Certified Information Systems Security Manager (CISSM I & II) Tutorial

Overview

The Certified Information Systems Security Manager (CISSM) certification program aims to equip professionals with the knowledge and skills to design, manage, and govern information security programs effectively. CISSM I focuses on foundational principles and management concepts, while CISSM II advances into governance, risk, and compliance integration across enterprise systems.

Module 1: Introduction to Information Security Management

Objectives

• Understand the role of information security management in organizations.
• Learn key terminology and the value of information assets.
• Define security governance and its relationship to risk management.

Topics

1. Information Security Concepts
   • Confidentiality, Integrity, Availability (CIA triad)
   • Authentication, Authorization, Accountability
   • Data classification and asset valuation
2. Organizational Security Goals
   • Aligning security with business objectives
   • Security as a business enabler
3. Security Management Functions
   • Planning, implementation, control, and evaluation
   • Metrics and performance indicators

Module 2: Governance and Risk Management

Objectives

• Establish governance frameworks for information security.
• Implement risk management methodologies.

Topics

1. Governance Frameworks
   • ISO/IEC 27001 and 27002
   • NIST SP 800 series
   • COBIT and ITIL
2. Risk Management Process
   • Risk identification, assessment, mitigation, and monitoring
   • Quantitative vs. qualitative risk assessment
3. Policy Development
   • Writing security policies and standards
   • Policy hierarchy: Policies, standards, procedures, and guidelines

Module 3: Security Program Development and Management

Objectives

• Design and implement an organization-wide information security program.
• Understand lifecycle management for security programs.

Topics

1. Security Program Design
   • Program objectives and governance structure
   • Security organization roles and responsibilities
2. Implementation and Operations
   • Budgeting and resource allocation
   • Awareness and training initiatives
3. Continuous Improvement
   • Metrics and performance measurement
   • Security program maturity models

Module 4: Incident Management and Business Continuity

Objectives

• Build and manage incident response processes.
• Integrate business continuity and disaster recovery planning.

Topics

1. Incident Response Framework
   • Identification, containment, eradication, recovery, and lessons learned
   • Communication and escalation paths
2. Forensics and Evidence Handling
   • Legal and regulatory considerations
   • Chain of custody
3. Business Continuity Management (BCM)
   • Business Impact Analysis (BIA)
   • Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

Module 5: Information Security Governance (CISSM II Focus)

Objectives

• Integrate security management into enterprise governance structures.
• Link governance to compliance and strategic management.

Topics

1. Strategic Alignment
   • Linking security initiatives to business goals
   • Measuring value and effectiveness
2. Risk and Compliance Integration
   • Legal and regulatory frameworks (GDPR, HIPAA, SOX, etc.)
   • Managing audits and compliance programs
3. Reporting and Decision Support
   • Security metrics and executive reporting
   • Board-level communication

Module 6: Advanced Risk and Control Management (CISSM II Focus)

Objectives

• Evaluate advanced risk modeling and control design.
• Integrate security controls into enterprise architecture.

Topics

1. Risk Modelling
   • Quantitative analysis using loss expectancy (SLE, ARO, ALE)
   • Scenario-based assessments
2. Control Frameworks
   • NIST 800-53, ISO 27005, and CIS Controls
   • Control design, implementation, and testing
3. Integration and Monitoring
   • Security Operations Center (SOC) role
   • Continuous monitoring and improvement

Module 7: Program Assessment and Certification Preparation

Objectives

• Review key CISSM I & II concepts.
• Prepare for certification assessment.

Topics

1. Review of Core Domains
   • Governance, Risk, Program Management, and Incident Handling
2. Study and Exam Techniques
   • Case study analysis
   • Practice question review
3. Professional Ethics and Conduct
   • Code of ethics for security managers
   • Maintaining certification and continuing education

Want to learn more? Tonex offers Certified Information Systems Security Manager (CISSM I & II), a 2-day course where participants apply ISSM responsibilities across lifecycle, authorization, and compliance oversight as well as learn map controls to NIST RMF, CNSSI 1253, DoDI 8510.01, and agency overlays.

Attendees also build risk registers, treatment plans, and POA&Ms with measurable KPIs, orchestrate audit readiness and artifacts for assessments and ATO packages, lead incident response governance and post-incident corrective actions, and elevate enterprise outcomes by strengthening cybersecurity governance impact.

This course is especially beneficial for:

• Cybersecurity Professionals
• Information System Security Managers (ISSM)
• Security Control Assessors / AO Staff
• System Owners and Program Managers
• Governance, Risk & Compliance (GRC) Leads
• Security Engineers and Architects

Additionally, Tonex offers dozens of Certification Courses in a wide variety of topics.

Tonex has worked with industry organizations and clients to insure our Certification Courses are up-to-date and provide pragmatic training knowledge to insure immediate results from your certification experience.

We offer Tonex certifications that are recognized by our clients as valuable in insuring a consistent and thorough knowledge of the subject and how to apply that knowledge.

For more information, questions, comments, contact us.