
Certified Information Security Manager (CISM) Exam: Information Security Program Development & Management [Updated 2021]

Information Security Program Development & Management (ISPDM) entails coordinating, managing, and monitoring information security operations in support of corporate goals, while also bringing together human, physical, and financial resources in the most efficient manner possible.

In our previous post, CISM: Introduction to the four domains, we looked at the domains a CISM candidate meets in the exam and touched on ISPDM briefly.

In this article, we will acquire a better knowledge of the domain and examine what applicants need to know in order to prepare for the test.

In an organisation, security programme development encompasses a wide range of tasks. The majority of these actions have a direct influence on people, processes, or information technology.

Security programmes are frequently focused on connecting a variety of otherwise unrelated activities inside an organisation that are all, in some way, related to safeguarding important information assets.

Another way to look at security programme management is that the security manager (and, if applicable, his or her team) serves as a catalyst, ensuring that activities across the company are carried out in a way that does not introduce unacceptable risk.

What are the objectives of CISM ISPDM domain?

An information security programme is a set of activities used to identify, assess, and respond to threats.

The security programme comprises the controls, processes, and practices that improve the resilience of the computing environment and ensure that threats are identified and managed effectively.

In a smaller business these tasks may fall to a single person; larger companies will have a security leader who heads an internal team, supplemented by external partners as needed.

Applicants will be expected to understand how to identify the resources needed to attain goals that are in line with the organization’s objectives.

They will be expected to demonstrate a thorough grasp of the process of launching a security programme from the beginning. This will necessitate a thorough understanding of the many components and requirements of successful programme design, execution, and management.

Applicants must be familiar with the three main components of a security programme:

  1. It must implement a well-defined information security strategy that supports, and is properly aligned with, the organisation's objectives.
  2. It must be well designed, developed in collaboration with management and stakeholders and backed by their support.
  3. Effective metrics must be defined for the programme design and implementation stages, and for the ongoing programme management phase that follows, to provide the feedback needed to steer programme execution and achieve the desired results.

Information Security Program’s Importance

The key tasks required in every organisation's security programme have evolved into security programme models.

Security managers must nonetheless understand their own organisation's internal workings so that the security programme fits the organisation's operations, practices, and culture.

An information security program’s actions help to put the security manager’s vision for successful security and risk management in the organisation into action.

A security manager’s vision is usually centred on how the security programme connects with and supports the company.

Information security programme management is a continuous process that safeguards data assets, complies with regulatory requirements, and reduces legal and liability risks.

Candidates' ability to develop successful programme management plans is tested in a variety of ways. Good planning yields appropriate levels of data protection at a reasonable cost.

Once candidates have shown that they understand how planning is done, they are assessed on developing, executing, administering, and monitoring a security programme.

Candidates who are knowledgeable in this area can demonstrate that they can turn a strategy into reality.

What are the outcomes of CISM ISPDM domain?

Effective information security programme management should achieve the outcomes specified in the Information Security Governance (ISG) domain.

Goals must be defined in language that is clear, objective, and quantifiable.

Appropriate metrics should also be implemented to determine whether the objectives were met. If they were not, it should be determined by how far the targets were missed, and a conversation held on how to improve performance.

Candidates should concentrate on the six outcomes listed below, which form the foundation for defining the goals of an effective information security programme:

  • Strategic alignment: Strategic alignment covers the organisation's information risk, the selection of suitable control objectives and standards, agreement on acceptable risk and risk tolerance, and the definition of financial, operational, and other constraints.
  • Risk management: Applicants must demonstrate a thorough grasp of the organisation's risks, vulnerabilities, and risk profile. They must be able to assess the potential consequences of threats that materialise, and the methods for reducing risk to an acceptable level.
  • Value delivery: Candidates should understand that how the security programme is implemented has a significant influence on value delivery. They should be able to show that they can manage security investments so as to maximise support for business goals, and to focus effort on achieving a set of security best practices.
  • Resource management: Candidates must be able to show that they can create and manage a security programme with the resources available, which typically means people, money, and technical expertise. They must also ensure that knowledge reaches those who need it, through proper documentation.
  • Assurance process integration: Candidates must be familiar with the assurance functions, which are inevitably important to information security. They must be able to establish formal relationships with the various assurance providers and work to integrate those efforts with information security operations. In a typical business these include physical security, management, the privacy office, audit, quality assurance, and human resources.
  • Performance management: Candidates must be able to identify useful monitoring points as a security programme evolves, so that performance can be measured. There may be opportunities to "roll up" sets of indicators to give a more comprehensive picture for security management.
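The "quantifiable goals", "how far the targets were missed" and "roll up sets of indicators" points above are easier to see in code. The following is an added example, not part of the CISM material or of this post's original text: it rolls per-asset indicators up to business-unit and programme level and reports the shortfall against each target. The asset inventory, the three indicators and the target percentages are constructed assumptions; a real programme would pull these from its asset inventory and define its own targets.

```python
"""Added example (not from the CISM material): roll per-asset security
indicators up to business-unit and programme level, then measure each
metric against a quantifiable target. The asset inventory, indicators and
targets below are constructed assumptions."""
from collections import defaultdict

# Constructed asset inventory (assumption): one record per system.
ASSETS = [
    {"unit": "finance", "host": "fin-01", "patch_age_days": 12, "mfa": True,  "backup_tested": True},
    {"unit": "finance", "host": "fin-02", "patch_age_days": 45, "mfa": True,  "backup_tested": False},
    {"unit": "finance", "host": "fin-03", "patch_age_days": 3,  "mfa": True,  "backup_tested": True},
    {"unit": "sales",   "host": "crm-01", "patch_age_days": 90, "mfa": False, "backup_tested": False},
    {"unit": "sales",   "host": "crm-02", "patch_age_days": 20, "mfa": True,  "backup_tested": True},
    {"unit": "ops",     "host": "ops-01", "patch_age_days": 7,  "mfa": True,  "backup_tested": True},
    {"unit": "ops",     "host": "ops-02", "patch_age_days": 14, "mfa": True,  "backup_tested": False},
]

# Quantifiable targets (assumption): percentage of assets that must pass each indicator.
TARGETS = {"patched_within_30d": 95.0, "mfa_enabled": 100.0, "backup_tested": 90.0}


def indicators(asset):
    """Per-asset pass/fail for each indicator the programme reports on."""
    return {
        "patched_within_30d": asset["patch_age_days"] <= 30,
        "mfa_enabled": asset["mfa"],
        "backup_tested": asset["backup_tested"],
    }


def rollup(assets, key):
    """Percentage of assets passing each indicator, grouped by `key` (e.g. 'unit')."""
    passed = defaultdict(lambda: defaultdict(int))
    counts = defaultdict(int)
    for asset in assets:
        group = asset[key]
        counts[group] += 1
        for name, ok in indicators(asset).items():
            passed[group][name] += int(ok)
    return {
        group: {name: round(100.0 * passed[group][name] / counts[group], 1) for name in TARGETS}
        for group in counts
    }


def programme_level(assets):
    """Roll the same indicators up once more, to a single programme-wide figure."""
    return rollup([dict(asset, programme="all") for asset in assets], "programme")["all"]


def gaps(metrics, targets=TARGETS):
    """Indicators that miss their target, with the shortfall in percentage points."""
    return {
        name: round(targets[name] - metrics[name], 1)
        for name in targets
        if metrics[name] < targets[name]
    }


if __name__ == "__main__":
    for unit, metrics in sorted(rollup(ASSETS, "unit").items()):
        print(f"{unit:9s} {metrics}  gaps={gaps(metrics)}")
    overall = programme_level(ASSETS)
    print(f"{'programme':9s} {overall}  gaps={gaps(overall)}")
```

The point of the two-level roll-up is that the programme-level figure (71.4% patched within 30 days in the constructed data) hides that ops is fully compliant while sales is at 50%, so the same indicators are reported at both levels and the gap is expressed in the same unit as the target.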

CISM: The Information Security Management Frameworks

Control frameworks are not the same as security management frameworks. A control framework is a catalogue of security controls, whereas a security management framework defines the overall operation of an information security programme.

Information security management frameworks are business process models that cover the most important procedures and activities that most businesses require.

Risk identification drives the actions in the other parts of the framework that reduce risk to acceptable levels, so these frameworks are risk-centric.

The three security management frameworks you should study are:

  • ISO/IEC 27001:2013: The ISO/IEC 27001 standard, "Information technology – Security techniques – Information security management systems – Requirements," lays out the requirements for establishing and maintaining an information security management system (ISMS). The ISMS is the collection of processes used to assess risk, establish policy and controls, and manage the routine information security activities, including vulnerability management and incident management. (ISO/IEC 27001:2022 has since replaced the 2013 edition.)
  • COBIT 5: COBIT 5 is a governance and control framework for managing an IT organisation, developed by ISACA. COBIT 5 for Information Security extends COBIT 5 and explains each component from an information security perspective. (ISACA has since released COBIT 2019, which supersedes COBIT 5.)
  • NIST CSF: The Cyber Security Framework (CSF) was published by the United States' National Institute of Standards and Technology (NIST) in 2014, in response to Executive Order 13636 on improving critical infrastructure cybersecurity. The NIST CSF is an outcome-based security management and control framework that helps organisations understand their current maturity level, assess risk, identify gaps, and build prioritised improvement plans.

IT Service Management concept

IT service management (ITSM) is a collection of actions that assures the efficient and effective delivery of IT services through active management and process improvement.

ITSM is made up of a number of distinct processes:

  • Service desk
  • Incident management
  • Problem management
  • Change management
  • Configuration management
  • Release management
  • Service level management
  • Financial management
  • Capacity management
  • Service continuity management

The IT Infrastructure Library (ITIL) process framework is the best-known definition of ITSM; AXELOS owns and maintains the ITIL material. ISO/IEC 20000 is the international standard for ITSM, and an organisation's service management processes can be audited and certified against it (the 2011 edition of ISO/IEC 20000-1 cited in older CISM material has been superseded by ISO/IEC 20000-1:2018).

Why is ITSM Important for Security?

IT service management and information risk may look unrelated at first glance, but they are closely connected.

These are some of the reasons why effective IT service management matters so much for information risk and security:

  • Without proper change management and configuration management, IT systems end up configured inconsistently, which in many cases leaves exploitable vulnerabilities that lead to security incidents.
  • Without appropriate release management, security flaws can reach, and remain in, production systems, resulting in vulnerabilities and incidents.
  • Without proper capacity management, system and application faults arise, resulting in unplanned downtime and data corruption.
  • Without sound financial management, an IT organisation may not have the funds to invest in key security projects.
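The first bullet, inconsistent configuration in the absence of change and configuration management, is the one a security team can check directly. The following is an added example, not code from the CISM material or from this post: it compares the approved configuration recorded in a configuration-management database (CMDB) with the state observed on each host and classifies every host as compliant, drifted, unmanaged (on the network but never registered under change control) or unreachable. The baseline, the observed configurations, the setting names and the list of security-relevant keys are all constructed assumptions.

```python
"""Added example (not from the CISM material): detect configuration drift by
comparing the approved baseline held in a configuration-management database
(CMDB) with the state observed on each host. The baseline, observed
configurations and the set of security-relevant keys are constructed
assumptions."""

# Settings where drift is a security finding rather than cosmetic noise (assumption).
SECURITY_KEYS = {"ssh_password_auth", "firewall_enabled", "tls_min_version", "auto_updates"}

# Approved configuration per host, as recorded under change control (constructed).
BASELINE = {
    "web-01": {"ssh_password_auth": "no", "firewall_enabled": "yes",
               "tls_min_version": "1.2", "auto_updates": "yes", "motd": "corp"},
    "web-02": {"ssh_password_auth": "no", "firewall_enabled": "yes",
               "tls_min_version": "1.2", "auto_updates": "yes", "motd": "corp"},
    "db-01":  {"ssh_password_auth": "no", "firewall_enabled": "yes",
               "tls_min_version": "1.2", "auto_updates": "no", "motd": "corp"},
}

# State collected from the hosts (constructed). web-02 was changed outside the
# change process; web-03 was built without ever being registered in the CMDB;
# db-01 did not respond to collection.
OBSERVED = {
    "web-01": dict(BASELINE["web-01"]),
    "web-02": {"ssh_password_auth": "yes", "firewall_enabled": "yes",
               "tls_min_version": "1.0", "auto_updates": "yes", "motd": "hello"},
    "web-03": {"ssh_password_auth": "yes", "firewall_enabled": "no",
               "tls_min_version": "1.2", "auto_updates": "no", "motd": "corp"},
}


def diff_host(baseline, observed):
    """Findings for one host: every key whose observed value differs from the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected, actual = baseline.get(key), observed.get(key)
        if expected != actual:
            findings.append({
                "key": key, "expected": expected, "observed": actual,
                "severity": "high" if key in SECURITY_KEYS else "low",
            })
    return findings


def detect_drift(baseline, observed):
    """Classify every host known to either side as compliant, drift, unmanaged or unreachable."""
    report = {}
    for host in sorted(set(baseline) | set(observed)):
        if host not in baseline:
            # Present on the network but absent from the CMDB: no approved state to compare against.
            report[host] = {"status": "unmanaged", "findings": []}
        elif host not in observed:
            report[host] = {"status": "unreachable", "findings": []}
        else:
            findings = diff_host(baseline[host], observed[host])
            report[host] = {"status": "drift" if findings else "compliant", "findings": findings}
    return report


def high_severity_hosts(report):
    """Hosts that need a change or incident ticket: unmanaged, or drifted on a security key."""
    return [
        host for host, entry in sorted(report.items())
        if entry["status"] == "unmanaged"
        or any(f["severity"] == "high" for f in entry["findings"])
    ]


if __name__ == "__main__":
    report = detect_drift(BASELINE, OBSERVED)
    for host, entry in report.items():
        print(host, entry["status"], [(f["key"], f["observed"]) for f in entry["findings"]])
    print("needs action:", high_severity_hosts(report))
```

Two design choices are worth noting. An unmanaged host is treated as high severity even though nothing can be diffed, because a system outside configuration management is exactly the inconsistent configuration the bullet warns about. And the comparison is keyed on a fixed set of security-relevant settings so that cosmetic drift (the login banner here) is recorded but does not generate an alert.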

What are Controls?

Controls are rules, processes, methods, systems, and other measures intended to limit risk. An organisation creates controls to ensure that its business objectives are met, that risks are reduced, and that errors are prevented or corrected.

Controls are developed for two major purposes in an organisation: to assure desired results and to prevent undesirable ones.

Different Types of Controls

The three types of controls are physical, technical, and administrative:

  • Physical: These controls exist in the physical world. Video surveillance, locking doors, bollards, and fences are examples of physical controls.
  • Technical: These controls are generally intangible and are implemented in information systems and their components. Encryption, computer access restrictions, and audit logs are examples of technical controls. These are sometimes referred to as logical controls.
  • Administrative: These controls are the policies, processes, and standards that specify which actions, protocols, and settings are required or prohibited. A policy prohibiting personal use of company-owned information systems is an example of an administrative control. These are sometimes referred to as management controls.

Different Classes of Controls

There are six classes of controls:

  • Preventive: This type of control is used to stop an unwanted event from occurring. Computer login screens (which keep unauthorised people from accessing information), keycard systems (which keep unauthorised people out of a building or workspace), and encryption (which keeps anyone without the key from reading the data) are all examples of preventive controls.
  • Detective: This type of control records both wanted and unwanted events. A detective control cannot make anyone do, or refrain from doing, anything; it ensures that it is known whether, and how, something happened. Video surveillance and event logs are examples of detective controls.
  • Deterrent: This type of control is used to discourage someone from doing something the organisation does not want them to do. Guard dogs, warning signs, and visibly placed video cameras and monitors are examples of deterrent controls.
  • Corrective: This type of control is triggered (manually or automatically) after an unwanted event has occurred. Improving a process once it is found to be faulty is an example of a corrective control.
  • Compensating: This type of control is used because no direct control can be applied. A visitor sign-in register, for example, can be a compensating control when it stands in for a stronger detective control such as a video surveillance system. The compensating control addresses the same risk the original control would have.
  • Recovery: This type of control returns a system or asset to the state it was in before the event. Using a tool to remove malware from a computer is an example of a recovery control; restoring deleted or damaged files from backup is another.
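The detective class above names event logs as an example, and the distinction from a preventive control is clearest when the two are separated in code. The following is an added example, not code from the CISM material or from this post: a detective control that reads authentication log lines and raises a finding when one source address fails a threshold number of logins within a sliding time window, and a second, higher-priority finding when a login from that source then succeeds. It only reports; the lockout that would stop the attempts is the matching preventive control and is deliberately not part of this code. The log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Added example (not from the CISM material) of a detective control: scan
authentication log lines and raise a finding for any source address that fails
`threshold` logins within `window_seconds`, plus a separate finding when a
login succeeds right after such a burst. The log format, sample lines and
thresholds are constructed assumptions; the control only reports, it does not
block (blocking or locking the account would be the matching preventive
control)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed, simplified sshd-style log lines (assumption).
LOG_LINES = """\
2021-03-01T09:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50122 ssh2
2021-03-01T09:00:04 sshd[1201]: Failed password for admin from 203.0.113.7 port 50123 ssh2
2021-03-01T09:00:09 sshd[1201]: Failed password for root from 203.0.113.7 port 50124 ssh2
2021-03-01T09:00:15 sshd[1201]: Failed password for admin from 203.0.113.7 port 50125 ssh2
2021-03-01T09:00:21 sshd[1201]: Failed password for admin from 203.0.113.7 port 50126 ssh2
2021-03-01T09:00:30 sshd[1201]: Accepted password for admin from 203.0.113.7 port 50127 ssh2
2021-03-01T09:05:00 sshd[1201]: Failed password for alice from 198.51.100.4 port 41000 ssh2
2021-03-01T09:20:00 sshd[1201]: Failed password for alice from 198.51.100.4 port 41001 ssh2
2021-03-01T09:20:02 sshd[1201]: Accepted publickey for alice from 198.51.100.4 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (\S+) from (\S+) port \d+"
)


def parse(lines):
    """Yield (timestamp, failed, user, source) for each line the pattern recognises."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2) == "Failed", m.group(3), m.group(4)


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding-window count of failures per source; returns the findings in log order."""
    failures = defaultdict(deque)   # source -> timestamps of failures still inside the window
    flagged = set()                 # sources already reported, so a burst yields one finding
    findings = []
    for ts, failed, user, src in parse(lines):
        recent = failures[src]
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()        # drop failures that have aged out of the window
        if failed:
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append({"type": "bruteforce", "src": src, "count": len(recent),
                                 "last_user": user, "at": ts.isoformat()})
        else:
            if len(recent) >= threshold:
                # A success on the heels of a burst of failures is the case worth escalating.
                findings.append({"type": "success_after_failures", "src": src, "user": user,
                                 "recent_failures": len(recent), "at": ts.isoformat()})
            recent.clear()
            flagged.discard(src)    # a later burst from the same source is reported again
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(LOG_LINES):
        print(finding)
```

On the constructed lines, 203.0.113.7 produces a bruteforce finding at the fifth failure and a success_after_failures finding nine seconds later, while alice's two failures fifteen minutes apart never reach the threshold, which is the difference between a detective control that reports something worth investigating and one that pages on every typo.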


An information security programme comprises the activities used to identify and treat risks. The risk management life cycle consists of regular and ad hoc risk assessments. Risk governance is the set of activities that gives management visibility into, and control over, the security programme; establishing a security steering committee or security council is an important part of it. Security programmes also include a variety of administrative activities that are vital to their success.

Various techniques are needed to identify and manage risks. Security managers need to understand how to develop business cases to secure funding for security projects; rather than focusing on return on investment (ROI), they should focus on risk reduction. Data security controls help to ensure that only authorised personnel can access, add, delete, and update business information. Security managers need to understand the various types of controls (preventive, detective, deterrent, manual, automatic, and so on) so that the right ones can be implemented.


Below are some recommended CISM books on Amazon:

CISM Certified Information Security Manager All-in-One Exam Guide by Peter H. Gregory

This bundle contains the all-in-one exam guide and the CISM practice exams. When searching for CISM preparation material, I could find only this book worth giving a try apart from the ISACA review manual.

The study guide is thorough and covers all aspects of the exam.

Electronic exams are included with both the study guide and the practice test book. Some questions are shared between the two, but they rarely overlap.

The practice tests and questions were as close to the exam version I took as feasible without being dumps, indicating that they were extremely accurate reflections of the test material.

With around 20 days of regular studying for about 1-2 hours per day, I was able to pass the test on my first attempt with ease. Based on the findings, I believe the study guide and practice test set is well worth the money and should likely be the only study material necessary.

CISM Review Manual, 15th Edition by ISACA

It's a good handbook to read for the CISM exam; however, some of the information is a little raw. It's more or less required reading for the CISM test, but it's a rather dull read. Lots of relevant and useful content. However, it reads as a review handbook rather than a guidebook.
