Information Systems Security Management Professional (ISSMP)

Domain 1: Leadership and Business Management

1.1 Establish security’s role in organizational culture, vision and mission

1.2 Align security program with organizational governance

1.3 Define and implement information security strategies

1.4 Define and maintain security policy framework Determine applicable external standards

1.5 Manage security requirements in contracts and agreements

1.6 Manage security awareness and training programs

1.7 Define, measure and report security metrics

1.8 Prepare, obtain and administer security budget

1.9 Manage security programs

1.10 Apply product development and project management principles

Domain 2: Systems Lifecycle Management

2.1 Manage integration of security into Systems Development Life Cycle (SDLC)

2.2 Integrate new business initiatives and emerging technologies into the security architecture

2.3 Define and oversee comprehensive vulnerability management programs (e.g., vulnerability scanning, penetration testing, threat analysis)

2.4 Manage security aspects of change control

Domain 3: Risk Management

3.1 Develop and manage a risk management program

3.2 Conduct risk assessments

3.3 Manage security risks within the supply chain (e.g., supplier, vendor, third-party risk)

Domain 4: Threat Intelligence and Incident Management

4.1 Establish and maintain threat intelligence program

4.2 Establish and maintain incident handling and investigation program

Domain 5: Contingency Management

5.1 Facilitate development of contingency plans

5.2 Develop recovery strategies

5.3 Maintain contingency plan, Continuity of Operations Plan (COOP), business continuity plan (BCP) and disaster recovery plan (DRP)

5.4 Manage disaster response and recovery process

Domain 6: Law, Ethics and Security Compliance Management

6.1 Identify the impact of laws and regulations that relate to information security

6.2 Adhere to the (ISC)2 Code of Ethics as related to management issues

6.3 Validate compliance in accordance with applicable laws, regulations and industry best practices

6.4 Coordinate with auditors and regulators in support of the internal and external audit processes

6.5 Document and manage compliance exceptions