| Leadership and Operational Management |
21% |
1.1 Establish security’s role in organizational culture, vision, and mission
- Defining information security program vision and mission
- Aligning security with organizational goals, objectives, and values
- Defining security’s relationship with the overall organization processes
- Defining the relationship between organizational culture and security
1.2 Align security program with organizational governance
- Identifying and navigating organizational governance structure
- Verifying and validating roles of key stakeholders
- Validating sources and boundaries of authorization
- Advocating and obtaining organizational support for security initiatives
1.3 Define and implement information security strategies
- Identifying security requirements from organizational initiatives
- Evaluating capacity and capability to implement security strategies
- Prescribing security architecture design
- Managing implementation of security strategies
- Reviewing and maintaining security strategies
1.4 Define and maintain security policy framework
- Determining applicable external standards, laws, and regulations
- Determining data classification and protection requirements
- Establishing internal policies
- Advocating and obtaining organizational support for policies
- Developing procedures, standards, guidelines, and baselines
- Ensuring periodic review of security policy framework
1.5 Manage security requirements in contracts and agreements
- Evaluating service management agreements (e.g., risk, financial)
- Governing managed services (e.g., infrastructure, cloud services)
- Managing security impact of organizational change (e.g., mergers and acquisitions, outsourcing, capability development)
- Ensuring that applicable regulatory compliance statements and requirements are included in contractual and service management agreements
- Monitoring and enforcing compliance with contractual and service management agreements
1.6 Manage security awareness and training programs
- Promoting security programs to key stakeholders
- Identifying needs and implementing training programs by target segment
- Monitoring, evaluating, and reporting on effectiveness of security awareness and training programs
1.7 Define, measure, and report security metrics
- Identifying Key Performance Indicators (KPI) and Key Risk Indicators (KRI)
- Associating metrics to the risk posture of the organization
- Using metrics to drive improvements to the security program and operations
1.8 Prepare, obtain, and manage security budget
- Preparing and securing annual budget
- Adjusting or requesting budget based on evolving risks and threat landscape
- Managing and reporting financial responsibilities
1.9 Manage security programs
- Defining roles and responsibilities
- Determining and managing team accountability
- Building cross-functional relationships
- Resolving conflicts between security and other stakeholders
- Identifying communication bottlenecks and barriers
- Integrating security controls into organization processes
1.10 Apply product development and project management principles
- Incorporating security throughout the lifecycle
- Identifying and applying applicable methodology (e.g., agile, waterfall, lean, rapid application development)
- Analyzing project scope, timelines, quality, and budget
|
| Systems Lifecycle Management |
15% |
2.1 Manage integration of security throughout system life cycle
- Integration of information security decision points and requirements throughout the system life cycle
- Implementation of security controls throughout the system life cycle
- Overseeing security configuration management (CM) processes
2.2 Integrate organization initiatives and emerging technologies throughout the security architecture
- Implementing security principles
- Addressing impact of organization initiatives on security posture
2.3 Define and manage comprehensive vulnerability management programs (e.g., vulnerabilities, scanning, penetration testing, threat analysis)
- Identification, classification, and prioritization of assets, systems, and services based on criticality and impact to the organization
- Prioritization of threats and vulnerabilities based on risk
- Management of security testing
- Management of mitigation and/or remediation of vulnerabilities
- Monitoring and reporting of vulnerabilities
2.4 Manage security aspects of change control
- Integration of security requirements with change control process
- Conducting a security impact analysis
- Identification and coordination with the stakeholders
- Management of documentation and tracking
- Ensuring policy compliance (e.g., continuous monitoring)
|
| Risk Management |
20% |
3.1 Develop and manage a risk management program
- Identifying risk management program objectives
- Defining risk management objectives with risk owners and other stakeholders
- Determining scope of organizational risk program
- Identifying organizational risk tolerance/appetite
- Obtaining and verifying organizational asset inventory
- Analyzing organizational risks
- Determine countermeasures, compensating and mitigating controls
- Identifying risk treatment options
- Conducting Cost-benefit analysis (CBA) of risk treatment options
- Recommending risk treatment options to stakeholders
- Documenting and managing agreed risks and issues treatments
- Testing, monitoring, and reporting on risks and issues
3.2 Manage security risks within the supply chain (e.g., supplier, vendor, third-party risk, contracts)
- Identifying supply chain security risk objectives
- Integrating supply chain security risks into organizational risk management
- Verifying and validating security risk control within the supply chain
- Monitoring and reviewing the supply chain security risks
3.3 Conduct risk assessments
- Identifying risk factors
- Determining the risk assessment approach (e.g., qualitative, quantitative)
- Performing the risk analysis
3.4 Manage risk controls
- Identifying controls
- Determining control effectiveness
- Evaluating control coverage
- Monitoring/reporting risk control effectiveness and coverage
|
| Security Operations |
18% |
4.1 Establish and maintain security operations center
- Development of security operations center (SOC) documentation
4.2 Establish and maintain threat intelligence program
- Aggregating threat data from multiple threat intelligence sources
- Conducting baseline analysis of network traffic, data, and user behavior
- Detecting and analyzing anomalous behavior patterns for potential concerns
- Conducting threat modeling
- Identifying and categorizing attacks
- Correlating related security events and threat data
- Defining actionable alerts
4.3 Establish and maintain incident management program
- Development of program documentation
- Establishing incident response (IR) case management processes
- Establishing incident response (IR) team
- Applying incident management methodologies
- Establishing and maintaining incident handling processes
- Establishing and maintaining investigation processes
- Quantifying and reporting incident impacts and investigations to stakeholders
- Conducting root cause analysis
|
| Contingency Management |
12% |
5.1 Facilitate development of contingency plans
- Identifying and analyzing factors related to resiliency planning (e.g., Continuity of Operations Plan (COOP), external factors, laws, regulations, business impact analysis (BIA))
- Identifying and analyzing factors related to the business continuity plan (BCP) (e.g., time, resources, verification, business impact analysis (BIA))
- Identifying and analyzing factors related to the disaster recovery plan (DRP) (e.g., time, resources, verification)
- Coordinating contingency management plans with key stakeholders
- Defining internal and external crisis communications plan
- Defining and communicating contingency roles and responsibilities
- Identifying and analyzing contingency impact on organization processes and priorities
- Managing third-party contingency dependencies (e.g., cloud providers, utilities)
- Preparing security management succession plan
5.2 Develop recovery strategies
- Identifying and analyzing alternatives
- Recommending and coordinating recovery strategies
- Assigning recovery roles and responsibilities
5.3 Maintain contingency plan, resiliency plan (e.g., Continuity of Operations Plan (COOP)), business continuity plan (BCP) and disaster recovery plan (DRP)
- Planning testing, evaluation, and modification
- Determining survivability and resiliency capabilities
- Managing plan update process
5.4 Manage disaster response and recovery process
- Declaring and communicating disaster
- Implementing plan
- Restoring normal operations
- Gathering lessons learned
- Updating plan based on lessons learned
|
| Law, Ethics, and Security Compliance Management |
14% |
6.1 Identify the impact of laws and regulations that relate to information security
- Identifying legal jurisdictions that the organization and users operate within (e.g., trans-border data flow)
- Identifying applicable security and privacy laws/regulations/standards
- Identifying intellectual property laws
- Identifying and advising on risks of non-compliance and non-conformity
6.2 Understand, adhere to, and promote professional ethics
- ISC2 Code of Ethics
- Organizational code of ethics
6.3 Validate compliance in accordance with applicable laws, regulations, and industry standards
- Informing and advising senior management
- Evaluating and selecting compliance framework(s)
- Implementing the compliance framework(s)
- Defining and monitoring compliance metrics
6.4 Coordinate with auditors and regulators in support of internal and external audit processes
- Planning
- Scheduling
- Coordinating audit activities
- Evaluating and validating findings
- Formulating response
- Monitoring and validating implemented mitigation and remediation actions
6.5 Document and manage compliance exceptions
- Identifying and documenting controls and workarounds
- Reporting and obtaining authorized approval of risk waiver
|
| Official Information |
|
https://www.isc2.org/certifications/issmp |
