BCS Foundation Certificate in Information Security Management Principles (CISMP)

Syllabus & weighting

Information Security Management Principles (10%)

• Identify definitions, meanings and use of concepts and terms across information security management.
• Explain the need for, and the benefits of information security.

Information Risk (10%)

• Gain an appreciation of risk assessment and management as it applies to information security.
• Outline the threats to and vulnerabilities of information systems.
• Describe the processes for understanding and managing risk relating to information systems.

Information Security Framework (15%)

• Explain how risk management should be implemented in an organisation.
• Interpret general principles of law, legal jurisdiction and associated topics as they affect information security management covering a broad spectrum from the security implications on compliance with legal requirements affecting business.
• Describe the number of common, established standards and procedures that directly affect information security management.

Security Lifecycle (10%)

• Demonstrate an understanding of the importance and relevance of the information lifecycle.
• Identify the following stages of the information lifecycle.
• Outline the following concepts of the design process lifecycle including essential and non-functional requirements.
• Demonstrate an understanding of the importance of appropriate technical audit and review processes, of effective change control and of configuration management.
• Explain the risks to security brought about by systems development and support.

Procedural/People Security Controls (15%)

• Explain the risks to information security involving people.
• Describe user access controls that may be used to manage those risks.
• Identify the importance of appropriate training for all those involved with information.

Technical Security Controls (25%)

• Outline the technical controls that can be used to help ensure protection from malicious software.
• Identify information security principles associated with the underlying networks and communications systems.
• Recognise the information security issues relating to value-added services that use the underlying networks and communications systems.
• Recall the information security issues relating to organisations that utilise cloud computing facilities.
• Define the following aspects of security in information systems, including operating systems, database and file management systems, network systems and applications systems and how they apply to the IT infrastructure.

Physical and Environmental Security Controls (5%)

• Outline the physical aspects of security available in multi-layered defences and explain how the environmental risks to information in terms of the need, for example, for appropriate power supplies, protection from natural risks (fire, flood, etc.) and in the everyday operations of an organisation.

Disaster Recovery and Business Continuity Management (5%)

• Describe (K1/2) the differences between and the need for business continuity and disaster recovery.

Other Technical Aspects (5%)

• Demonstrate understanding of the principles and common practices, including any legalconstraints and obligations, so they can contribute appropriately to investigations.
• Describe the role of cryptography in protecting systems and assets, including awareness of the relevant standards and practices.