Information Risk Management

• Establish and/or maintain a process for information asset classification to ensure that measures taken to protect assets are proportional to their business value.
• Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels.
• Ensure that risk assessments, vulnerability assessments and threat analyses are conducted consistently, and at appropriate times, to identify and assess risk to the organization’s information.
• Identify, recommend or implement appropriate risk treatment/response options to manage risk to acceptable levels based on organizational risk appetite.
• Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.
• Facilitate the integration of information risk management into business and IT processes to enable a consistent and comprehensive information risk management program across the organization.
• Monitor for internal and external factors (e.g., threat landscape, cybersecurity, geopolitical, regulatory change) that may require a reassessment of risk to ensure that changes to existing or new risk scenarios are identified and managed appropriately.
• Report noncompliance and other changes in information risk to facilitate the risk management decision-making process.
• Ensure that information security risk is reported to senior management to support an understanding of the potential impact on the organizational goals and objectives.

 Information Security Incident Management

• Define (types of) information security incidents
• Establish an incident response plan
• Develop processes for timely identification of information security incidents
• Develop processes to investigate and document information security incidents
• Develop incident escalation and communication processes
• Establish teams that effectively respond to information security incidents
• Test and review the incident response plan
• Establish communication plans and processes
• Determine the root cause of IS incidents
• Align incident response plan with DRP and BCP.

Strategic Management

• Learning objectives
• Domain Task and Knowledge Statements
• Strategic Planning
• Strategic Management
• Enterprise Architecture
• Evaluating IT Investment
• PM techniques

Risk Optimization

• Overview of Risk Management
• Risk Management Frameworks, Standards, Guidelines
• Risk Assessment
• Risk Treatment
• Assessment and Evaluation of the Risk Management Program

Risk Identification

• Good Practices for Risk Management
• Components of Risk Management
• Methods for Risk Identification
• Risk Culture and Communication
• The Businesses IT Risk Structure
• Risk Principles and Concepts
• Vulnerabilities and Threats
• Assets
• Threats
• Vulnerabilities
• Vulnerability Assessment
• Pen Testing
• Probability/Likelihood
• IT Risk
• IT Risk Scenarios
• Ownership and Accountability
• Other Risk Concepts
• Risk Awareness

Risk Response

• Risk Response and Business Objectives Alignment
• Response Options
• Techniques for Analysis
• New Controls and Related Vulnerabilities
• A Risk Action Plan
• Techniques for BPR
• Design and Implementation of Controls
• Control Monitoring
• Inherent and Residual Risk
• Control Objectives Practices and Metrics
• Cryptography as a Control
• Control Design and Implementation
• Emerging Technologies and Controls
• Ownership of Controls
• Management Procedures and Documentation
• Response and Action Plan

Test Review

• Key Risk Indicators
• Test Review
• Test Registration
• Test Preparation
• Certification Maintenance