INTRODUCTION

The dizzying pace of information systems innovation has made vast expanses of information available to organizations and the public. Often, design flaws and technical vulnerabilities bring unintended consequences, usually in the form of information theft and disclosure. The result: a patchwork of laws, regulations, and standards such as Sarbanes–Oxley, GDPR, Gramm-Leach-Bliley, HIPAA, PCI-DSS, PIPEDA, NERC CIP, and scores of U.S. state laws requiring public disclosure of security breaches involving private information. Through these, organizations are either required or incentivized to build or improve their information security programs to avoid security breaches, penalties, sanctions, and embarrassing news headlines.

These developments continue to drive demand for information security professionals and information security leaders. These highly sought professionals play a crucial role in the development of better information security programs that result in reduced risk and improved confidence.

The Certified Information Security Manager (CISM) certification, established in 2002, is the leading certification for information security management. Demand for the CISM certification has grown so much that the once-per-year certification exam was changed to twice per year in 2005 and is now offered multiple times each year. In 2005, the CISM certification was awarded accreditation by the American National Standards Institute (ANSI) under international standard ISO/IEC 17024. CISM is also one of the few certifications formally approved by the U.S. Department of Defense in its Information Assurance Technical category (DoD 8570.01-M). In 2017, CISM was a finalist in SC Magazine’s Best Professional Certification Program. There are now more than 34,000 professionals with the certification.

Purpose of This Book

Let’s get the obvious out of the way: this is a comprehensive study guide for the security management professional who needs a serious reference for individual or group-led study for the Certified Information Security Manager (CISM) certification. The content in this book contains the technical information that CISM candidates are required to know. This book is one source of information to help you prepare for the CISM exam but should not be thought of as the ultimate collection of all the information and experience that ISACA expects qualified CISM candidates to possess. No one publication covers all of this information.

This book is also a reference for aspiring and practicing IT security managers and CISOs. The content that is required to pass the CISM exam is the same content that practicing security managers need to be familiar with in their day-to-day work. This book is an ideal CISM exam study guide as well as a desk reference for those who have already earned their CISM certification.

This book is also invaluable for information security professionals who are not in a leadership position today. You will gain considerable insight into today’s information security management challenges. This book is also useful for IT and business management professionals who work with information security leaders and need to better understand what they are doing and why.

This book is an excellent guide for anyone exploring a security management career. The study chapters explain all the relevant technologies, techniques, and processes used to manage a modern information security program. This is useful if you are wondering what the security management profession is all about.

How This Book Is Organized

This book is logically divided into four major sections:

Introduction: The “front matter” of the book and Chapter 1 provide an overview of the CISM certification and the information security management profession.

CISM study material: Chapters 2 through 5 contain everything a studying CISM candidate is responsible for. This same material is a handy desk reference for aspiring and practicing information security managers.

Glossary: More than 550 terms used in the information security management profession are defined.

Practice exams: The appendix explains the online CISM practice exam and Total Tester software accompanying this book.
