Information Systems Security Management Professional (CISSP-ISSMP)
The Information Systems Security Management Professional (ISSMP) is a CISSP who specializes in establishing, presenting, and governing information security programs, and demonstrates management and leadership skills. ISSMPs direct the alignment of security programs with the organization’s mission, goals, and strategies in order to meet enterprise financial and operational requirements in support of its desired risk position.
The broad spectrum of topics included in the ISSMP Common Body of Knowledge (CBK) ensures its relevancy across all disciplines in the field of information security management. Successful candidates are competent in the following six domains:
Leadership and Business Management - 22%
Systems Lifecycle Management - 19%
Risk Management - 18%
Threat Intelligence and Incident Management - 17%
Contingency Management - 10%
Law, Ethics, and Security Compliance Management - 14%
1: Leadership and Business Management
a. Establish Security’s Role in Organizational Culture, Vision, and Mission
Define information security program vision and mission
Align security with organizational goals, objectives, and values
Explain business processes and their relationships
Describe the relationship between organizational culture and security
b. Align Security Program with Organizational Governance
Identify and navigate organizational governance structure
Recognize roles of key stakeholders
Recognize sources and boundaries of authorization
Negotiate organizational support for security initiatives
c. Define and Implement Information Security Strategies
Identify security requirements from business initiatives
Evaluate capacity and capability to implement security strategies
Manage implementation of security strategies
Review and maintain security strategies
Describe security engineering theories, concepts, and methods
d. Define and Maintain Security Policy Framework
Determine applicable external standards
Manage data classification
Establish internal policies
Obtain organizational support for policies
Develop procedures, standards, guidelines, and baselines
Ensure periodic review of security policy framework
e. Manage Security Requirements in Contracts and Agreements
Evaluate service management agreements (e.g., risk, financial)
Govern managed services (e.g., infrastructure, cloud services)
Manage impact of organizational change (e.g., mergers and acquisitions, outsourcing)
Monitor and enforce compliance with contractual agreements
f. Oversee Security Awareness and Training Programs
Promote security programs to key stakeholders
Identify training needs by target segment
Monitor and report on effectiveness of security awareness and training programs
g. Define, Measure, and Report Security Metrics
Identify Key Performance Indicators (KPI)
Relate KPIs to the risk position of the organization
Use metrics to drive security program development and operations
h. Prepare, Obtain, and Administer Security Budget
Manage and report financial responsibilities
Prepare and secure annual budget
Adjust budget based on evolving risks
i. Manage Security Programs
Build cross-functional relationships
Identify communication bottlenecks and barriers
Define roles and responsibilities
Resolve conflicts between security and other stakeholders
Determine and manage team accountability
j. Apply Product Development and Project Management Principles
Describe project lifecycle
Identify and apply appropriate project management methodology
Analyze time, scope, and cost relationship
2: Systems Lifecycle Management
a. Manage Integration of Security into System Development Lifecycle (SDLC)
Integrate information security gates (decision points) and milestones into lifecycle
Implement security controls into system lifecycle
Oversee configuration management processes
b. Integrate New Business Initiatives and Emerging Technologies into the Security Architecture
Participate in development of business case for new initiatives to integrate security
Address impact of new business initiatives on security
c. Define and Oversee Comprehensive Vulnerability Management Programs (e.g., vulnerability scanning, penetration testing, threat analysis)
Classify assets, systems, and services based on criticality to business
Prioritize threats and vulnerabilities
Oversee security testing
Mitigate or remediate vulnerabilities based on risk
d. Manage Security Aspects of Change Control
Integrate security requirements with change control process
Identify stakeholders
Oversee documentation and tracking
Ensure policy compliance
3: Risk Management
a. Develop and Manage a Risk Management Program
Communicate risk management objectives with risk owners and other stakeholders
Understand principles for defining risk tolerance
Determine scope of organizational risk program
Obtain and verify organizational asset inventory
Analyze organizational risk management requirements
Determine the impact and likelihood of threats and vulnerabilities
Determine countermeasures, compensating and mitigating controls
Recommend risk treatment options and when to apply them
b. Conduct Risk Assessments (RA)
Identify risk factors
Manage supplier, vendor, and third-party risk
Understand supply chain security management
Conduct Business Impact Analysis (BIA)
Manage risk exceptions
Monitor and report on risk
Perform cost–benefit analysis
4: Threat Intelligence and Incident Management
a. Establish and Maintain Threat Intelligence Program
Synthesize relevant data from multiple threat intelligence sources
Conduct baseline analysis
Review anomalous behavior patterns for potential concerns
Conduct threat modeling
Identify ongoing attacks
Correlate related attacks
Create actionable alerting to appropriate resources
b. Establish and Maintain Incident Handling and Investigation Program
Develop program documentation
Establish incident response case management process
Establish Incident Response Team (IRT)
Understand and apply incident management methodologies
Establish and maintain incident handling process
Establish and maintain investigation process
Quantify and report financial and operational impact of incidents and investigations to stakeholders
Conduct Root Cause Analysis (RCA)
5: Contingency Management
a. Oversee Development of Contingency Plans (CP)
Analyze challenges related to the Business Continuity (BC) process (e.g., time, resources, verification)
Analyze challenges related to the Disaster Recovery (DR) process (e.g., time, resources, verification)
Analyze challenges related to the Continuity of Operations Plan (COOP)
Coordinate with key stakeholders
Define internal and external incident communications plans
Define incident roles and responsibilities
Determine organizational drivers and policies
Reference Business Impact Analysis (BIA)
Manage third-party dependencies
Prepare security management succession plan
b. Guide Development of Recovery Strategies
Identify and analyze alternatives
Recommend and coordinate recovery strategies
Assign recovery roles and responsibilities
c. Maintain Business Continuity Plan (BCP), Continuity of Operations Plan (COOP), and Disaster Recovery Plan (DRP)
Plan testing, evaluation, and modification
Determine survivability and resiliency capabilities
Manage plan update process
d. Manage Recovery Process
Declare disaster
Implement plan
Restore normal operations
Gather lessons learned
Update plan based on lessons learned
6: Law, Ethics, and Security Compliance Management
a. Understand the Impact of Laws that Relate to Information Security
Understand global privacy laws
Understand legal jurisdictions the organization operates within (e.g., trans-border data flow)
Understand export laws
Understand intellectual property laws
Understand industry regulations affecting the organization
Advise on potential liabilities
b. Understand Management Issues as Related to the (ISC)2 Code of Ethics
c. Validate Compliance in Accordance with Applicable Laws, Regulations, and Industry Best Practices
Obtain leadership buy-in
Select compliance framework(s)
Implement validation procedures outlined in framework(s)
Define and utilize security compliance metrics to report control effectiveness and potential areas of improvement
d. Coordinate with Auditors, and Assist with the Internal and External Audit Process
Prepare
Schedule
Perform audit
Evaluate findings
Formulate response
Validate implemented mitigation and remediation actions
e. Document and Manage Compliance Exceptions
Additional Examination Information
Supplementary References
Candidates are encouraged to supplement their education and experience by reviewing relevant resources that pertain to the CBK and identifying areas of study that may need additional attention.