NOTE: this learning path is currently under review and will be updated in due course. You are welcome to study it, but please bear in mind that some of the content is outdated.
Learning Path Overview
The BCS Certificate in Information Security Management Principles (CISMP) course is designed to provide you with the knowledge and skills required to manage information security, information assurance and information risk-based processes. It is aligned with the latest national information assurance frameworks (IAMM), as well as ISO/IEC 27001 and 27002, the standard and code of practice for information security.
The CISMP course follows the latest BCS syllabus and will prepare you for the BCS examination. This qualification provides you with detailed knowledge of the concepts relating to information security (confidentiality, integrity, availability, vulnerability, threats, risks and countermeasures), along with an understanding of the current legislation and regulations that affect information security management.
Although often perceived as an IT issue, information security is in fact relevant to all business units. The CISMP course is suitable for anyone who needs an understanding of information security management, and for those with an interest in information security either as a potential career or as part of their general business knowledge. This includes members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities.
The course acts as a foundation for more advanced managerial or technical qualifications and provides a thorough general understanding to enable businesses to ensure their information is protected appropriately.
Prerequisites for the Certification
There are no specific prerequisites for studying the CISMP course or for entry to the examination. However, the following knowledge would be advantageous:
- A basic knowledge of IT
- An understanding of the general principles of information technology security
- An awareness of the issues involved with security control activity
The CISMP course follows the latest BCS syllabus and covers the following areas:
- The need for information security
- Information Security Management System (ISMS) concepts and definitions
- Information risk management
- Corporate governance
- Organisational responsibilities
- Policies, standards and procedures
- Relevant ISO and IEC standards
- Information security controls
- Incident management
- The legal framework
- Data communications and networks
- Physical security
- Security auditing
- Training and awareness
- Business continuity and disaster recovery
- Security investigations and forensics
This Learning Path contains videos, quizzes and other resources for nine courses, together with the associated course Introduction and mock examination. Each course has exam quizzes for you to test your knowledge as you work through the Learning Path.
We begin with an introduction to the course and what you can expect from the videos and quizzes in this Learning Path. This introduction allows you to gain further insight into:
- What information security means
- The structure and components of each of the nine courses
- Hints and tips for getting the most out of this Learning Path
Module 1 - Information Security Management Principles
- What security means
- The core concepts and definitions used in information security
- The key business drivers and how they shape the organization’s approach to governance, risk management and compliance.
- The benefits of information security
- The role information security plays in an organization
- How an organization can make information security an integral part of its business.
Module 2 - Information Risk Management
- What risk means, how it arises and the likelihood of it impacting an organization.
- The effect big data, the Internet of Things and social media have on the risk landscape.
- Management techniques used by organizations to understand the risks they face
- Risk treatment and risk reduction methods
- The risk management lifecycle, illustrating how risks are identified, analysed, treated and monitored
- Qualitative and quantitative methods of risk analysis
- How assets can be classified to help manage risk
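The two analysis methods listed above (qualitative and quantitative) and the treatment step of the lifecycle can be shown side by side in a small worked example. The code below is an added illustration, not material from the CISMP syllabus or from BCS; the asset values, exposure factors, annual rates of occurrence and control costs are constructed for the example, and the 5x5 rating thresholds are one common convention rather than a standard.

```python
"""Worked risk-analysis example (added illustration, constructed figures).

Qualitative: rate each risk on a 5x5 likelihood x impact matrix.
Quantitative: SLE = asset value x exposure factor; ALE = SLE x ARO.
Treatment:    apply a control only if the ALE it removes exceeds its cost.
"""
from dataclasses import dataclass


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Map a likelihood/impact pair (each 1..5) to Low/Medium/High.

    Thresholds (>=15 High, >=8 Medium) are an assumed convention; real
    registers use whatever matrix the organisation's risk policy defines.
    """
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers 1..5")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: the fraction of the asset's value lost in one occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected loss per year, given the annual rate of occurrence."""
    return sle * aro


@dataclass
class Risk:
    name: str
    asset_value: float     # value at stake per occurrence (constructed)
    exposure_factor: float  # fraction lost per occurrence, 0..1
    aro: float              # expected occurrences per year
    likelihood: int         # qualitative score 1..5
    impact: int             # qualitative score 1..5


@dataclass
class Control:
    name: str
    annual_cost: float
    exposure_factor_after: float  # residual EF once the control is in place
    aro_after: float               # residual ARO once the control is in place


def evaluate_control(risk: Risk, control: Control) -> dict:
    """Compare the ALE before and after a control and recommend a treatment.

    'reduce' means the control pays for itself; otherwise the risk is
    retained for now, or a cheaper control / transfer (insurance) is sought.
    """
    ale_before = annualised_loss_expectancy(
        single_loss_expectancy(risk.asset_value, risk.exposure_factor), risk.aro)
    ale_after = annualised_loss_expectancy(
        single_loss_expectancy(risk.asset_value, control.exposure_factor_after),
        control.aro_after)
    net_benefit = ale_before - ale_after - control.annual_cost
    return {
        "risk": risk.name,
        "rating": qualitative_rating(risk.likelihood, risk.impact),
        "ale_before": round(ale_before, 2),
        "ale_after": round(ale_after, 2),
        "control": control.name,
        "net_benefit": round(net_benefit, 2),
        "treatment": "reduce" if net_benefit > 0 else "retain or seek cheaper control/transfer",
    }


def build_register() -> dict:
    """Constructed two-entry risk register with one candidate control each."""
    entries = [
        (Risk("Ransomware on file server", 500_000, 0.4, 0.5, 3, 5),
         Control("Offline backups + EDR", 30_000, 0.1, 0.5)),
        (Risk("Web shop outage (DDoS)", 80_000, 0.5, 0.1, 2, 3),
         Control("DDoS scrubbing service", 12_000, 0.05, 0.1)),
    ]
    return {r.name: evaluate_control(r, c) for r, c in entries}


if __name__ == "__main__":
    for row in build_register().values():
        print(row)
```

The register shows why the two methods complement each other: the qualitative rating is quick to obtain and good for prioritisation, while the ALE figures are what justify spending on a specific control. In the constructed data the ransomware control removes more annual loss than it costs and is recommended, whereas the scrubbing service costs more than the risk it mitigates, so that risk is retained pending a cheaper option.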
Module 3 - Information Security Framework
- Where the security function fits within the organizational structure
- The role of the Information Security Officer
- Developing information security policies, standards and procedures
- The principles of information security governance
- How to carry out a security audit
- Implementing an information assurance programme and the importance of stakeholder engagement
- The incident management process and the role of digital forensics
- The legal information security framework
- Information assurance standards and how they should be applied within an organization
Module 4 - Procedural and People Security Controls
- The people threats facing organizations and the importance of a security culture
- Practical people controls, including employment contracts, service contracts, codes of conduct and acceptable use policies
- Access controls, including authentication and authorization, passwords, tokens and biometrics
- The importance of data ownership, privacy, access points, identification and authentication mechanisms, and information classification.
- How organizations can raise security awareness and the different approaches to deliver security-related training.
Module 5 - Technical Security Controls
- The different types of malware and the impact each one can have on an organization’s computer systems
- Methods of accessing networks and how related security risks can be controlled
- The security issues related to networking services, including mobile computing, instant messaging and voice over IP
- Cloud computing deployment models and the security implications of cloud services
- The security requirements of an organization’s IT infrastructure and the documentation required to support this.
Module 6 - Software Deployment and Lifecycle
- The software development lifecycle
- The role of testing and change control in reducing security related vulnerabilities in a production system
- How the risks introduced by third-party and outsourced developments can be mitigated
- Test strategies and test approaches, including vulnerability testing, penetration testing and code analysis
- The importance of reporting, and how reports should be structured and presented to stakeholders
- The principles of auditing and the role played by digital forensics.
Module 7 - Physical Security
- Physical, technical and procedural controls, including good environment design and premises security
- Clear screen and clear desk policies
- Reducing risks when moving property
- Securely disposing of property
- Maintaining security in delivery areas
Module 8 - Business Continuity and Disaster Recovery
- The value of business continuity management to an organization
- The business continuity management process
- The impact of business disruption on an organization and how long disruption should be tolerated
- The business continuity implementation process and implementation planning
- Disaster recovery strategy and the importance of disaster recovery planning
- Different standby systems and how these relate to recovery time
- The importance of robust documentation and testing of the plan.
Module 9 - Cryptography
- What cryptography is
- How cryptography works through symmetric ciphers, hash functions, asymmetric ciphers and digital
- Key exchange and management
- Models of protection
Preparing for the Examination
The final module provides guidance on the structure, format and scoring mechanisms of the BCS Foundation Certificate in Information Security Management Principles examination and provides some hints and tips to help you succeed.
It contains a full mock examination that replicates the structure of the CISMP exam to help you prepare. Feedback is provided for each question so you can target your revision.
We welcome all feedback and suggestions - please contact us at firstname.lastname@example.org if you are unsure about where to start or if you would like help getting
Fred is a trainer and consultant specializing in cyber security. His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics. However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking. From networking it was a natural progression to IT security and cyber security more generally. As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.