analysis and enterprise transformation/migration plans (e.g., architectural alignment, organizational positioning, change management, benchmarking, market/competitive analysis)
  • Methodology for business case development and computing enterprise value proposition
Day 2: Risk management
  • Information resources used in support of business processes
  • Information resource valuation methodologies
  • Information classification
  • The principles of development of baselines and their relationship to risk-based assessments of control requirements
  • Life-cycle-based risk management principles and practices
  • Threats, vulnerabilities, and exposures associated with confidentiality, integrity, and availability of information resources
  • Quantitative and qualitative methods used to determine the sensitivity and criticality of information resources and the impact of adverse events
  • Use of gap analysis to assess generally accepted standards of good practice for information security management against the current state
  • Recovery time objectives (RTO) for information resources and how to determine RTO
  • RTO and how it relates to business continuity and contingency planning objectives and processes
  • Risk mitigation strategies used in defining security requirements for information resources supporting business applications
  • Cost-benefit analysis techniques in assessing options for mitigating risks, threats, and exposures to acceptable levels
  • Managing and reporting the status of identified risks
Day 3: Information security program development and management
  • Methods to develop an implementation plan that meets security requirements identified in risk analyses
  • Project management methods and techniques
  • The components of an information security governance framework for integrating security principles, practices, management, and awareness into all aspects and all levels of the enterprise
  • Security baselines and configuration management in the design and management of business applications and the infrastructure
  • Information security architectures (e.g., single sign-on, rules-based as opposed to list-based system access control for systems, limited points of systems administration)
  • Information security technologies (e.g., cryptographic techniques and digital signatures, enabling management to select appropriate controls)
  • Security procedures and guidelines for business processes and infrastructure activities
  • Systems development life cycle methodologies (e.g., traditional SDLC, prototyping)
  • Planning, conducting, reporting, and follow-up on security testing
  • Assessing and authorizing the compliance of business applications and infrastructure to the enterprise’s information security governance framework
  • Types, benefits, and costs of physical, administrative, and technical controls
  • Planning, designing, developing, testing, and implementing information security requirements into an enterprise’s business processes
  • Security metrics design, development, and implementation
  • Acquisition management methods and techniques (e.g., evaluation of vendor service level agreements, preparation of contracts)
Day 4: Information security program development and management (continued)
  • How to interpret information security policies into operational use
  • Information security administration process and procedures
  • Methods for managing the implementation of the enterprise’s information security program through third parties, including trading partners and security services providers
  • Continuous monitoring of security activities in the enterprise’s infrastructure and business applications
  • Methods used to manage success/failure in information security investments through data collection and periodic review of key performance indicators
  • Change and configuration management activities
  • Information security management due diligence activities and reviews of the infrastructure
  • Liaison activities with internal/external assurance providers performing information security reviews
  • Due diligence activities, reviews, and related standards for managing and controlling access to information resources
  • External vulnerability reporting sources, which provide information that may require changes to the information security in applications and infrastructure
  • Events affecting security baselines that may require risk reassessments and changes to information security requirements in security plans, test plans, and reperformance
  • Information security problem management practices
  • Information security managers’ facilitative roles as change agents, educators, and consultants
  • Ways in which cultural and socially acceptable differences affect the behavior of staff
  • Activities that can change the cultural and socially acceptable behavior of staff
  • Methods and techniques for security awareness training and education
Day 5: Information security incident management
  • Components of an incident response capability
  • Information security emergency management practices (e.g., production change control activities, development of computer emergency response team)
  • Disaster recovery planning and business recovery processes
  • Disaster recovery testing for infrastructure and critical business applications
  • Escalation processes for effective security management
  • Intrusion detection policies and processes
  • Help desk processes for identifying security incidents reported by users and distinguishing them from other issues dealt with by the help desks
  • Notification process in managing security incidents and recovery (e.g., automated notice and recovery mechanisms in response to virus alerts in a real-time fashion)
  • Requirements for collecting and presenting evidence: rules for evidence, admissibility of evidence, quality, and completeness of evidence
  • Post-incident reviews and follow-up procedures
Course Recap, Q/A, and Evaluations