CISA - Certified Information Systems Auditor
The job practice domains and task and knowledge statements are as follows:
Domain 1—The Process of Auditing Information Systems (21%)
Domain 2—Governance and Management of IT (16%)
Domain 3—Information Systems Acquisition, Development and Implementation (18%)
Domain 4—Information Systems Operations, Maintenance and Service Management (20%)
Domain 5—Protection of Information Assets (25%)
Domain 1: The Process of Auditing Information Systems
Provide audit services in accordance with IS audit standards to assist the organization in protecting and controlling information systems. (21%)
1.1 Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
1.3 Conduct audits in accordance with IS audit standards to achieve planned audit objectives.
1.4 Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
1.5 Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.
1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards.
1.2 Knowledge of the risk assessment concepts and tools and techniques used in planning, examination, reporting and follow-up.
1.3 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes.
1.4 Knowledge of the control principles related to controls in information systems.
1.5 Knowledge of risk-based audit planning and audit project management techniques including follow-up.
1.6 Knowledge of the applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits.
1.7 Knowledge of the evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence.
1.8 Knowledge of different sampling methodologies and other substantive/data analytical procedures.
1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification).
1.10 Knowledge of audit quality assurance (QA) systems and frameworks.
1.11 Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities.
Domain 2: Governance and Management of IT
Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve objectives and to support the organization's strategy. (16%)
2.1 Evaluate the IT strategy, including IT direction, and the processes for the strategy’s development, approval, implementation and maintenance for alignment with the organization’s strategies and objectives.
2.2 Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization’s strategies and objectives.
2.3 Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization’s strategies and objectives.
2.4 Evaluate the organization’s IT policies, standards and procedures, and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.
2.5 Evaluate IT resource management, including investment, prioritization, allocation and use, for alignment with the organization’s strategies and objectives.
2.6 Evaluate IT portfolio management, including investment, prioritization and allocation, for alignment with the organization’s strategies and objectives.
2.7 Evaluate risk management practices to determine whether the organization’s IT-related risk is identified, assessed, monitored, reported and managed.
2.8 Evaluate IT management and monitoring of controls (e.g., continuous monitoring, quality assurance [QA]) for compliance with the organization’s policies, standards and procedures.
2.9 Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.
2.10 Evaluate the organization’s business continuity plan (BCP), including alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization’s ability to continue essential business operations during the period of an IT disruption.
2.1 Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each
2.2 Knowledge of IT governance, management, security and control frameworks, and related standards, guidelines and practices
2.3 Knowledge of the organizational structure, roles and responsibilities related to IT, including segregation of duties (SoD)
2.4 Knowledge of the relevant laws, regulations and industry standards affecting the organization
2.5 Knowledge of the organization’s technology direction and IT architecture and their implications for setting long-term strategic directions
2.6 Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
2.7 Knowledge of the use of capability and maturity models
2.8 Knowledge of process optimization techniques
2.9 Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, personnel management)
2.10 Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
2.11 Knowledge of enterprise risk management (ERM)
2.12 Knowledge of the practices for monitoring and reporting of controls performance (e.g., continuous monitoring, quality assurance [QA])
2.13 Knowledge of quality management and quality assurance (QA) systems
2.14 Knowledge of the practices for monitoring and reporting of IT performance (e.g., balanced scorecard [BSC], key performance indicators [KPIs])
2.15 Knowledge of business impact analysis (BIA)
2.16 Knowledge of the standards and procedures for the development, maintenance and testing of the business continuity plan (BCP)
2.17 Knowledge of the procedures used to invoke and execute the business continuity plan (BCP) and return to normal operations
Domain 3: Information Systems Acquisition, Development and Implementation
Provide assurance that the practices for the acquisition, development, testing and implementation of information systems meet the organization’s strategies and objectives. (18%)
3.1 Evaluate the business case for the proposed investments in information systems acquisition, development, maintenance and subsequent retirement to determine whether the business case meets business objectives.
3.2 Evaluate IT supplier selection and contract management processes to ensure that the organization’s service levels and requisite controls are met.
3.3 Evaluate the project management framework and controls to determine whether business requirements are achieved in a cost-effective manner while managing risk to the organization.
3.4 Conduct reviews to determine whether a project is progressing in accordance with project plans, is adequately supported by documentation, and has timely and accurate status reporting.
3.5 Evaluate controls for information systems during the requirements, acquisition, development and testing phases for compliance with the organization's policies, standards, procedures and applicable external requirements.
3.6 Evaluate the readiness of information systems for implementation and migration into production to determine whether project deliverables, controls and the organization's requirements are met.
3.7 Conduct post-implementation reviews of systems to determine whether project deliverables, controls and the organization's requirements are met.
3.1 Knowledge of benefits realization practices (e.g., feasibility studies, business cases, total cost of ownership [TCO], return on investment [ROI])
3.2 Knowledge of IT acquisition and vendor management practices (e.g., evaluation and selection process, contract management, vendor risk and relationship management, escrow, software licensing), including third-party outsourcing relationships, IT suppliers and service providers.
3.3 Knowledge of project governance mechanisms (e.g., steering committee, project oversight board, project management office)
3.4 Knowledge of project management control frameworks, practices and tools
3.5 Knowledge of the risk management practices applied to projects
3.6 Knowledge of requirements analysis and management practices (e.g., requirements verification, traceability, gap analysis, vulnerability management, security requirements)
3.7 Knowledge of the enterprise architecture (EA) related to data, applications and technology (e.g., web-based applications, web services, n-tier applications, cloud services, virtualization)
3.8 Knowledge of system development methodologies and tools, including their strengths and weaknesses (e.g., agile development practices, prototyping, rapid application development [RAD], object-oriented design techniques, secure coding practices, system version control)
3.9 Knowledge of the control objectives and techniques that ensure the completeness, accuracy, validity and authorization of transactions and data
3.10 Knowledge of the testing methodologies and practices related to the information system development life cycle (SDLC)
3.11 Knowledge of the configuration and release management relating to the development of information systems
3.12 Knowledge of system migration and infrastructure deployment practices and data conversion tools, techniques and procedures.
3.13 Knowledge of project success criteria and project risk
3.14 Knowledge of post-implementation review objectives and practices (e.g., project closure, control implementation, benefits realization, performance measurement)
Domain 4: Information Systems Operations, Maintenance and Service Management
Provide assurance that the processes for information systems operations, maintenance and service management meet the organization’s strategies and objectives. (20%)
4.1 Evaluate the IT service management framework and practices (internal or third party) to determine whether the controls and service levels expected by the organization are being adhered to and whether strategic objectives are met.
4.2 Conduct periodic reviews of information systems to determine whether they continue to meet the organization’s objectives within the enterprise architecture (EA).
4.3 Evaluate IT operations (e.g., job scheduling, configuration management, capacity and performance management) to determine whether they are controlled effectively and continue to support the organization’s objectives.
4.4 Evaluate IT maintenance (patches, upgrades) to determine whether they are controlled effectively and continue to support the organization’s objectives.
4.5 Evaluate database management practices to determine the integrity and optimization of databases.
4.6 Evaluate data quality and life cycle management to determine whether they continue to meet strategic objectives.
4.7 Evaluate problem and incident management practices to determine whether problems and incidents are prevented, detected, analyzed, reported and resolved in a timely manner to support the organization's objectives.
4.8 Evaluate change and release management practices to determine whether changes made to systems and applications are adequately controlled and documented.
4.9 Evaluate end-user computing to determine whether the processes are effectively controlled and support the organization’s objectives.
4.10 Evaluate IT continuity and resilience (backups/restores, disaster recovery plan [DRP]) to determine whether they are controlled effectively and continue to support the organization’s objectives.
4.1 Knowledge of service management frameworks
4.2 Knowledge of service management practices and service level management
4.3 Knowledge of the techniques for monitoring third-party performance and compliance with service agreements and regulatory requirements
4.4 Knowledge of enterprise architecture (EA)
4.5 Knowledge of the functionality of fundamental technology (e.g., hardware and network components, system software, middleware, database management systems)
4.6 Knowledge of system resiliency tools and techniques (e.g., fault-tolerant hardware, elimination of single point of failure, clustering)
4.7 Knowledge of IT asset management, software licensing, source code management and inventory practices
4.8 Knowledge of job scheduling practices, including exception handling
4.9 Knowledge of the control techniques that ensure the integrity of system interfaces
4.10 Knowledge of capacity planning and related monitoring tools and techniques
4.11 Knowledge of systems performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports, load balancing)
4.12 Knowledge of data backup, storage, maintenance and restoration practices
4.13 Knowledge of database management and optimization practices
4.14 Knowledge of data quality (completeness, accuracy, integrity) and life cycle management (aging, retention)
4.15 Knowledge of problem and incident management practices
4.16 Knowledge of change management, configuration management, release management and patch management practices
4.17 Knowledge of the operational risk and controls related to end-user computing
4.18 Knowledge of the regulatory, legal, contractual and insurance issues related to disaster recovery
4.19 Knowledge of business impact analysis (BIA) related to disaster recovery planning
4.20 Knowledge of the development and maintenance of disaster recovery plans (DRPs)
4.21 Knowledge of the benefits and drawbacks of alternate processing sites (e.g., hot sites, warm sites, cold sites)
4.22 Knowledge of disaster recovery testing methods
4.23 Knowledge of the processes used to invoke the disaster recovery plans (DRPs)
Domain 5: Protection of Information Assets
Provide assurance that the organization’s policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets. (25%)
5.1 Evaluate the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.
5.2 Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.
5.3 Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity and availability of information.
5.4 Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization’s policies, standards, procedures and applicable external requirements.
5.5 Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.
5.6 Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives.
5.1 Knowledge of the generally accepted practices and applicable external requirements (e.g., laws, regulations) related to the protection of information assets
5.2 Knowledge of privacy principles
5.3 Knowledge of the techniques for the design, implementation, maintenance, monitoring and reporting of security controls
5.4 Knowledge of the physical and environmental controls and supporting practices related to the protection of information assets
5.5 Knowledge of the physical access controls for the identification, authentication and restriction of users to authorized facilities and hardware
5.6 Knowledge of the logical access controls for the identification, authentication and restriction of users to authorized functions and data
5.7 Knowledge of the security controls related to hardware, system software (e.g., applications, operating systems) and database management systems.
5.8 Knowledge of the risk and controls associated with virtualization of systems
5.9 Knowledge of the risk and controls associated with the use of mobile and wireless devices, including personally owned devices (bring your own device [BYOD])
5.10 Knowledge of voice communications security (e.g., PBX, Voice-over Internet Protocol [VoIP])
5.11 Knowledge of network and Internet security devices, protocols and techniques
5.12 Knowledge of the configuration, implementation, operation and maintenance of network security controls
5.13 Knowledge of encryption-related techniques and their uses
5.14 Knowledge of public key infrastructure (PKI) components and digital signature techniques
5.15 Knowledge of the risk and controls associated with peer-to-peer computing, instant messaging, and web-based technologies (e.g., social networking, message boards, blogs, cloud computing)
5.16 Knowledge of the data classification standards related to the protection of information assets
5.17 Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets
5.18 Knowledge of the risk and controls associated with data leakage
5.19 Knowledge of the security risk and controls related to end-user computing
5.20 Knowledge of methods for implementing a security awareness program
5.21 Knowledge of information system attack methods and techniques
5.22 Knowledge of prevention and detection tools and control techniques
5.23 Knowledge of security testing techniques (e.g., penetration testing, vulnerability scanning)
5.24 Knowledge of the processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team)
5.25 Knowledge of the processes followed in forensics investigation and procedures in collection and preservation of the data and evidence (i.e., chain of custody).
5.26 Knowledge of the fraud risk factors related to the protection of information assets
CISM - Certified Information Security Manager
The job practice domains and task and knowledge statements are as follows:
Domain 1—Information Security Governance (24%)
Domain 2—Information Risk Management (30%)
Domain 3—Information Security Program Development and Management (27%)
Domain 4—Information Security Incident Management (19%)
Domain 1: Information Security Governance
Establish and/or maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives. (24%)
1.1 Establish and/or maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and/or ongoing management of the information security program.
1.2 Establish and/or maintain an information security governance framework to guide activities that support the information security strategy.
1.3 Integrate information security governance into corporate governance to ensure that organizational goals and objectives are supported by the information security program.
1.4 Establish and maintain information security policies to guide the development of standards, procedures and guidelines in alignment with enterprise goals and objectives.
1.5 Develop business cases to support investments in information security.
1.6 Identify internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) to ensure that these factors are continually addressed by the information security strategy.
1.7 Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy.
1.8 Define, communicate, and monitor information security responsibilities throughout the organization (e.g., data owners, data custodians, end users, privileged or high-risk users) and lines of authority.
1.9 Establish, monitor, evaluate and report key information security metrics to provide management with accurate and meaningful information regarding the effectiveness of the information security strategy.
k1.1 Knowledge of techniques used to develop an information security strategy (e.g., SWOT [strengths, weaknesses, opportunities, threats] analysis, gap analysis, threat research)
k1.2 Knowledge of the relationship of information security to business goals, objectives, functions, processes and practices
k1.3 Knowledge of available information security governance frameworks
k1.4 Knowledge of globally recognized standards, frameworks and industry best practices related to information security governance and strategy development
k1.5 Knowledge of the fundamental concepts of governance and how they relate to information security
k1.6 Knowledge of methods to assess, plan, design and implement an information security governance framework
k1.7 Knowledge of methods to integrate information security governance into corporate governance
k1.8 Knowledge of contributing factors and parameters (e.g., organizational structure and culture, tone at the top, regulations) for information security policy development
k1.9 Knowledge of content in, and techniques to develop, business cases
k1.10 Knowledge of strategic budgetary planning and reporting methods
k1.11 Knowledge of the internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) and how they impact the information security strategy
k1.12 Knowledge of key information needed to obtain commitment from senior leadership and support from other stakeholders (e.g., how information security supports organizational goals and objectives, criteria for determining successful implementation, business impact)
k1.13 Knowledge of methods and considerations for communicating with senior leadership and other stakeholders (e.g., organizational culture, channels of communication, highlighting essential aspects of information security)
k1.14 Knowledge of roles and responsibilities of the information security manager
k1.15 Knowledge of organizational structures, lines of authority and escalation points
k1.16 Knowledge of information security responsibilities of staff across the organization (e.g., data owners, end users, privileged or high-risk users)
k1.17 Knowledge of processes to monitor performance of information security responsibilities
k1.18 Knowledge of methods to establish new, or utilize existing, reporting and communication channels throughout an organization
k1.19 Knowledge of methods to select, implement and interpret key information security metrics (e.g., key performance indicators [KPIs] or key risk indicators [KRIs])
Domain 2: Information Risk Management
Manage information risk to an acceptable level based on risk appetite in order to meet organizational goals and objectives. (30%)
2.1 Establish and/or maintain a process for information asset classification to ensure that measures taken to protect assets are proportional to their business value.
2.2 Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels.
2.3 Ensure that risk assessments, vulnerability assessments and threat analyses are conducted consistently and at appropriate times to identify and assess risk to the organization’s information.
2.4 Identify, recommend or implement appropriate risk treatment/response options to manage risk to acceptable levels based on organizational risk appetite.
2.5 Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.
2.6 Facilitate the integration of information risk management into business and IT processes (e.g., systems development, procurement, project management) to enable a consistent and comprehensive information risk management program across the organization.
2.7 Monitor for internal and external factors (e.g., key risk indicators [KRIs], threat landscape, geopolitical, regulatory change) that may require reassessment of risk to ensure that changes to existing, or new, risk scenarios are identified and managed appropriately.
2.8 Report noncompliance and other changes in information risk to facilitate the risk management decision-making process.
2.9 Ensure that information security risk is reported to senior management to support an understanding of potential impact on the organizational goals and objectives.
k2.1 Knowledge of methods to establish an information asset classification model consistent with business objectives
k2.2 Knowledge of considerations for assigning ownership of information assets and risk
k2.3 Knowledge of methods to identify and evaluate the impact of internal or external events on information assets and the business
k2.4 Knowledge of methods used to monitor internal or external risk factors
k2.5 Knowledge of information asset valuation methodologies
k2.6 Knowledge of legal, regulatory, organizational and other requirements related to information security
k2.7 Knowledge of reputable, reliable and timely sources of information regarding emerging information security threats and vulnerabilities
k2.8 Knowledge of events that may require risk reassessments and changes to information security program elements
k2.9 Knowledge of information threats, vulnerabilities and exposures and their evolving nature
k2.10 Knowledge of risk assessment and analysis methodologies
k2.11 Knowledge of methods used to prioritize risk scenarios and risk treatment/response options
k2.12 Knowledge of risk reporting requirements (e.g., frequency, audience, content)
k2.13 Knowledge of risk treatment/response options (avoid, mitigate, accept or transfer) and methods to apply them
k2.14 Knowledge of control baselines and standards and their relationships to risk assessments
k2.15 Knowledge of information security controls and the methods to analyze their effectiveness
k2.16 Knowledge of gap analysis techniques as related to information security
k2.17 Knowledge of techniques for integrating information security risk management into business and IT processes
k2.18 Knowledge of compliance reporting requirements and processes
k2.19 Knowledge of cost/benefit analysis to assess risk treatment options
Domain 3: Information Security Program Development and Management
Develop and maintain an information security program that identifies, manages and protects the organization’s assets while aligning to information security strategy and business goals, thereby supporting an effective security posture. (27%)
3.1 Establish and/or maintain the information security program in alignment with the information security strategy.
3.2 Align the information security program with the operational objectives of other business functions (e.g., human resources [HR], accounting, procurement and IT) to ensure that the information security program adds value to and protects the business.
3.3 Identify, acquire and manage requirements for internal and external resources to execute the information security program.
3.4 Establish and maintain information security processes and resources (including people and technologies) to execute the information security program in alignment with the organization’s business goals.
3.5 Establish, communicate and maintain organizational information security standards, guidelines, procedures and other documentation to guide and enforce compliance with information security policies.
3.6 Establish, promote and maintain a program for information security awareness and training to foster an effective security culture.
3.7 Integrate information security requirements into organizational processes (e.g., change control, mergers and acquisitions, system development, business continuity, disaster recovery) to maintain the organization’s security strategy.
3.8 Integrate information security requirements into contracts and activities of third parties (e.g., joint ventures, outsourced providers, business partners, customers) and monitor adherence to established requirements in order to maintain the organization’s security strategy.
3.9 Establish, monitor and analyze program management and operational metrics to evaluate the effectiveness and efficiency of the information security program.
3.10 Compile and present reports to key stakeholders on the activities, trends and overall effectiveness of the IS program and the underlying business processes in order to communicate security performance.
k3.1 Knowledge of methods to align information security program requirements with those of other business functions
k3.2 Knowledge of methods to identify, acquire, manage and define requirements for internal and external resources
k3.3 Knowledge of current and emerging information security technologies and underlying concepts
k3.4 Knowledge of methods to design and implement information security controls
k3.5 Knowledge of information security processes and resources (including people and technologies) in alignment with the organization’s business goals and methods to apply them
k3.6 Knowledge of methods to develop information security standards, procedures and guidelines
k3.7 Knowledge of internationally recognized regulations, standards, frameworks and best practices related to information security program development and management
k3.8 Knowledge of methods to implement and communicate information security policies, standards, procedures and guidelines
k3.9 Knowledge of training, certifications and skill set development for information security personnel
k3.10 Knowledge of methods to establish and maintain effective information security awareness and training programs
k3.11 Knowledge of methods to integrate information security requirements into organizational processes (e.g., access management, change management, audit processes)
k3.12 Knowledge of methods to incorporate information security requirements into contracts, agreements and third-party management processes
k3.13 Knowledge of methods to monitor and review contracts and agreements with third parties and associated change processes as required
k3.14 Knowledge of methods to design, implement and report operational information security metrics
k3.15 Knowledge of methods for testing the effectiveness and efficiency of information security controls
k3.16 Knowledge of techniques to communicate information security program status to key stakeholders
Domain 4: Information Security Incident Management
Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact. (19%)
4.1 Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents to allow accurate classification and categorization of and response to incidents.
4.2 Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.
4.3 Develop and implement processes to ensure the timely identification of information security incidents that could impact the business.
4.4 Establish and maintain processes to investigate and document information security incidents in order to determine the appropriate response and cause while adhering to legal, regulatory and organizational requirements.
4.5 Establish and maintain incident notification and escalation processes to ensure that the appropriate stakeholders are involved in incident response management.
4.6 Organize, train and equip incident response teams to respond to information security incidents in an effective and timely manner.
4.7 Test, review and revise (as applicable) the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.
4.8 Establish and maintain communication plans and processes to manage communication with internal and external entities.
4.9 Conduct postincident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
4.10 Establish and maintain integration among the incident response plan, business continuity plan and disaster recovery plan.
k4.1 Knowledge of incident management concepts and practices
k4.2 Knowledge of the components of an incident response plan
k4.3 Knowledge of business continuity planning (BCP) and disaster recovery planning (DRP) and their relationship to the incident response plan
k4.4 Knowledge of incident classification/categorization methods
k4.5 Knowledge of incident containment methods to minimize adverse operational impact
k4.6 Knowledge of notification and escalation processes
k4.7 Knowledge of the roles and responsibilities in identifying and managing information security incidents
k4.8 Knowledge of the types and sources of training, tools and equipment required to adequately equip incident response teams
k4.9 Knowledge of forensic requirements and capabilities for collecting, preserving and presenting evidence (e.g., admissibility, quality and completeness of evidence, chain of custody)
k4.10 Knowledge of internal and external incident reporting requirements and procedures
k4.11 Knowledge of postincident review practices and investigative methods to identify root causes and determine corrective actions
k4.12 Knowledge of techniques to quantify damages, costs and other business impacts arising from information security incidents
k4.13 Knowledge of technologies and processes to detect, log, analyze and document information security events
k4.14 Knowledge of internal and external resources available to investigate information security incidents
k4.15 Knowledge of methods to identify and quantify the potential impact of changes made to the operating environment during the incident response process
k4.16 Knowledge of techniques to test the incident response plan
k4.17 Knowledge of applicable regulatory, legal and organization requirements
k4.18 Knowledge of key indicators/metrics to evaluate the effectiveness of the incident response plan
CISSP - Certified Information Systems Security Professional
Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Engineering
Domain 4: Communications and Network Security
Domain 5: Identity and Access Management
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security
Domain 1: Security and Risk Management
1.1 Understand and apply concepts of confidentiality, integrity and availability
1.2 Apply security governance principles through:
»» Alignment of security function to strategy, goals, mission, and objectives (e.g., business case, budget and resources)
»» Organizational processes (e.g., acquisitions, divestitures, governance committees)
»» Security roles and responsibilities
»» Control frameworks
»» Due care
»» Due diligence
»» Legislative and regulatory compliance
»» Privacy requirements compliance
1.4 Understand legal and regulatory issues that pertain to information security in a global context
»» Computer crimes
»» Licensing and intellectual property (e.g., copyright, trademark, digital-rights management)
»» Import/export controls
»» Trans-border data flow
»» Data breaches
1.5 Understand professional ethics
»» Exercise (ISC)² Code of Professional Ethics
»» Support organization’s code of ethics
1.6 Develop and implement documented security policy, standards, procedures, and guidelines.
1.7 Understand business continuity requirements
»» Develop and document project scope and plan
»» Conduct business impact analysis
CISSP Certification Exam Outline 6
1.8 Contribute to personnel security policies
»» Employment candidate screening (e.g., reference checks, education verification)
»» Employment agreements and policies
»» Employment termination processes
»» Vendor, consultant, and contractor controls
1.9 Understand and apply risk management concepts
»» Identify threats and vulnerabilities
»» Risk assessment/analysis (qualitative, quantitative, hybrid)
»» Risk assignment/acceptance (e.g., system authorization)
»» Countermeasure selection
»» Types of controls (preventive, detective, corrective, etc.)
»» Control assessment
»» Monitoring and measurement
»» Asset valuation
»» Continuous improvement
»» Risk frameworks
1.10 Understand and apply threat modeling
»» Identifying threats (e.g., adversaries, contractors, employees, trusted partners)
»» Determining and diagramming potential attacks (e.g., social engineering, spoofing)
»» Performing reduction analysis
»» Technologies and processes to remediate threats (e.g., software architecture and operations)
1.11 Integrate security risk considerations into acquisition strategy and practice
»» Hardware, software, and services
»» Third-party assessment and monitoring (e.g., onsite assessment, document exchange and review, process/policy review)
»» Minimum security requirements
»» Service-level requirements
1.12 Establish and manage information security education, training, and awareness
»» Appropriate levels of awareness, training, and education required within organization
»» Periodic reviews for content relevancy
Domain 2: Asset Security
2.1 Classify information and supporting assets (e.g., sensitivity, criticality)
2.2 Determine and maintain ownership (e.g., data owners, system owners, business/mission owners)
2.3 Protect privacy
»» Data owners
»» Data processors
»» Data remanence
»» Collection limitation
2.4 Ensure appropriate retention (e.g., media, hardware, personnel)
2.5 Determine data security controls (e.g., data at rest, data in transit)
»» Scoping and tailoring
»» Standards selection
2.6 Establish handling requirements (markings, labels, storage, destruction of sensitive information)
Domain 3: Security Engineering
3.1 Implement and manage engineering processes using secure design principles
3.2 Understand the fundamental concepts of security models (e.g., Confidentiality, Integrity, and Multi-level Models)
3.3 Select controls and countermeasures based upon systems security evaluation models
3.4 Understand security capabilities of information systems (e.g., memory protection, virtualization, trusted platform module, interfaces, fault tolerance)
3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution
»» Client-based (e.g., applets, local caches)
»» Server-based (e.g., data flow control)
»» Database security (e.g., inference, aggregation, data mining, data analytics, warehousing)
»» Large-scale parallel data systems
»» Distributed systems (e.g., cloud computing, grid computing, peer to peer)
»» Cryptographic systems
»» Industrial control systems (e.g., SCADA)
3.6 Assess and mitigate vulnerabilities in web-based systems (e.g., XML, OWASP)
3.7 Assess and mitigate vulnerabilities in mobile systems
3.8 Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices, Internet of things (IoT))
3.9 Apply cryptography
»» Cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance)
»» Cryptographic types (e.g., symmetric, asymmetric,
»» Public Key Infrastructure (PKI)
»» Key management practices
»» Digital signatures
»» Digital rights management
»» Integrity (hashing and salting)
»» Methods of cryptanalytic attacks (e.g., brute force, cipher-text only, known plaintext)
3.10 Apply secure principles to site and facility design
3.11 Design and implement physical security
»» Wiring closets
»» Server rooms
»» Media storage facilities
»» Evidence storage
»» Restricted and work area security (e.g., operations
»» Data center security
»» Utilities and HVAC considerations
»» Water issues (e.g., leakage, flooding)
»» Fire prevention, detection and suppression
Domain 4: Communications and Network Security
4.1 Apply secure design principles to network architecture (e.g., IP & non-IP protocols,
»» OSI and TCP/IP models
»» IP networking
»» Implications of multilayer protocols (e.g., DNP3)
»» Converged protocols (e.g., FCoE, MPLS, VoIP,
»» Software-defined networks
»» Wireless networks
»» Cryptography used to maintain communication
4.2 Secure network components
»» Operation of hardware (e.g., modems, switches, routers, wireless access points, mobile devices)
»» Transmission media (e.g., wired, wireless, fiber)
»» Network access control devices (e.g.,
»» Endpoint security
»» Content-distribution networks
»» Physical devices
4.3 Design and establish secure communication channels
»» Multimedia collaboration (e.g., remote meeting technology, instant messaging)
»» Remote access (e.g., VPN, screen scraper, virtual
»» Data communications (e.g., VLAN, TLS/SSL)
»» Virtualized networks (e.g., SDN, virtual SAN, guest operating systems, port isolation)
4.4 Prevent or mitigate network attacks
Domain 5: Identity and Access Management
5.1 Control physical and logical access to assets
5.2 Manage identification and authentication of people and devices
»» Identity management implementation (e.g., SSO,
»» Single/multi-factor authentication (e.g., factors,
»» Session management (e.g., timeouts,
»» Registration and proofing of identity
»» Federated identity management (e.g., SAML)
»» Credential management systems
5.3 Integrate identity as a service (e.g., cloud identity)
5.4 Integrate third-party identity services (e.g., on-premise)
5.5 Implement and manage authorization mechanisms
»» Role-Based Access Control (RBAC) methods
»» Rule-based access control methods
»» Mandatory Access Control (MAC)
»» Discretionary Access Control (DAC)
5.6 Prevent or mitigate access control attacks
5.7 Manage the identity and access provisioning lifecycle (e.g., provisioning, review)
Domain 6: Security Assessment and Testing
6.1 Design and validate assessment and test strategies
6.2 Conduct security control testing
»» Vulnerability assessment
»» Penetration testing
»» Log reviews
»» Synthetic transactions
»» Code review and testing (e.g., manual, dynamic,
»» Misuse case testing
»» Test coverage analysis
»» Interface testing (e.g., API, UI, physical)
6.3 Collect security process data (e.g., management and operational controls)
»» Account management (e.g., escalation,
»» Management review
»» Key performance and risk indicators
»» Backup verification data
»» Training and awareness
»» Disaster recovery and business continuity
6.4 Analyze and report test outputs (e.g., automated, manual)
6.5 Conduct or facilitate internal and third party audits
Domain 7: Security Operations
7.1 Understand and support investigations
»» Evidence collection and handling (e.g., chain of
»» Reporting and documenting
»» Investigative techniques (e.g., root-cause analysis,
»» Digital forensics (e.g., media, network, software, and embedded devices)
7.2 Understand requirements for investigation types
»» Electronic discovery (eDiscovery)
7.3 Conduct logging and monitoring activities
»» Intrusion detection and prevention
»» Security information and event management
»» Continuous monitoring
»» Egress monitoring (e.g., data loss prevention,
7.4 Secure the provisioning of resources
»» Asset inventory (e.g., hardware, software)
»» Configuration management
»» Physical assets
»» Virtual assets (e.g., software-defined network, virtual SAN, guest operating systems)
»» Cloud assets (e.g., services, VMs, storage,
»» Applications (e.g., workloads or private clouds, web services, software as a service)
7.5 Understand and apply foundational security operations concepts
»» Need-to-know/least privilege (e.g., entitlement, aggregation, transitive trust)
»» Separation of duties and responsibilities
»» Monitor special privileges (e.g., operators,
»» Job rotation
»» Information lifecycle
»» Service-level agreements
7.6 Employ resource protection techniques
»» Media management
»» Hardware and software asset management
7.7 Conduct incident management
»» Lessons learned
7.8 Operate and maintain preventative measures
»» Intrusion detection and prevention systems
»» Third-party security services
7.9 Implement and support patch and vulnerability management
7.10 Participate in and understand change management processes (e.g., versioning, baselining, security impact analysis)
7.11 Implement recovery strategies
»» Backup storage strategies (e.g., offsite storage, electronic vaulting, tape rotation)
»» Recovery site strategies
»» Multiple processing sites (e.g., operationally
»» System resilience, high availability, quality of service, and fault tolerance
7.12 Implement disaster recovery processes
»» Training and awareness
7.13 Test disaster recovery plans
»» Full interruption
7.14 Participate in business continuity planning and exercises
7.15 Implement and manage physical security
»» Perimeter (e.g., access control and monitoring)
»» Internal security (e.g., escort requirements/visitor control, keys and locks)
7.16 Participate in addressing personnel safety concerns (e.g., duress, travel, monitoring)
Domain 8: Software Development Security
8.1 Understand and apply security in the software development lifecycle
»» Development methodologies (e.g., Agile,
»» Maturity models
»» Operation and maintenance
»» Change management
»» Integrated product team (e.g., DevOps)
8.2 Enforce security controls in development environments
»» Security of the software environments
»» Security weaknesses and vulnerabilities at the source-code level (e.g., buffer overflow, escalation of privilege, input/output validation)
»» Configuration management as an aspect of
»» Security of code repositories
»» Security of application programming interfaces
8.3 Assess the effectiveness of software security
»» Auditing and logging of changes
»» Risk analysis and mitigation
»» Acceptance testing
8.4 Assess security impact of acquired software