CISM: The Last Mile
$9.99
Minimum price
$14.99
Suggested price

CISM: The Last Mile

Your guide to the finish line

About the Book

This book covers every topic in the latest CISM exam syllabus, approaching topics from the ISACA perspective. It's 325+ pages organized in a format that makes it easy to drill down on specific exam domains and concepts at-a-glance, making it an essential exam resource for anyone who aims to prepare for the CISM exam without wasting time or money.

About the Author

Pete Zerger
Pete Zerger

Pete is a vCISO, cloud and cybersecurity strategist, security architect, and cyber educator, leading hundreds of thousands of users to cybersecurity certifications in more than 50 countries.

Table of Contents

    • Preface (Read this first!)
      • Legend
      • CISM vs CISSP: What’s the difference?
      • Technology Perspective of the CISM Exam
      • Industry Guidance from ISACA
      • Exam Format
      • Exam Mindset
      • CISM Exam Syllabus
      • Questions and Errata
    • Chapter 1:Domain 1A: Enterprise Governance
      • Syllabus
      • Supporting Tasks
        • Important Terms and Definitions
        • Planning Horizons
      • 1A1. Organizational Culture
        • Information Security Governance
        • Enterprise Governance vs. Information Security Governance
        • Alignment with Business Objectives
        • Security Governance Principles
        • ISACA Code of Professional Ethics
        • Importance of Information Security Governance
        • Outcomes of Information Security Governance
        • Scope and Charter of Information Security Governance
        • Relationship of Information Security, IT Security, and Cybersecurity
        • Organizational Culture
        • Acceptable Use Policy (AUP)
        • Ethics
      • 1A2. Legal, Regulatory, and Contractual Requirements
        • Compliance Requirements
        • Identifying Applicable Compliance Standards
        • Requirements for Business Record Retention
      • 1A3. Organizational Structures, Roles, and Responsibilities
        • Board of Directors
        • Senior Management
        • Chief Executive Officer (CEO)
        • Chief Information Security Officer (CISO)
        • Chief Privacy Officer (CPO)
        • Chief Risk Officer (CRO)
        • Risk Management Roles and Responsibilities
        • Security Steering Committee
        • Business Process/Asset Owners
        • Internal Audit
        • RACI Matrix
        • Keys to successful RACI implementation
    • Chapter 2:Domain 1B. Information Security Strategy
      • Syllabus
      • Supporting Tasks
      • 1B1. Information Security Strategy Development
        • Three flavors of governance
        • Information Security Strategy Development
        • Business Goals and Objectives
        • Information Security Strategy Objectives
        • Ensuring Objective and Business Integration
        • Avoiding Common Pitfalls and Bias
        • The Desired State
        • COBIT
        • Business Model for Information Security (BMIS)
        • Strategy Development
        • Elements of a Strategy
      • 1B2. Information Governance Frameworks and Standards
        • Balanced Scorecard
        • Architectural Approaches
        • Enterprise Risk Management (ERM) Frameworks
        • Information Security/Cybersecurity Management Frameworks and Models
      • 1B3. Strategic Planning
        • Workforce Composition and Skills
        • Assurance Provisions
        • Risk Assessment and Management
        • Action Plan to Implement Strategy
        • Creating SMART Goals
        • SWOT
        • Capability maturity models
        • Information Security Program Objectives
    • Chapter 3:Domain 2A: Information Security Risk Assessment
      • Syllabus
      • Supporting Tasks
        • Governance, Risk, and Compliance
        • Important terms related to risk
      • 2A1. Emerging Risk and Threat Landscape
        • Risk Identification
        • Risk Categories (Risk Types)
        • Threats
        • Defining a Risk Management Framework
        • Emerging Threats
        • Risk Likelihood and Impact
        • Risk Register
      • 2A2. Vulnerability and Control Deficiency Analysis
        • Methods for Identifying and Assessing Vulnerabilities
        • The Role of Controls and Deficiencies
        • Common Vulnerabilities
        • Key Resources and Vulnerability Categories
        • Vulnerability Management and Penetration Testing
        • Security Control Baselines
        • Events Affecting Security Baselines
      • 2A3. Risk Assessment and Analysis
        • Determining the Risk Management Context
        • Operational Risk Management
        • Risk Management Integration with IT Life Cycle Management Processes
        • Risk Scenarios
        • Understanding Risk: A Breakdown
        • Risk Assessment Process
        • Risk Assessment and Analysis Methodologies
        • Other Risk Assessment Approaches
        • Risk Analysis
        • Formulas and Methods
        • Analysis Techniques
        • Gap Analysis
        • Qualitative Analysis
        • Semi-quantitative (Hybrid) Analysis
        • Quantitative Analysis
        • Value at Risk (VaR)
        • Other Risk Analysis Methods
        • Risk Evaluation
        • Deciding on Risk Treatment Options
        • Risk Ranking
    • Chapter 4:Domain 2B: Information Security Risk Response
      • Syllabus
      • Supporting Tasks
      • 2B1. Risk Treatment/Risk Response Options
        • Determining Risk Capacity and Acceptable Risk (Risk Appetite)
        • Risk Response Options
        • Risk Acceptance Framework
        • Inherent and Residual Risk
        • Impact
        • Controls
        • Legal and Regulatory Requirements
        • Compliance as a Business Decision
        • Cost-Benefit Analysis
      • 2B2. Risk and Control Ownership
        • Risk Ownership and Accountability
        • Risk Owner
        • Control Owner
      • 2B3. Risk Monitoring and Reporting
        • Risk Monitoring
        • Key Risk Indicators (KRIs)
        • Reporting Changes in Risk
        • Risk Communication, Awareness, and Consulting
        • Documentation
    • Chapter 5:Domain 3A: Information Security Program Development
      • Syllabus
      • Supporting Tasks
      • 3A1. Information Security Program Resources
        • Information Security Program Overview
        • Information Security Management Trends
        • Essential Elements of an Information Security Program
        • Importance of the Information Security Program
        • Applying the Security Program Business Case
        • Outcomes of Information Security Program Management
        • Information Security Program Resources
        • Information Security Program Objectives
        • Information Security Program Concepts
        • Scope and Charter of an Information Security Program
        • Common Information Security Program Challenges
        • Common Information Security Program Constraints
        • Defining an Information Security Program Roadmap
        • Create a Program Roadmap Using Frameworks and Architectures
        • Developing an Information Security Program Roadmap
        • Benefits
        • Life Cycle Principles Supporting the Roadmap
      • 3A2. Information Asset Identification and Classification
        • The Information Lifecycle
        • Information Asset Identification and Classification
        • Information Asset Identification and Valuation
        • Information Asset Valuation Strategies
        • Integrating Asset Classification with Risk Structures
        • Data Protection Technologies
        • Determine Criticality of Assets, Impact of Adverse Events
      • 3A3. Industry Standards and Frameworks for Information Security
        • Framework Types
        • Enterprise Information Security Architectures
        • Information Security Management Frameworks
        • Information Security Framework Components
        • Technical Components
        • Operational Components
        • Management Components
        • Administrative Components
        • Educational and Informational Components
      • 3A4. Information Security Policies, Procedures, and Guidelines
        • Security Policy
        • Security Standard
        • Security Procedure
        • Security Guideline
      • 3A5. Information Security Program Metrics
        • Effective Security Metrics
        • Security Program Metrics and Monitoring
        • Metrics Tailored to Enterprise Needs
    • Chapter 6:Domain 3B: Information Security Program Management
      • Syllabus
      • Supporting Tasks
      • 3B1. Information Security Control Design and Selection
        • People, Process, Technology
        • Managing Risk Through Controls
        • Control Design Considerations
        • Foundational Technologies
      • 3B2. Information Security Control Implementation and Integration
        • Control Categories
        • Baseline Controls
        • Integration of the Security Program with IT Operations
        • Personnel, Roles, Skills, and Culture
        • Information Security Liaison Responsibilities
        • Cross-Organizational Responsibilities
        • Issue Resolution Through the Information Security Program
        • Integration with IT Processes
        • Public Cloud
        • Network Security
      • 3B3. Information Security Control Testing and Evaluation
        • Control Strength
        • Control Recommendations
        • Control Testing and Modification
      • 3B4. Information Security Awareness and Training
        • Security Awareness Training and Education
        • Developing an Information Security Awareness Program
        • Role-Based Training
        • Training and Education Metrics
      • 3B5. Management of External Services
        • Governance of Third-Party Relationships
        • Third-Party Service Providers
        • Outsourcing Challenges
        • Outsourcing Contracts
        • Third-Party Access
      • 3B6. Information Security Program Communications and Reporting
        • Program Management Evaluation
        • The Plan-Do-Check-Act (PDCA) Cycle
        • Security Reviews and Audits
        • Compliance Monitoring and Enforcement
        • Monitoring Approaches
        • Measuring Information Security Management Performance
        • Ongoing Monitoring and Communication
    • Chapter 7:Domain 4A: Incident Management Readiness
      • Syllabus
      • Supporting Tasks
      • 4A1. Incident Response Plan
        • The Relationship Between Incident Management and Incident Response
        • Goals of Incident Management and Incident Response
        • Incident Handling and the Incident Management Life Cycle
        • Incident Management vs Incident Response
        • Incident Management and Incident Response Plans
        • Importance of Incident Management
        • Outcomes of Incident Management
        • Incident Management Resources
        • Policies and Standards
        • Incident Management Objectives
        • Strategic Alignment
        • Response and Recovery Plan
        • The Role of the Information Security Manager in Incident Management
        • Risk Management
        • Assurance Process Integration
        • Value Delivery
        • Resource Management
        • Defining Incident Management Procedures
        • Plan of Action for Incident Management
        • Current State of Incident Response Capability
        • Incident Response Life Cycle
        • Incident Management and Response Teams
        • Organizing, Training, and Equipping the Response Staff
        • Incident Notification Process
        • Challenges in Developing an Incident Management Plan
      • 4A2. Business Impact Analysis (BIA)
        • The Three Primary Goals of a BIA
        • Key Considerations in a BIA
        • Elements of a Business Impact Analysis
        • Typical BIA Information Collected
        • Benefits of Conducting a Business Impact Analysis
      • 4A3. Business Continuity Plan (BCP)
        • Integrating Incident Response with Business Continuity
        • Methods for Providing Continuity of Network Services
        • High-Availability Considerations
        • Insurance
        • Cyber Insurance
      • 4A4. Disaster Recovery Plan (DRP)
        • Business Continuity and Disaster Recovery Procedures
        • Recovery Operations
        • Evaluating Recovery Strategies
        • Addressing Threats
        • Recovery site strategies
        • Types of recovery sites
        • Basis for Recovery Site Selections
        • Response and Recovery Strategy Implementation
      • 4A5. Incident Classification/Categorization
        • Escalation Process for Effective Incident Management
        • Help/Service Desk Processes for Identifying Security Incidents
      • 4A6. Incident Management Training, Testing, and Evaluation
        • Incident Management Metrics and Indicators
        • Performance Measurement
        • Updating Recovery Plans
        • Testing Incident Response and BC/DR Recovery Plans
        • Periodic Testing of the Response and Recovery Plans
        • Testing for Infrastructure and Critical Business Applications
        • Types of Tests
        • Test Results
        • Recovery Test Metrics
        • Incident Management Metrics and Indicators
        • Updating Recovery Plans
    • Chapter 8:DOMAIN 4B: Incident Management Operations
      • Syllabus
      • Supporting Tasks
      • 4B1. Incident Management Tools and Techniques
        • Incident Management Systems
        • Incident Response Technology Foundations
        • Personnel (IRT Structure)
        • Skills
        • Awareness and Education
        • Audits
        • Outsourced Security Providers
      • 4B2. Incident Investigation and Evaluation
        • Executing Response and Recovery Plans
        • Foundational Concepts
      • 4B3. Incident Containment Methods
        • Decision to Initiate Containment
      • 4B4. Incident Response Communications (e.g., reporting, notification, escalation)
        • Notification Requirements
        • Communication Networks
      • 4B5. Incident Eradication and Recovery
        • Eradication Phase
        • Recovery Phase
      • 4B6. Post-Incident Review Practices
        • Identifying Causes and Corrective Actions
        • Documenting Events
        • Establishing Legal Procedures to Assist in Post-Incident Activities
        • Requirements for Evidence
        • Legal Aspects of Forensic Evidence
      • What’s Next?
    • Appendix A - Glossary (ISACA CISM Official)
        • 1. Governance and Management
        • 2. Risk Management
        • 3. Security Program and Controls
        • 4. Incident Management and Recovery
        • 5. Technical Security Mechanisms
        • 6. Network and Infrastructure Security
        • 7. Threats and Vulnerabilities
        • 8. Data and Asset Management
    • Appendix B - Acronyms (ISACA CISM Official)
    • Appendix C - Frameworks Reference

The Leanpub 60 Day 100% Happiness Guarantee

Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

Now, this is technically risky for us, since you'll have the book or course files either way. But we're so confident in our products and services, and in our authors and readers, that we're happy to offer a full money back guarantee for everything we sell.

You can only find out how good something is by trying it, and because of our 100% money back guarantee there's literally no risk to do so!

So, there's no reason not to click the Add to Cart button, is there?

See full terms...

Earn $8 on a $10 Purchase, and $16 on a $20 Purchase

We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.

(Yes, some authors have already earned much more than that on Leanpub.)

In fact, authors have earnedover $14 millionwriting, publishing and selling on Leanpub.

Learn more about writing on Leanpub

Free Updates. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

You can use Leanpub to easily write, publish and sell in-progress and completed ebooks and online courses!

Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks.

Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. (Or, if you are producing your ebook your own way, you can even upload your own PDF and/or EPUB files and then publish with one click!) It really is that easy.

Learn more about writing on Leanpub

Publish Early, Publish Often

  • Path
  • There are many paths, but the one you're on right now on Leanpub is...
  • › Cismlastmile

*   *   *

Leanpub is copyright © 2010-2025 Ruboss Technology Corp.
All rights reserved.

This site is protected by reCAPTCHA
and the Google Privacy Policy and Terms of Service apply.