Model Curriculum Info Sec Mgmt 15Dec08 - ISACA

ISACA®

Model Curriculum for Information Security Management

2008 ISACA. All rights reserved. Page 2

ISACA

With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®) designation, earned by more than 60,000 professionals since 1978; the Certified Information Security Manager® (CISM®) designation, earned by more than 10,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT™ (CGEIT™) designation.

Disclaimer

ISACA and the authors have designed and created this publication, titled ISACA® Model Curriculum for Information Security Management, primarily as an educational resource for security and governance professionals. ISACA makes no claim that use of this publication will assure a successful outcome. This publication should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, security and control professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.

Copies of the model curriculum are freely available to all and may be downloaded from www.isaca.org/modelcurricula.

Reservation of Rights

© 2008 ISACA. All rights reserved. Express permission to reprint or reproduce is granted solely to academic institutions for educational purposes, and must include full attribution of the material's source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008, USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.isaca.org

Printed in the United States of America

Acknowledgments

ISACA wishes to recognize:

ISACA Board of Directors
Lynn Lawton, CISA, FBCS, FCA, FIIA, KPMG LLP, UK, International President
George Ataya, CISA, CISM, CGEIT, CISSP, ICT Control SA, Belgium, Vice President
Howard Nicholson, CISA, CGEIT, City of Salisbury, Australia, Vice President
Jose Angel Pena Ibarra, CGEIT, Consultoria en Comunicaciones e Info. SA & CV, Mexico, Vice President
Robert E. Stroud, CA Inc., USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young (retired), USA, Vice President
Frank Yam, CISA, CIA, CCP, CFE, CFSA, FFA, FHKCS, FHKIoD, Focus Strategic Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young, USA, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Director
Tony Hayes, Queensland Government, Australia, Director
Jo Stewart-Rattray, CISA, CISM, CSEPS, RSM Bird Cameron, Australia, Director

Model Curriculum Task Force
Faisal Akkawi, PhD, Northwestern University, USA
George Ataya, CISA, CISM, CGEIT, CISSP, Solvay Business School, Belgium
Manuel Ballester, Ph.D., CISA, CISM, CGEIT, IEEE, University Deusto, Spain
Lizzie Coles-Kemp, University of London, Royal Holloway, UK
Jean-Pierre Fortier, Universite Laval, Canada
M. Hossein Heydari, Ph.D., James Madison University, USA
John Nugent, CISM, CPA, DBA, FCPA, University of Dallas, USA
Andrew Wasser, Carnegie Mellon University, USA

Security Management Committee
Jo Stewart-Rattray, CISA, CISM, CSEPS, RSM Bird Cameron, Australia, Chair
Manuel Aceves, CISA, CISM, CISSP, Cerberian Consulting, Mexico
Kent Anderson, CISM, Encurve LLC, USA
Emil D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA
Yves Le Roux, CISM, CA Inc., France
Mark Lobel, CISA, CISM, CISSP, PricewaterhouseCoopers LLP, USA
Kyeong-Hee Oh, CISA, CISM, Fullbitsoft, Korea
Vernon Richard Poole, CISM, CGEIT, Sapphire Technologies Ltd., UK
Rolf von Roessing, CISA, CISM, CGEIT, KPMG Germany, Germany


Table of Contents

1. Background 5

2. Development of the ISACA® Model Curriculum for Information Security Management 8

3. Use of the ISACA® Model Curriculum for Information Security Management 11

4. ISACA® Model Curriculum for Information Security Management 13

Appendix 1—Suggested Supplemental Skills for Information Security Managers 16

Appendix 2—Alignment Grid for the ISACA® Model Curriculum for Information Security Management 17

Appendix 3—References 22


1. Background

ISACA History

The evolution of information technology affects the business environment in many significant ways. It has changed business practices, reduced costs and altered the ways in which information should be controlled. In addition, it has raised the level of knowledge and skills required to protect an enterprise's information assets, and increased the need for well-educated professionals in the fields of information security, governance and risk management. This need was recognized by the 1969 founding of what is now known as ISACA.

ISACA has become the leading IT governance, assurance and security organization. The approximately 86,000 consultants, academics, security professionals, IS auditors and senior executives who make up ISACA have established 160 chapters spread among 140 countries. ISACA's Certified Information Security Manager (CISM) certification is recognized globally and has been earned by more than 10,000 professionals. In addition, ISACA publishes the ISACA Journal, a leading technical journal in the information control field, and sponsors a series of international conferences focusing on technical and managerial topics. Together, ISACA and its affiliate, the IT Governance Institute (ITGI), lead the IT governance community and serve its practitioners by providing the elements needed by IT professionals in an ever-changing worldwide environment.

Need for the Model Curriculum for Information Security Management

For a number of years, many employers have been seeking to fill positions with information security professionals who possess a substantial background in security, business and risk management. This demand is expected to grow in the future. Employers have had difficulty in locating a sufficient number of adequately prepared candidates for the available positions. The professionals who do have the requisite background have usually obtained their formal information security education in one of three manners:

• Participation in a mixture of on-the-job training and in-house programs. This method of education requires that a professional already be an employee of an enterprise, and it is most appropriate where the technology presented has been adopted and implemented by a particular enterprise. On-the-job training and in-house programs are well suited to provide employees with education in a well-defined and limited focus area, but are not well suited to offer a broad-based educational experience for the participants.

• Participation in workshops/seminars presented by professional enterprises or vendors. This method is available to professionals from many different enterprises and is valuable in presenting information that is new or for exploring various approaches to information security problems. In the workshop/seminar environment, a peer group can share perspectives not available from a single instructor. However, workshops/seminars are usually more expensive, take time away from the office and are typically available only to professionals who are already employed in the workforce. ISACA is well known for developing and offering high-quality workshops and seminars.

• Participation in university degree and postgraduate or certificate programs that are delivered within either a full-time or part-time student environment. These programs can lead to baccalaureate or graduate degrees or to specialized certificates or diplomas. This is the method that can provide professionals (or future professionals) with the most in-depth and broad-based educational experience. Thus, this is the method that ISACA has addressed with its model curriculum efforts.

Typically, students who desire to enter the information security profession, but who lack business experience, seek to gain the required knowledge, skills and abilities through academic/business coursework enhanced by internships. Colleges and universities worldwide are attempting to meet the growing employer demand by educating students, preparing them to enter or to assume a leadership position within the information security profession. At the undergraduate level, some academic institutions have begun to integrate information security courses into their information technology and business programs. At the graduate level, some have developed more focused information security programs. Often, however, the academic institutions have relied upon existing IT programs to prepare students for the information security profession. Unfortunately, traditional IT programs, by themselves, may be inadequate to meet the needs of both students and employers.

Information security professionals need to be able to cope with the pace of rapid business change and to keep their knowledge current. Recent events, government regulations and changes in business processes have affected the role of information security and the methodologies information security professionals use.

There has been a significant change in the responsibilities held by the information security manager. More often, traditional business functions such as compliance, risk management and privacy are being assigned to the information security manager. Therefore, the information security professional must understand not only technological requirements, but also the needs of the business. Curricula, in turn, must take into consideration not only the technological challenges, but also the improvement of oral and written communication skills.

Thus, one of the purposes of a model curriculum for information security is to focus the level of formal education offered by universities. This model is based on the needs and expectations of the information security profession and relies upon the prior research of academics, practitioners and professional associations. One objective is to identify the fundamental course components of information security management so universities can educate students for careers in the information security management field and assist students in becoming marketable in the profession. Although students may not possess actual work experience, the topics identified in the model have been selected to provide graduates with solid skills and capabilities for the profession. The model matches academic offerings with the needs of the profession and provides a framework for academic institutions and professional associations in developing new courses or redesigning their existing course offerings.

ISACA recognizes that each educational institution, whether or not it is an accredited college or university, has strengths, weaknesses and constraints that it must address when developing a curriculum. As a result, each educational institution wants to capitalize on its strengths (such as the talent or interests of a particular faculty member) and minimize the effects of its weaknesses (e.g., limited faculty resources to teach particular topics) or constraints (e.g., the number of courses within a degree program that can be devoted to information security topics). Thus, it is unrealistic to expect any institution to cover all of the topics and subtopics to the levels presented in the model. Format, arrangement and content of the proposed curriculum will vary depending on university accreditation and government requirements.

Conclusion

The information security management profession continues to evolve. Universities and other educational institutions must understand the needs of the professional community to provide the market with graduates possessing the required skills and knowledge that enterprises need. The ISACA Model Curriculum for Information Security Management provides academic institutions with a basic framework of the education required to develop the skills needed to make students employable in the profession.

In the information-based business environment, business professionals who are competent in information security, or information security professionals who understand business, are in great demand. Information security managers must continually receive training to upgrade their knowledge, skills and abilities. Academic institutions with the appropriate curriculum can generate employable candidates who will be able to assume leadership positions in the information security field. An academic institution that sponsors an information security curriculum with a business focus is very desirable to those professionals wishing to change their career path or upgrade their skills for job enhancement. The ISACA Model Curriculum for Information Security Management can be viewed as a reasonably comprehensive set of topics that should be part of an ideal program for information security management. This model curriculum provides a goal for colleges and universities worldwide to strive toward in meeting the demand for educating future information security management professionals.

In addition, the model can serve both those who are interested in obtaining an information security education and interested educational institutions worldwide that are developing a curriculum in information security.


2. Development of the ISACA Model Curriculum for Information Security Management

ISACA has long recognized the importance of having model curricula to assist in the development of educational programs for aspiring IT professionals. In 2004, the ISACA Model Curriculum for Information Systems Audit and Control was updated. With an increased demand for information security professionals with a business focus, the need for a similar curriculum directed toward this group was obvious.

A global committee representing faculty and information security professionals was involved in the development of the ISACA Model Curriculum for Information Security Management, and specialists representing research, standards, education and certification interests reviewed the model. The model is based on the needs and expectations of the information security profession and the prior research of academics, practitioners, audit organizations and professional societies. The model curriculum is considered a living document, to be regularly updated.

The mission statement for the global committee, the Information Security Management Model Curriculum Task Force, was to:

• Create a model curriculum and ensure that it meets the current needs of the information security profession
• Identify course components to fulfill those needs
• Create the specific course descriptions in the model
• Ensure that the model curriculum is in alignment with the most recent CISM Review Manual, published by ISACA
• Formulate a plan to stimulate current and future interest in the ISACA Model Curriculum for Information Security Management at universities
• Create a procedure for academic institutions to have their programs reviewed by ISACA for model curriculum alignment and, when that alignment is acknowledged, to post that information to the ISACA web site
• Establish a renewal process for reevaluation of college and university programs for alignment with the ISACA model curriculum

It was decided that the best approach to the curriculum development would be to develop a model that presented topical areas to be covered in the program and allow each educational institution or environment to decide the manner in which the educational content would be delivered.

Creation of the Model

It was agreed that the CISM examination content areas could provide a framework for the model curriculum. Thus, the five CISM content areas and their subtopics were used to provide a structure to organize the components of the model curriculum. The five major content (domain) areas in the CISM examination are:

• Information security governance
• Information risk management
• Information security program development
• Information security program management
• Incident management and response

Guidance regarding the amount of educational coverage that should be devoted to each topic area included in the model curriculum needed to be clear enough that users of the model could benefit from the work of the task force, but not so restrictive that faculty members would be constrained in the development or teaching of their courses or in the development of the overall curriculum of a program. The model guidance provides, for each topic, recommended hours of contact time with the students, which is adaptable to the many different educational environments found globally. To develop these contact hour estimates, the task force decided to provide guidance only for the topics within the domain level and not to suggest contact times for every detailed subtopic. With this structure, instructors can decide to devote more time to one or more subtopics within an area and perhaps little or no time to other subtopics.

Discussions with academics and professionals from around the globe indicated that a comprehensive curriculum to train information security management professionals would often include in excess of 300 contact hours. This 300-hour estimate is representative of the time spent in seven three-credit-hour semester-system courses or about six five-credit-hour quarter-system courses. Of course, the 300 hours could be delivered in a variety of formats, including a series of eight-hour education seminars.

The Information Security Management Model Curriculum Task Force understood that institutions would likely have areas that are included in their curricula that might differ from areas included by other institutions. These differences are normal, and the ISACA Model Curriculum for Information Security Management allows time for teaching these differing topics by identifying topical coverage requiring only 244 hours of contact time (about 80 percent of the 300 hours in many programs). The additional hours in an institution's program can be focused on topics not specifically identified in the model (e.g., topics in Appendix 1, Suggested Supplemental Skills for Information Security Management) or focused on additional coverage of model topics.

An educational institution or professional enterprise can also structure its delivery system components (e.g., courses, modules) to include topics from anywhere within the model and not be limited to any predetermined component structures. To determine alignment with the model, an institution or enterprise should create a mapping of the model curriculum to the topics that are delivered within its educational delivery system components. This mapping could be as simple as providing detailed syllabi of courses taught at a college or university and noting where items from the model curriculum are covered. (An alignment grid can be found in Appendix 2—Alignment Grid for the ISACA Model Curriculum for Information Security Management.)

Although it is important for the identified topics in the model curriculum to be covered, ISACA recognizes that educational entities have institutional strengths, weaknesses and constraints that they need to address when developing a curriculum. Format, arrangement and content of the proposed curriculum will vary depending on university accreditation requirements and government requirements. For universities with a business education program in the US or internationally, use of the Association to Advance Collegiate Schools of Business (AACSB) International, Association of Collegiate Business Schools and Programs (ACBSP), European Quality Improvement System (EQUIS) or Association of MBAs (AMBA) standards is acceptable for curriculum design, since the accreditation processes are rigorous and held in high regard by many universities worldwide. Carryover of hours from those areas covered in excess of the recommended number of hours in the model to other areas will be considered by ISACA during the evaluation of the alignment mapping to the model curriculum.

The model curriculum is designed to prepare an individual to pursue a degree with a focus on information security within the scope of a typical program. Typical undergraduate or graduate degree programs of this kind include programs in business, information security and risk management. The topics in the model curriculum are designed to provide professional skills and capabilities. (See Appendix 1—Suggested Supplemental Skills for Information Security Management.)


3. Use of the ISACA Model Curriculum for Information Security Management

Alignment with the ISACA Model Curriculum for Information Security Management entitles the program to be posted on the ISACA web site, and graduates of a compliant program qualify for one year of work experience toward the CISM certification.

The customary methods for delivering education differ greatly throughout the world. Universities in some countries do not offer graduate degree programs with established sets of courses as their primary means of advanced education. In some areas, universities offer weekend programs that lead to certificates that are recognized and valued in the professional workplace of those countries.

The ISACA Model Curriculum for Information Security Management covers topics proposed by a wide range of ISACA members with expertise in information security, governance and risk management. The topics and subtopics selected for inclusion in the model have been deemed important for meeting the knowledge expectations for a recent college graduate seeking to fill a position in the information security management field.

The many topics and subtopics included in the model curriculum are accompanied by contact-hour estimates that provide guidance regarding the amount of educational coverage that should be devoted to each area. These estimates were determined based upon the experience and knowledge of the ISACA Model Curriculum Task Force. It is envisioned that the contact hours would typically be in some type of classroom, but the model is designed so that the contact could be accomplished through other education delivery methods, including distance learning programs. Thus, whether a course meets for concentrated periods of time over a few weekends or meets in a 10-week quarter or a 14- to 16-week semester, it should be relatively easy to determine the contact time spent discussing a topic area.

The contact hour guidance is provided only at the topic levels within the domains, not for every detailed subtopic. With this structure, faculty members from any university or educational setting around the world can decide to devote more time to one or more subtopics within an area and perhaps little or no time to other subtopics. The educational institution could also structure its delivery system components (e.g., courses, modules) to include topics from anywhere within the model and not be limited to any predetermined component structures.

As discussed previously in this document, the topics and subtopics are organized according to the major domains for the CISM examination. Detailed descriptions of the topics and subtopics are included in the indicated figures that appear in chapter 4, ISACA Model Curriculum for Information Security Management.

The information security governance domain is divided into two topic areas, each with six to eight different subtopics. The topics cover the subject matter of information security governance as well as the development of an information security strategy. Detailed descriptions of the topics and the subtopics are listed in figure 1.


The information risk management domain is divided into two topic areas that have from five to seven subtopics each. This domain focuses on the management and assessment of risk in an enterprise. Detailed descriptions of the topics and the subtopics are listed in figure 2.

The information security program development domain includes 11 subtopics categorized under one topic. It includes information regarding the development of a formal security program, including information security management responsibilities, the importance of obtaining senior management's commitment to the program, defining the program and implementing the program. Detailed descriptions of the topics and subtopics are listed in figure 3.

The information security program management domain includes three topic areas with two to four subtopics each. The domain includes subject matter such as policies, outcomes of effective management and measuring the information security program. Detailed descriptions of these topics and the subtopics are listed in figure 4.

Figure 5 provides the topics and subtopics for the incident management and response domain. To determine alignment with the model, the educational institution should create a map of where the model curriculum topics are delivered within its educational delivery system components.

The mapping process steps are detailed in figure 6 in Appendix 2—Alignment Grid for the ISACA Model Curriculum for Information Security Management, which provides a form to map an academic program to the model curriculum.
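The mapping and carryover check described in this chapter and in chapter 2, as an added worked example (this is not code from the ISACA publication or from its alignment form). The recommended hours per topic are the topic totals from figures 1 through 5. The course codes and the course-to-topic hour mapping are constructed for illustration only. The carryover rule is an assumption: the publication says only that ISACA will consider carrying excess hours from one area to other areas, so the check below treats the total surplus as a pool that may offset the total shortfall.

```python
"""Alignment-mapping coverage check for the ISACA model curriculum.

Added example; not code from the ISACA publication. The recommended
hours per topic are the topic totals from figures 1 through 5. The
course-to-topic mapping below is constructed for illustration and does
not describe any real program.
"""
from collections import defaultdict

# Recommended contact hours per topic, keyed by (domain, topic).
# Values are the "Hours" column of figures 1 through 5 (244 in total).
MODEL_HOURS = {
    ("Information security governance", "Security governance"): 22,
    ("Information security governance", "Information security strategy"): 30,
    ("Information risk management", "Risk management"): 24,
    ("Information risk management", "Risk assessment"): 30,
    ("Information security program development", "Program development"): 44,
    ("Information security program management",
     "Information security management overview"): 11,
    ("Information security program management",
     "Measuring information security program management"): 24,
    ("Information security program management",
     "Implementing information security management"): 23,
    ("Incident management and response",
     "Incident management and response overview"): 12,
    ("Incident management and response",
     "Defining incident management procedures"): 12,
    ("Incident management and response",
     "Developing an incident response plan"): 12,
}

# Constructed sample mapping: (course, model topic, contact hours on that
# topic), as an institution would fill it in from its syllabi. Course codes
# are hypothetical.
SAMPLE_MAPPING = [
    ("SEC 501", "Security governance", 24),
    ("SEC 501", "Information security strategy", 28),
    ("SEC 510", "Risk management", 24),
    ("SEC 510", "Risk assessment", 30),
    ("SEC 520", "Program development", 44),
    ("SEC 530", "Information security management overview", 11),
    ("SEC 530", "Measuring information security program management", 24),
    ("SEC 530", "Implementing information security management", 23),
    ("SEC 540", "Incident management and response overview", 12),
    ("SEC 540", "Defining incident management procedures", 10),
    ("SEC 540", "Developing an incident response plan", 14),
]


def hours_by_topic(mapping, model=MODEL_HOURS):
    """Sum mapped contact hours per model topic, rejecting unknown topics."""
    known = {topic for _domain, topic in model}
    totals = defaultdict(int)
    for course, topic, hours in mapping:
        if topic not in known:
            raise ValueError(f"{course}: '{topic}' is not a model topic")
        if hours < 0:
            raise ValueError(f"{course}: negative hours for '{topic}'")
        totals[topic] += hours
    return dict(totals)


def check_alignment(mapping, model=MODEL_HOURS):
    """Compare mapped hours with the model's recommended hours per topic.

    'strict_alignment' requires every topic to reach its recommended hours.
    The publication only says that carryover of excess hours to other areas
    'will be considered' by ISACA, without defining the rule; the
    'aligned_with_carryover' result ASSUMES the simplest reading, that the
    total surplus across topics may offset the total shortfall.
    """
    delivered = hours_by_topic(mapping, model)
    shortfall, surplus = {}, {}
    for (_domain, topic), recommended in model.items():
        got = delivered.get(topic, 0)
        if got < recommended:
            shortfall[topic] = recommended - got
        elif got > recommended:
            surplus[topic] = got - recommended
    pool, need = sum(surplus.values()), sum(shortfall.values())
    return {
        "delivered_total": sum(delivered.values()),
        "model_total": sum(model.values()),
        "shortfall": shortfall,
        "surplus": surplus,
        "strict_alignment": not shortfall,
        "aligned_with_carryover": pool >= need,
        "uncovered_after_carryover": max(0, need - pool),
    }


def grid_rows(mapping, model=MODEL_HOURS):
    """Render the mapping as plain-text alignment-grid rows, one per topic."""
    delivered = hours_by_topic(mapping, model)
    rows = []
    for (domain, topic), recommended in model.items():
        courses = sorted({c for c, t, _h in mapping if t == topic})
        rows.append(f"{domain} | {topic} | {recommended} | "
                    f"{delivered.get(topic, 0)} | {', '.join(courses) or '-'}")
    return rows


if __name__ == "__main__":
    print("domain | topic | recommended | delivered | courses")
    for row in grid_rows(SAMPLE_MAPPING):
        print(row)
    result = check_alignment(SAMPLE_MAPPING)
    print(f"delivered {result['delivered_total']} of {result['model_total']} hours")
    print("strict alignment:", result["strict_alignment"])
    print("aligned with carryover:", result["aligned_with_carryover"],
          "shortfall", result["shortfall"], "surplus", result["surplus"])
```

To use this with a real program, replace SAMPLE_MAPPING with one row per course-and-topic pair taken from the syllabus review. The strict result names the topics that still need hours; the carryover result only says whether excess hours elsewhere would cover them under the assumed pooling, which ISACA may or may not accept. In the constructed sample the program delivers exactly 244 hours, yet two topics fall short by two hours each, so it fails the strict check and passes only with carryover.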


4. ISACA Model Curriculum for Information Security Management

The topics covered by the model are grouped into five content domains. These domains are broken into major topic areas, and subtopics are provided within each topic area, along with the number of contact hours needed to adequately cover the topic (see figures 1 through 5).

Figure 1—Information Security Governance Domain

Topic: Security governance (22 hours)
Subtopics:
• Effective information security governance
• Roles and responsibilities of senior management
• Information security concepts (e.g., confidentiality, integrity and availability [CIA] model, borders and trust, encryption, trusted systems, certifications, defense by diversity, depth, obscurity, least privilege, life cycle management, technologies)
• Information security manager (responsibilities, senior management commitment, reporting structures)
• Scope and charter of information security governance (laws, regulations, policies, assurance process integration, convergence)
• Information security metrics

Topic: Information security strategy (30 hours)
Subtopics:
• Views of strategy
• Developing an information security strategy aligned to business strategy
• Information security strategy objectives
• Architectures and frameworks (Control Objectives for Information and related Technology [COBIT], ISO 27002)
• Determining current state of security
• Strategy resources (e.g., policies, standards, controls, education, personnel)
• Strategy constraints (e.g., regulatory, culture, costs, resources)
• Action plan for strategy

Total hours: 52

Figure 2—Information Risk Management

Topic: Risk management (24 hours)
Subtopics:
• Overview of risk management
• Risk management strategy
• Effective information security risk management
• Information security risk management concepts (e.g., threats, vulnerabilities, risks, attacks, business continuity plan [BCP]/disaster recovery [DR], service level agreement [SLA], governance) and technologies (e.g., authentication, access controls, nonrepudiation, environmental controls, availability/reliability management)
• Implementing risk management

Topic: Risk assessment (30 hours)
Subtopics:
• Risk assessment (e.g., methodologies, options on handling risk)
• Controls and countermeasures
• Information resource valuation
• Recovery time objectives
• Integration with life cycle processes
• IT control baselines
• Risk monitoring and communication

Total hours: 54


Figure 3—Information Security Program Development

Topic: Program development (44 hours)
Subtopics:
• Effective information security program development
• Information security manager (roles, responsibilities, obtaining senior management commitment)
• Scope and charter of information security program development (assurance function integration, challenges in development)
• Information security program development objectives (goal, objectives, outcomes, risks, testing, standards, updating)
• Defining an information security program development road map
• Information security program resources (e.g., documentation, controls, architecture, personnel, change processes)
• Implementing an information security program (e.g., policies, training and awareness, controls)
• Information infrastructure, architecture, laws, regulations and standards
• Physical and environmental controls
• Information security program integration
• Information security program development metrics (e.g., strategic alignment, value delivery, resource management, performance)

Total hours: 44

Figure 4—Information Security Program Management

Topic: Information security management overview (11 hours)
Subtopics:
• Importance and outcomes of effective security management
• Organizational and individual roles and responsibilities
• Information security management framework

Topic: Measuring information security program management (24 hours)
Subtopics:
• Measuring information security management performance
• Common information security management challenges
• Determining the state of information security management
• Information security management resources

Topic: Implementing information security management (23 hours)
Subtopics:
• Information security management considerations
• Implementing information security management (e.g., action plans, policies, service providers, assessments)

Total hours: 58


Figure 5—Incident Management and Response Domain

Topic: Incident management and response overview (12 hours)
Subtopics:
• Incident management and response
• Incident management concepts
• Scope and charter of incident management
• Information security manager
• Incident management objectives
• Incident management metrics and indicators

Topic: Defining incident management procedures (12 hours)
Subtopics:
• Defining incident management procedures
• Incident management resources
• Current state of incident response capability

Topic: Developing an incident response plan (12 hours)
Subtopics:
• Elements of an incident response plan (gap analysis)
• Developing response and recovery plans
• Testing response and recovery plans
• Executing response and recovery plans
• Documenting events
• Postincident reviews

Total hours: 36

Grand total: 244 hours (total hours for figures 1 through 5)


Appendix 1—Suggested Supplemental Skills for Information Security Management

The following competencies are not required components of the ISACA Model Curriculum for Information Security Management but are important skills for information security managers.

IT Security
These are skills that are technical in nature and may include topics such as penetration testing, continuous monitoring and security architecture.

Enterprise Risk Management
Topics to be discussed may include organizational risk and the convergence of physical and information security.

Regulation, Standards and Frameworks
Topics to be covered may include international and regional legislation, standards and frameworks, such as the US Sarbanes-Oxley Act, Japan's Financial Instruments and Exchange Law (J-SOX), the US Gramm-Leach-Bliley Act, the European Union Directive on Data Protection, International Organization for Standardization/International Electrotechnical Commission 27001 and 27002 (ISO/IEC 27001/27002), the US National Institute of Standards and Technology (NIST), ITGI's COBIT, etc.

Managerial Communications and/or Public Speaking
These are communication skills that are employed when discussing security program metrics and program recommendations.

Interviewing Skills
This includes the effective gathering of information when interviewing management and completing control questionnaires.

Negotiation Skills and/or Personal Selling
These are needed to convince management to implement recommendations for positive change.

Business Writing
This is useful for producing understandable and usable reports and other written communications.

Industrial Psychology and/or Behavioral Science
This includes the ability to understand and effectively manage human behavior and organizational culture to maximize the success of the security program.

Project Management/Time Budgeting
This includes the essential ability to manage time and tasks effectively and efficiently.

Team Building and Team Leading
This includes effectively managing team activities, with proper coordination and utilization of the knowledge and skills of individual team members, for information security.


Appendix 2—Alignment Grid for the ISACA Model Curriculum for Information Security Management

To map a program to the ISACA Model Curriculum for Information Security Management, enter the name of the course(s) or session(s) in the program that covers each topic area or subtopic description, along with the amount of time (in hours) devoted to covering the topic, in each table. If a described topic is not covered, record a 0 (zero) in the column for contact hours. To be in alignment with the model, the total time spent should be at least 244 hours, and all areas in the model curriculum should have reasonable coverage. Note: When mapping a graduate program, include the prerequisites from the undergraduate program.

Before beginning this process:
- The current course syllabi should be obtained. Current and expanded course outlines provide more detail and are better sources.
- The current textbook supporting the classes and the visual media/projects used in those classes should be accessible. For a question on content, refer to the course textbook or PowerPoint slides.
- If some of the subject matter is taught in other departments or colleges, a representative who is knowledgeable of what is taught in those classes may need to provide assistance. For this reason, an undergraduate program may take more time to map than a graduate program.
- See if a second monitor is available; the process is facilitated by looking at the model matrix on one and the syllabus/expanded course outline on the other.

The mapping process steps are listed in figure 6.

Figure 6—Mapping Process Steps
1. Identify all direct and support courses that apply to the program. Course syllabi are to contain at least the following information: school name and address, course title, course number, contact hours, faculty member names and credentials, terms offered, the purpose of the course, the objectives of the course, and the course text.
2. Make sure the current syllabi or expanded course outlines and support materials for the courses are accessible. It takes approximately 16 hours to complete the mapping if expanded course outlines are available from which information can be extracted.
3. Proceed one by one. Select the first course in the program, examine the elements and subject matter, and map to the model. Literally, proceed week by week.
4. Use key words from the ISACA template subtopics to search the syllabi to identify matches. Once a match is made, estimate the amount of time the subject was covered based on the syllabus.
5. If unsure of the content of the subject covered, go to the textbook and PowerPoint slides/materials used. Note that generic titles often cover more than what is implied.
6. Remember to allocate the time per course and identify the course covering each subject. For example, a quarter system may have 10 weeks and four contact hours per week (40 hours), but some courses may have lab or project requirements that result in more than 40 hours.
7. Map course by course, and keep track of allocation. This is easiest for those who are familiar with the program and have the information available.
8. After completing all courses, go back and double-check that the selections/placement are the best possible and seem reasonable.
9. Have a colleague check the mapping.
10. Submit the completed tables to ISACA for review by e-mail: [email protected], fax +1.847.253.1443, or mail to the attention of the Manager of Information Security Practices at ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008, USA.


If the program is found to be in alignment with the ISACA Model Curriculum for Information Security Management, the program may be posted on the ISACA web site, and graduates of the program will qualify for one year of work experience toward the CISM certification. The following pages include figures 1 through 5 with blank columns added for the course and number of hours, which institutions can use to map their programs to the model curriculum.

Figure 1—Information Security Governance Domain

Topics | Hours | Subtopics | Course Covering Topic (course number, item number on syllabus, paragraph description) | Hours
Security governance | 22 | Effective information security governance | |
 | | Roles and responsibilities of senior management | |
 | | Information security concepts (e.g., confidentiality, integrity and availability [CIA] model, borders and trust, encryption, trusted systems, certifications, defense by diversity, depth, obscurity, least privilege, life cycle management, technologies) | |
 | | Information security manager (responsibilities, senior management commitment, reporting structures) | |
 | | Scope and charter of information security governance (laws, regulations, policies, assurance process integration, convergence) | |
 | | Information security metrics | |
Information security strategy | 30 | Views of strategy | |
 | | Developing an information security strategy aligned to business strategy | |
 | | Information security strategy objectives | |
 | | Architectures and frameworks (COBIT, ISO 27002) | |
 | | Determining current state of security | |
 | | Strategy resources (e.g., policies, standards, controls, education, personnel) | |
 | | Strategy constraints (e.g., regulatory, culture, costs, resources) | |
 | | Action plan for strategy | |
Total Hours | 52 | | |


Figure 2—Information Risk Management

Topics | Hours | Subtopics | Course Covering Topic | Hours
Risk management | 24 | Overview of risk management | |
 | | Risk management strategy | |
 | | Effective information security risk management | |
 | | Information security risk management concepts (e.g., threats, vulnerabilities, risks, attacks, BCP/DR, SLA, governance) and technologies (e.g., authentication, access controls, nonrepudiation, environmental controls, availability/reliability management) | |
 | | Implementing risk management | |
Risk assessment | 30 | Risk assessment (e.g., risk assessment methodologies, options on handling risk) | |
 | | Controls and countermeasures | |
 | | Information resource valuation | |
 | | Recovery time objectives | |
 | | Integration with life cycle processes | |
 | | IT control baselines | |
 | | Risk monitoring and communication | |
Total Hours | 54 | | |


Figure 3—Information Security Program Development

Topics | Hours | Subtopics | Course Covering Topic | Hours
Program development | 44 | Effective information security program development | |
 | | Information security manager (roles, responsibilities, obtaining senior management commitment) | |
 | | Scope and charter of information security program development (assurance function integration, challenges in development) | |
 | | Information security program development objectives (goal, objectives, outcomes, risks, testing, standards, updating) | |
 | | Defining an information security program development road map | |
 | | Information security program resources (e.g., documentation, controls, architecture, personnel, change processes) | |
 | | Implementing an information security program (e.g., policies, training and awareness, controls) | |
 | | Information infrastructure, architecture, laws, regulations and standards | |
 | | Physical and environmental controls | |
 | | Information security program integration | |
 | | Information security program development metrics (e.g., strategic alignment, value delivery, resource management, performance) | |
Total Hours | 44 | | |


Figure 4—Information Security Program Management

Topics | Hours | Subtopics | Course Covering Topic | Hours
Information security management overview | 11 | Importance and outcomes of effective security management | |
 | | Organizational and individual roles and responsibilities | |
 | | Information security management framework | |
Measuring information security program management | 24 | Measuring information security management performance | |
 | | Common information security management challenges | |
 | | Determining the state of information security management | |
 | | Information security management resources | |
Implementing information security management | 23 | Information security management considerations | |
 | | Implementing information security management (e.g., action plans, policies, service providers, assessments) | |
Total Hours | 58 | | |

Figure 5—Incident Management and Response Domain

Topics | Hours | Subtopics | Course Covering Topic | Hours
Incident management and response overview | 12 | Incident management and response | |
 | | Incident management concepts | |
 | | Scope and charter of incident management | |
 | | Information security manager | |
 | | Incident management objectives | |
 | | Incident management metrics and indicators | |
Defining incident management procedures | 12 | Defining incident management procedures | |
 | | Incident management resources | |
Developing an incident response plan | 12 | Current state of incident response capability | |
 | | Elements of an incident response plan (gap analysis) | |
 | | Developing response and recovery plans | |
 | | Testing response and recovery plans | |
 | | Executing response and recovery plans | |
 | | Documenting events | |
 | | Postincident reviews | |
Total Hours | 36 | | |

Grand Total | 244 | Total hours for figures 1 through 5 | |


Appendix 3—References

CISM examination areas, ISACA Certification Board, USA, 2008, www.isaca.org/cism

ISACA, ISACA Model Curriculum for IS Audit and Control, USA, 2004

IT Governance Institute, COBIT 4.1, USA, 2007, www.isaca.org/cobit