Information Security Management Expert Based On ISO/IEC 27002
1. Overview
2. Exam requirements
3. List of basic concepts
4. Literature
Module name
Information Security Management Expert based on ISO/IEC 27002 (ISMES.EN)
Summary
Information security is becoming increasingly important. Globalization of the
economy leads to a growing exchange of information between organizations (their
employees, customers and suppliers) and a growing use of networks, such as the
internal company network, connections with the networks of other companies and
the Internet.
Other relevant trends include:
(international) standards and certification in the field of information security
continuing computerization of (IT) management
development of automated security tools
remote control
outsourcing of management tasks
compliance
Furthermore, activities of many companies now rely on IT, and information has
become a valuable asset. Protection of information is crucial for the continuity and
proper functioning of the organization: information must be reliable.
The international standard ISO/IEC 27002:2013, the Code of Practice for Information
Security, structures the organization of information security. For that reason, it is
an important point of departure for this module.
In the Information Security modules, the definition used by the Dutch platform of
information security professionals is applied: Information Security deals with the
definition, implementation, maintenance, compliance and evaluation of a coherent
set of measures which safeguard the availability, integrity and confidentiality of the
(manual and automated) information supply.
The module Information Security Management Expert based on ISO/IEC 27002
(ISMES.EN) tests specialized knowledge, understanding and skills in structuring,
maintaining and optimizing the security of information within an organization.
Context
The ISMES module is the continuation of Information Security Foundation based on
ISO/IEC 27002 (ISFS.EN) and Information Security Management Advanced based
on ISO/IEC 27002 (ISMAS.EN).
Note: the S in the module code stands for "based on the standard".
Target group
IT professionals responsible for the partial or overall set-up and development of
structural information security, such as the Chief Information Security Officer (CISO),
the Information Security Manager (ISM) or the Business Information Security
Architect (BISA).
Examination type
The Information Security Management Expert exam contains two parts:
1. The written part, a practical project
In the chapter on the structure of the exam, the procedure for the practical project
is outlined.
2. The oral examination
In the chapter on the structure of the exam, the procedure of the oral exam is
outlined.
The written part has to be successfully completed before the oral exam can be
taken.
The language for all parts of the exam is English. The candidate can make use of
translators and translations.
Practical assignments
Not applicable.
Examination details
Number of questions: not applicable
Pass mark: 55%
Open book/notes: PowerPoint presentation
Electronic equipment permitted: yes, for the PowerPoint presentation
Sample questions
To prepare for your examination you can order the Guide for candidates at
http://www.exin.com.
Contact hours
The training can consist of a course of several days, complemented with coaching or
can consist of only coaching. The number of contact hours depends on how much
coaching the participant needs in order to be ready for the exam.
Procedure
A documented procedure for the ISMES training could be:
Intake
Filing
Assessment of prerequisites (certificates, experience)
Analysis of gaps between current level and required competencies and
deliverables for ISMES
Services offered to fill the gaps (for example training, coaching, project
paper evaluation, peer interaction). The services can be composed according
to the individual's needs
Design individual training plan
Exam registration at EXIN
Exam preparation (i.e. practising the oral exam, individually or in a peer group)
Evaluation
Training provider
A list of accredited training providers may be found on EXIN’s website
http://www.exin.com.
The exam requirements are specified in the exam specifications. The following table
lists the topics of the module (exam requirements). The weight of the different topics in
the exam is expressed as a percentage of the total.
Exam matrix
The exam matrix specifies the number and weight of the questions in the oral exam,
based on the exam requirements and specifications.
Exam requirement                          Weight (%)
1   Organization                          20
    1.1 Risk management
    1.2 Roles
    1.3 Reporting
2   Policy                                10
    2.1 Establish policy
    2.2 Promote policy
3   Risk analysis                         10
    3.1 Conduct analysis
    3.2 Analyze
4   Organizational change                 40
    4.1 Plan
    4.2 Awareness
    4.3 Interventions
5   Standards                             10
    5.1 Choose standards
    Total                                 100
Justification of choices
At the mastery level, there is no need to provide details on the underlying
specifications for the breakup of the curriculum questions.
The number of questions per exam depends on what the candidate has
presented and answered during the oral exam. During the exam, the examiners
determine which specifications warrant further questioning and, in doing so, weigh
the significance of each area carefully.
Exam specifications
1.1 The candidate can substantiate the risk management process in relationship
with the ISMS.
Within a particular organization, in a specific situation, the candidate can:
1.1.1 pinpoint the importance and the consequences of various ISMS
activities for the organization;
1.1.2 define the scope of the ISMS in terms of the characteristics of the
business activities, the organization, the location, assets and
technology;
1.1.3 describe the importance of the ISMS in a convincing way.
1.3 The candidate can set up and use a reporting system for the management.
Within a particular organization, in a specific situation, the candidate can:
1.3.1 review the ISMS for suitability and effectiveness;
1.3.2 define opportunities for improvement.
2.1 The candidate can participate in the process of establishing the information
security policy.
Within a particular organization, in a specific situation, the candidate can:
2.1.1 indicate what steps need to be taken to establish an information
security policy.
2.2 The candidate can formulate, present and promote an information security policy.
Within a particular organization, in a specific situation, the candidate can:
2.2.1 formulate an information security policy, while taking into account the
goals of the organization, the legal framework and the organizational
and technical options;
2.2.2 present and promote the established information security policy;
2.2.3 ensure acceptance of the consequences at the management level.
3.1 Based on an understanding of various risk analysis methods, the candidate can
conduct a risk analysis or guide the execution of a risk analysis.
Within a particular organization, in a specific situation, the candidate can:
3.1.1 apply the risk analysis method of choice;
3.1.2 clarify various steps of the risk analysis.
3.2 The candidate can analyze the results of the risk analysis.
Within a particular organization, in a specific situation, the candidate can:
3.2.1 evaluate the various intermediate results of the risk analysis;
3.2.2 evaluate the relationship between intermediate results from the risk
analysis for consistency;
3.2.3 evaluate the end result of the risk analysis based on usefulness and
comprehensiveness.
4.1 In a certain situation, the candidate is able to come up with or adapt a plan for
change.
Within a particular organization, in a specific situation, the candidate can:
4.1.1 evaluate the developmental level (level of growth) of the ISMS;
4.1.2 name the characteristics of the organizational culture as well as the
opportunities and limitations for the development of the ISMS;
4.1.3 define a strategy for change and formulate the intended results.
5.1 In a particular situation, the candidate can choose and use relevant standards.
Within a particular organization, in a specific situation, the candidate can:
5.1.1 indicate what the consequences are when choosing a particular
standard;
5.1.2 guide the process of using a particular standard;
5.1.3 evaluate and maintain the implemented framework of norms or a
baseline construction.
Examination design
The exam for the module Information Security Management Expert based on ISO/IEC
27002 (ISMES.EN) is divided into two parts:
1. the candidate’s practical project
2. the oral exam
About eight weeks prior to the proposed date for the oral exam, three copies of this
project have to be sent to EXIN.
The candidate is expected to include and send a management summary of the project.
The criteria for the summary can be found in the Guide.
The candidate also has to include a short resume with the project, showing that he or
she has had at least 2 years of work experience at the management level in the
areas of at least 2 examination requirements.
The trainer will add an account of the relation between the selected topic and the
examination requirement.
The content of the practical project has to be related to the professional context of the
candidate. The heart of the project could consist of one (of the aforementioned)
documents, provided that the candidate is the author or co-author who has had a clear
say in the contents of the document. In that case it should at least be supplemented
by an introductory and a final chapter, making clear what the level of involvement of
the candidate has been.
Ideally, the entire practical project should be written for ISMES; for example, as the
logical continuation of an ongoing project, or because of the needs of the organization
the candidate works for. The aforementioned guidelines for an introductory and final
chapter also apply.
There are criteria for every one of the aforementioned types of projects. These are
listed in detail in a candidate’s Guide.
It is highly recommended that the candidate sends a plan for the project paper to EXIN
in an early stage in order to have the minimum requirements checked.
When a candidate is not able to write a practical paper based on his or her work
environment, the candidate can write a paper based on the case study. This decision
is taken by the trainer together with the candidate. The case study is available in the
ISMES Guide. Should the candidate choose to use the case study, he or she needs to
make clear what kind of personal experience was used, what relevant
similarities and differences there are with his or her own professional work context,
what he or she has learned from the case study that is relevant to his or her own
professional environment, and so on.
The project is evaluated by two EXIN examiners. Criteria have been developed for the
aforementioned ISMES sections, and a project needs to meet those criteria. Apart from
the contents, the layout and motivation of the project will also be evaluated (including
correct use of language and style).
After the evaluation, EXIN will send project feedback to the trainer.
Oral exam
The candidate only has access to the oral exam when his or her practical project has
received a satisfactory rating (55% or more).
Final result
Immediately following the exam, the examiners will reach mutual agreement and will
come to a final conclusion, resulting in a final mark. This takes 25 minutes. After that,
the examiners notify the candidate verbally of the final mark, and they will clarify their
final decision. This takes 10 minutes. The entire exam will take a maximum total of 90
minutes.
Time frame
The entire examination session lasts a maximum of 90 minutes, including
communication of the result. The examination is structured as follows:
15 minutes (maximum) for the presentation
15 minutes for discussing the presentation
25 minutes for the examination interview about the other exam requirements
25 minutes evaluation meeting among the examiners
10 minutes for discussing the outcome with the candidate
Conclusion
The examiners evaluate the three parts of the exam based on three evaluation tools.
Once the exam is over, the examiners discuss and determine the final mark and justify
the result.
Exam literature
The literature as required by ISFS and ISMAS is expected to be common knowledge.
The following list contains reading suggestions pertaining to the examination
requirements and examination specifications.
F. FIPS 200, Minimum Security Requirements for Federal Information and Information
Systems.
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
H. ISO/IEC 27035:2011, Information technology -- Security techniques -- Information
security incident management. Switzerland: ISO/IEC, 2011.
www.iso.org
I. Carnall, C.A., Managing Change in Organizations. Financial Times/Prentice,
fourth ed., 2007. ISBN-10 0273704141, ISBN-13 9780273704140.
K. Robbins, S.P., Organizational Behavior. Prentice Hall, 13th edition, 2008.
ISBN-10 013207964X, ISBN-13 9780132079648.
L. Clinch, J., ITIL V3 and Information Security. OGC White Paper, May 2009.
http://www.best-management-practice.com/gempdf/ITILV3_and_Information_Security_White_Paper_May09.pdf
Justification of choices
At expert level, candidates are responsible for their own information needs. In order to
guide this process, suggestions for pertinent literature and articles have been included.
www.exin.com