Certified Information Security Manager (CISM) Fundamentals — Quiz 1 — Study Guide

Information security isn't just about firewalls and passwords — it's a discipline rooted in governance, accountability, and strategic thinking. The Certified Information Security Manager (CISM) credential recognizes professionals who can *manage* security programs, not just implement technical controls. This guide covers the foundational concepts you'll need to ace Quiz 1, from risk management frameworks to leadership principles.


Information Security Governance

Governance is the system by which an organization directs and controls its information security activities. Think of it like the constitution of your security program — it sets the rules everyone else follows.

Primary Goal of Governance

The primary goal of information security governance is to align security strategy with business objectives, ensuring that leadership makes informed decisions about risk. It answers the question: *"Are we protecting the right things in the right way?"*

Top-Down Approach

Good governance flows top-down. This means:

  • The Board and C-Suite set the tone and approve policy
  • Middle management implements programs
  • Staff follow procedures

This is sometimes called "tone at the top" — if leadership doesn't take security seriously, neither will employees.

The CISO's Role

The Chief Information Security Officer (CISO) is the executive responsible for the overall information security strategy. The CISO:

  • Reports to senior leadership
  • Bridges the gap between technical teams and business decision-makers
  • Owns the information security program

Policies, Frameworks, and Standards

Policies

A policy is a high-level statement of management intent. It doesn't say *how* to do something — it says *what* must be done and *why*.

Example: "All sensitive data must be encrypted at rest and in transit."

Frameworks and ISO 27001

A framework provides a structured approach to managing security. The most widely recognized is ISO/IEC 27001, which defines requirements for an Information Security Management System (ISMS).

Term                              Definition
ISMS                              A systematic approach to managing sensitive information using people, processes, and technology
ISO 27001                         International standard specifying ISMS requirements
Statement of Applicability (SoA)  Documents which ISO 27001 controls apply to your organization and why

The SoA is critical — it justifies which controls were selected, which were excluded, and why, based on your risk assessment results.


Risk Management

Risk management is the heart of CISM. It's the ongoing process of identifying, assessing, and treating risks to information assets.

Key Risk Concepts

  • Risk: The potential for loss or harm when a threat exploits a vulnerability
  • Risk Appetite: How much risk an organization is *willing* to accept
  • Risk Owner: The person accountable for managing a specific risk (not just the IT team!)

Risk Assessment Methods

Method        Description                                Example
Qualitative   Uses subjective ratings (High/Medium/Low)  "This risk is HIGH because it affects customer data"
Quantitative  Uses numbers and financial values          "Expected annual loss = $50,000"

Most organizations use a hybrid approach — qualitative for prioritization, quantitative for business cases.

Risk Treatment Options

Once risks are assessed, you choose how to handle them:

  • Avoid — Eliminate the activity causing the risk
  • Mitigate — Apply controls to reduce likelihood or impact
  • Transfer — Shift risk to a third party (e.g., insurance)
  • Accept — Acknowledge and monitor the risk (within risk appetite)
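The two assessment methods and the four treatment options can be exercised together in a small risk register. The following Python is an added example written for this guide, not CISM or ISACA material. It assumes the standard formula ALE = SLE × ARO (single loss expectancy times annual rate of occurrence) for the quantitative "expected annual loss", a 1 to 3 likelihood × impact scale for the qualitative rating, and a deliberately simplified rule for choosing between Accept, Mitigate, Transfer and Avoid against a dollar risk appetite; the risks, controls and figures are constructed sample data.

```python
"""Worked risk-assessment and risk-treatment example (added illustration).

Assumptions not stated in the study guide:
  * expected annual loss uses ALE = SLE x ARO;
  * qualitative rating = likelihood (1-3) x impact (1-3), mapped to Low/Medium/High;
  * the treatment rule is a simplified decision procedure;
  * every risk, control and dollar figure below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Control:
    name: str
    annual_cost: float
    aro_reduction: float  # fraction (0..1) by which the control lowers ARO


@dataclass
class Risk:
    name: str
    owner: str            # accountable business owner, not "the IT team"
    likelihood: int       # qualitative, 1 (rare) .. 3 (likely)
    impact: int           # qualitative, 1 (minor) .. 3 (severe)
    sle: float            # single loss expectancy, dollars per occurrence
    aro: float            # annual rate of occurrence
    insurable: bool = False
    avoidable: bool = False
    candidate_control: Optional[Control] = None


def qualitative_rating(risk: Risk) -> str:
    """Map likelihood x impact (1..9) to the High/Medium/Low scale used for prioritisation."""
    score = risk.likelihood * risk.impact
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def annual_loss_expectancy(risk: Risk) -> float:
    """Quantitative expected annual loss: ALE = SLE x ARO."""
    return risk.sle * risk.aro


def recommend_treatment(risk: Risk, appetite: float) -> tuple:
    """Return (option, reason); the order of checks is an assumption of this example."""
    ale = annual_loss_expectancy(risk)
    if ale <= appetite:
        return "Accept", f"ALE ${ale:,.0f} is within appetite ${appetite:,.0f}; monitor it"
    control = risk.candidate_control
    if control is not None:
        residual_ale = risk.sle * risk.aro * (1.0 - control.aro_reduction)
        saving = ale - residual_ale
        if control.annual_cost < saving:  # control pays for itself
            return "Mitigate", f"{control.name}: ${control.annual_cost:,.0f}/yr cuts ALE by ${saving:,.0f}"
    if risk.insurable:
        return "Transfer", "no cost-effective control; shift the financial impact to insurance"
    if risk.avoidable:
        return "Avoid", "exceeds appetite and cannot be reduced or insured; stop the activity"
    return "Accept", "exceeds appetite with no viable treatment; needs executive sign-off"


# Constructed sample register (not real figures).
RISK_APPETITE = 25_000.0
RISKS = [
    Risk("Phishing leads to credential theft", "Head of Customer Ops", 3, 2, sle=20_000, aro=2.5,
         candidate_control=Control("Awareness programme", 15_000, 0.6)),
    Risk("Fire destroys primary data centre", "CIO", 1, 3, sle=2_000_000, aro=0.01, insurable=True),
    Risk("Ransomware on legacy file server", "Head of Finance", 2, 3, sle=400_000, aro=0.2,
         insurable=True, candidate_control=Control("Replace legacy server", 70_000, 0.5)),
    Risk("Storing card numbers in-house", "Head of Sales", 2, 3, sle=500_000, aro=0.1, avoidable=True),
]


def risk_register(risks=RISKS, appetite=RISK_APPETITE):
    """Hybrid view: qualitative rating orders the list, ALE and treatment feed the business case."""
    rows = []
    for r in sorted(risks, key=lambda x: -x.likelihood * x.impact):
        option, reason = recommend_treatment(r, appetite)
        rows.append({"risk": r.name, "owner": r.owner, "rating": qualitative_rating(r),
                     "ale": annual_loss_expectancy(r), "treatment": option, "reason": reason})
    return rows


if __name__ == "__main__":
    for row in risk_register():
        print(f"{row['rating']:<6} ${row['ale']:>9,.0f}  {row['treatment']:<8} {row['risk']} "
              f"(owner: {row['owner']}): {row['reason']}")
```

Note that the register names a business owner for every risk and that the phishing entry comes out as Mitigate only because the control's annual cost is lower than the ALE it removes; raise the control's cost above that saving and the same risk falls through to Transfer.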

Security Controls

Controls are safeguards put in place to reduce risk. They fall into three functional categories:

Control Type  Purpose                                Example
Preventive    Stop incidents before they happen      Firewalls, access controls
Detective     Identify incidents that have occurred  Intrusion detection systems (IDS), audit logs
Corrective    Restore systems after an incident      Backups, patch management

Quiz tip: An IDS (Intrusion Detection System) is a classic example of a detective control — it alerts you *after* suspicious activity is detected, not before.

Separation of Duties

Separation of duties is a preventive control that ensures no single person can complete a critical process alone. For example, the person who approves a payment shouldn't also be the one who processes it. This reduces fraud and error.

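Separation of duties is usually enforced in two places: a static check over role assignments (nobody may hold both halves of a critical process) and a dynamic check on each transaction (the approver and processor of this payment must be different people). The Python below is an added example for this guide, not the study guide's own material; the incompatible-duty pairs, user assignments and payment records are constructed sample data, and a real organization would define its own conflict matrix.

```python
"""Separation-of-duties (SoD) checks: an added illustration, not study-guide
material. The duty pairs, users and payments are constructed sample data.
"""

# Static SoD: pairs of duties that one person must never hold at the same time.
INCOMPATIBLE_DUTIES = {
    frozenset({"approve_payment", "process_payment"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"develop_code", "deploy_to_production"}),
}


def static_violations(assignments):
    """Return sorted (user, duty_a, duty_b) for every user holding an incompatible pair.

    Intended to run over the entitlement export from the IAM system during access reviews.
    """
    found = []
    for user, duties in assignments.items():
        held = set(duties)
        for pair in INCOMPATIBLE_DUTIES:
            if pair <= held:
                duty_a, duty_b = sorted(pair)
                found.append((user, duty_a, duty_b))
    return sorted(found)


def dynamic_violations(payments):
    """Transaction-level SoD: the approver and processor of one payment must differ.

    Catches what the static check cannot, e.g. one person using a shared or borrowed account.
    """
    return [p["id"] for p in payments if p["approved_by"] == p["processed_by"]]


# Constructed sample data.
ASSIGNMENTS = {
    "alice": ["create_vendor", "process_payment"],
    "bob": ["approve_payment"],
    "carol": ["approve_payment", "process_payment"],   # toxic combination
    "dave": ["develop_code", "deploy_to_production"],  # toxic combination
}
PAYMENTS = [
    {"id": "PAY-1001", "approved_by": "bob", "processed_by": "alice"},
    {"id": "PAY-1002", "approved_by": "bob", "processed_by": "bob"},  # self-approved
]

if __name__ == "__main__":
    for user, duty_a, duty_b in static_violations(ASSIGNMENTS):
        print(f"{user} holds both '{duty_a}' and '{duty_b}'")
    for payment_id in dynamic_violations(PAYMENTS):
        print(f"{payment_id}: approver and processor are the same person")
```

The static check is what an access review or audit would run periodically; the dynamic check belongs in the payment workflow itself, because a clean role matrix does not stop a single identity from performing both steps.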

Due Care and Due Diligence

These two terms are often confused — here's a simple way to remember them:

  • Due Diligence = *Research before acting* (investigating risks before a decision)
  • Due Care = *Acting responsibly after knowing* (implementing reasonable safeguards)

Analogy: Before buying a used car, you research its history (due diligence). After buying it, you maintain it with regular oil changes (due care).

In security, due care means implementing reasonable security measures to protect assets. Failing to do so can result in legal liability.


Ownership, Responsibility, and Accountability

Role         Meaning
Asset Owner  Business unit leader accountable for an information asset
Custodian    IT staff responsible for day-to-day protection
Risk Owner   Person accountable for managing a specific risk

Ownership is a business function, not an IT function. A data owner decides *who* can access data; the custodian *enforces* that decision.


Business Continuity and BIA

Business Impact Analysis (BIA)

A BIA identifies which business processes are most critical and determines the potential impact of disruptions. It answers:

  • What are our most important functions?
  • How long can we survive without them?
  • What resources do they need?

Business Continuity

Business continuity planning ensures the organization can continue operating during and after a disruption. It relies on BIA results to prioritize recovery efforts.


Compliance, Awareness, and Training

  • Compliance ensures the organization meets legal, regulatory, and contractual obligations
  • Security awareness programs change employee behavior by educating them on threats like phishing
  • Training provides role-specific skills (e.g., secure coding for developers)

Mergers and Acquisitions

During mergers, security teams must assess the acquired company's risk posture — their vulnerabilities become *your* vulnerabilities. Due diligence before closing a deal is essential.


Audit

An audit is an independent review to verify that controls are working as intended and that the organization is complying with policies and regulations. Audits support governance by providing objective evidence to leadership.


Key Takeaways

  • Governance sets the tone: Information security must be driven top-down, with leadership establishing strategy, policy, and risk appetite before technical controls are chosen.
  • Risk management is a cycle: Identify → Assess (qualitative or quantitative) → Treat → Monitor. The risk owner is accountable for each risk, not just IT.
  • Controls have types: Detective controls (like IDS and audit logs) identify incidents *after* they occur; preventive controls stop them beforehand.
  • Due care vs. due diligence: Diligence is researching *before* a decision; care is acting responsibly *after* — both are required to avoid legal liability.
  • The SoA is ISO 27001's backbone: It documents which controls apply to your ISMS, why they were chosen, and which were excluded — making it a key governance artifact.