Alignment Grid for the ISACA Model Curriculum for Information Security Management

To map a program to the ISACA Model Curriculum for Information Security Management, enter in each table the name of the course(s) or session(s) in the program that cover each topic area or subtopic description, along with the amount of time (in hours) devoted to covering the topic. If a described topic is not covered, record a 0 (zero) in the column for contact hours. To be in alignment with the model, the total time spent should be at least 244 hours and all areas in the model curriculum should have reasonable coverage. Note: When mapping a graduate program, include the prerequisites from the undergraduate program.

Before beginning this process:

  • The current course syllabi should be obtained. Current and expanded course outlines provide more detail and are better sources.
  • The current textbook supporting the classes and the visual media/projects used in those classes should be accessible. For a question on content, refer to the course textbook or PowerPoint slides.
  • If some of the subject matter is taught in other departments or colleges, a representative who is knowledgeable about what is taught in those classes may need to provide assistance. For this reason, an undergraduate program may take more time to map than a graduate program.
  • See if a second monitor is available; the process is facilitated by viewing the model matrix on one and the syllabus/expanded course outline on the other.

The mapping process steps are listed in figure 6.

Figure 6—Mapping Process Steps
1 / Identify all direct and support courses that apply to the program. Course syllabi are to contain at least the following information: school name and address, course title, course number, contact hours, faculty member names and credentials, terms offered, the purpose of the course, the objectives of the course, and the course text.
2 / Make sure the current syllabi or expanded course outlines and support materials for the courses are accessible. It takes approximately 16 hours to complete the mapping, if expanded course outlines are available from which information can be extracted.
3 / Proceed one by one. Select the first course in the program, examine the elements and subject matter, and map to the model. Literally, proceed week by week.
4 / Use key words from the ISACA template subtopics to search the syllabi to identify matches. Once a match is made, estimate the amount of time the subject was covered based on the syllabus.
5 / If unsure of the content of the subject covered, go to the textbook and PowerPoint slides/materials used. Note that generic titles used often cover more than what is implied.
6 / Remember to allocate the time per course and identify the course covering each subject. For example, a quarter system may have 10 weeks and four contact hours per week (40 hours), but some courses may have lab or project requirements that may result in more than 40 hours.
7 / Map course by course, and keep track of allocation. This is easiest for those familiar with the program and who have the information available.
8 / After completing all courses, go back and double-check that the selections/placement are the best possible and seem reasonable.
9 / Have a colleague check the mapping.
10 / Submit the completed tables to ISACA for review by e-mail: , fax +1.847.253.1443 or mail to the attention of the Manager of Information Security Practices at ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008, USA.

If the program is found to be in alignment with the ISACA Model Curriculum for Information Security Management, the program may be posted on the ISACA web site and graduates of the program will qualify for one year of work experience toward the CISM certification. The following pages include figures 1 through 5 with blank columns added for the course and number of hours, which institutions can use to map their programs to the model curriculum.

Figure 1—Information Security Governance Domain
Topics / Hours / Subtopics / Course Covering Topic / Hours
Security governance / 22
  • Effective information security governance / (Course number, item number on syllabus, paragraph description)
  • Roles and responsibilities of senior management
  • Information security concepts (e.g., certified internal auditor [CIA] model, borders and trust, encryption, trusted systems, certifications, defense by diversity, depth, obscurity, least privilege, life cycle management, technologies)
  • Information security manager (responsibilities, senior management commitment, reporting structures)
  • Scope and charter of information security governance (laws, regulations, policies, assurance process integration, convergence)
  • Information security metrics
Information security strategy / 30
  • Views of strategy
  • Developing an information security strategy aligned to business strategy
  • Information security strategy objectives
  • Architectures and frameworks (COBIT, ISO 27002)
  • Determining current state of security
  • Strategy resources (e.g., policies, standards, controls, education, personnel)
  • Strategy constraints (e.g., regulatory, culture, costs, resources)
  • Action plan for strategy
Total Hours / 52

Figure 2—Information Risk Management
Topics / Hours / Subtopics / Course Covering Topic / Hours
Risk management / 24
  • Overview of risk management
  • Risk management strategy
  • Effective information security risk management
  • Information security risk management concepts (e.g., threats, vulnerabilities, risks, attacks, BCP/DR, SLA, governance) and technologies (e.g., authentication, access controls, nonrepudiation, environmental controls, availability/reliability management)
  • Implementing risk management
Risk assessment / 30
  • Risk assessment (e.g., risk assessment methodologies, options on handling risk)
  • Controls and countermeasures
  • Information resource valuation
  • Recovery time objectives
  • Integration with life cycle processes
  • IT control baselines
  • Risk monitoring and communication
Total Hours / 54

Figure 3—Information Security Program Development
Topics / Hours / Subtopics / Course Covering Topic / Hours
Program development / 44
  • Effective information security program development
  • Information security manager (roles, responsibilities, obtaining senior management commitment)
  • Scope and charter of information security program development (assurance function integration, challenges in development)
  • Information security program development objectives (goal, objectives, outcomes, risks, testing, standards, updating)
  • Defining an information security program development road map
  • Information security program resources (e.g., documentation, controls, architecture, personnel, change processes)
  • Implementing an information security program (e.g., policies, training and awareness, controls)
  • Information infrastructure, architecture, laws, regulations and standards
  • Physical and environmental controls
  • Information security program integration
  • Information security program development metrics (e.g., strategic alignment, value delivery, resource management, performance)
Total Hours / 44

Figure 4—Information Security Program Management
Topics / Hours / Subtopics / Course Covering Topic / Hours
Information security management overview / 11
  • Importance and outcomes of effective security management
  • Organizational and individual roles and responsibilities
  • Information security management framework
Measuring information security program management / 24
  • Measuring information security management performance
  • Common information security management challenges
  • Determining the state of information security management
  • Information security management resources
Implementing information security management / 23
  • Information security management considerations
  • Implementing information security management (e.g., action plans, policies, service providers, assessments)
Total Hours / 58

Figure 5—Incident Management and Response Domain
Topics / Hours / Subtopics / Course Covering Topic / Hours
Incident management and response overview / 12
  • Incident management and response
  • Incident management concepts
  • Scope and charter of incident management
  • Information security manager
  • Incident management objectives
  • Incident management metrics and indicators
Defining incident management procedures / 12
  • Defining incident management procedures
  • Incident management resources
  • Current state of incident response capability
Developing an incident response plan / 12
  • Elements of an incident response plan (gap analysis)
  • Developing response and recovery plans
  • Testing response and recovery plans
  • Executing response and recovery plans
  • Documenting events
  • Post-incident reviews
Total Hours / 36
Grand Total / 244 / Total hours for figures 1 through 5

© 2008 ISACA. All rights reserved.