To keep up with emerging technologies and strengthen focus on IT risk and compliance issues, ISACA has recently updated its Certified Information Security Manager exam.
Changes include additional focus on regulatory and compliance requirements within IT risk, improved management of security incidents and the introduction of technologies such as cloud and mobile computing as part of a combined domain of security program development and management.
"The changes reflect what managers have globally vetted in our survey, and emphasis is on emerging technologies and increased focus on risk and compliance issues," says Allan Boardman, chair of ISACA's Credentialing Board and a risk officer at an investment bank in the U.K. "We have focused on areas where IT security managers are spending substantial time."
The CISM updates result from input gathered from 1,431 ISACA members globally and through ISACA's task force that conducts independent review and analysis.
The CISM certification program is developed specifically for experienced information security managers and leaders. This credential helps them to manage their security practices by supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives. Further, CISM enables managers to control IT risk to an acceptable level to meet the business and compliance requirements of the organization and engage in adequate planning to detect, investigate, respond and recover from information security incidents to minimize business impact.
Since the credential's inception in 2002, this is the second time changes have been made to CISM's core job practice areas. Professionals taking the CISM exam in 2012 can expect an increase in the percentage of test questions within the IT risk and compliance domain from 22 percent to 33 percent, and the inclusion of questions on emerging technologies within the security program development and management area.
3 Main Changes
Major updates to the CISM job practice include combining two of the domains, information security program development and management, resulting in four domains. In addition, CISM has added focus on how leaders manage their cloud computing and mobile initiatives. "In taking the exam, professionals will now be validated on their knowledge of these technologies," Boardman says.
The new CISM job practice domains are:
- Domain 1 - Information Security Governance;
- Domain 2 - Information Risk Management and Compliance;
- Domain 3 - Information Security Program Development and Management;
- Domain 4 - Information Security Incident Management.
The CISM credential has further added compliance as part of the risk management domain, where it was "somehow buried" in the earlier version, Boardman says. As organizations face increased regulatory scrutiny, it has become essential for managers to pay close attention to meeting compliance needs and to further reduce risk and regulatory pressure by streamlining processes within their organizations. "Within this domain, we are placing more emphasis on the need for matured IT-risk programs, data classification and policies with compliance as a major element," Boardman says.
Lastly, the incident-management domain is further strengthened to help managers respond effectively to security incidents and minimize the risk and severity of the incidents they face. "This is a strong piece of work carried out by security managers, so we want to ensure they have the skills ready for practical application," Boardman says.
The new CISM job practice is effective beginning with the June 2012 CISM exam.
"These updates will add value to security practitioners who are looking to further evolve in their roles," Boardman says.