BCS Certificate in Information Security Management Principles - CISMP

This content is developed in partnership with QA.
Average duration: 14h | Courses: 11 | Resources: 5 | Exams: 26


Learning Path Overview 

The BCS Certificate in Information Security Management Principles (CISMP) course is designed to provide you with the knowledge and skills required to manage information security, information assurance and information risk-based processes. It is aligned with the latest national information assurance frameworks (IAMM), as well as ISO/IEC 27002 and 27001, respectively the code of practice and the standard for information security.

The CISMP course follows the latest BCS syllabus and will prepare you for the BCS examination. This qualification provides you with detailed knowledge of the concepts relating to information security (confidentiality, integrity, availability, vulnerability, threats, risks and countermeasures), along with an understanding of current legislation and regulations which impact information security management.

Intended Audience 

Although often perceived as an IT issue, information security is in fact a subject relevant to all business units. The CISMP course is relevant to anyone requiring an understanding of information security management, as well as those with an interest in information security either as a potential career or as an additional part of their general business knowledge, including members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities.

The course acts as a foundation for more advanced managerial or technical qualifications and provides a thorough general understanding to enable businesses to ensure their information is protected appropriately.

Prerequisites of the Certifications 

There are no specific prerequisites to study the CISMP course or for entry to the examination. However, the following knowledge would be advantageous:

  • A basic knowledge of IT 
  • An understanding of the general principles of information technology security 
  • An awareness of the issues involved with security control activity 

Learning Objectives

The CISMP course follows the latest BCS syllabus and covers the following areas: 

  • The need for information security 
  • Information Security Management System (ISMS) concepts and definitions 
  • Information risk management 
  • Corporate governance 
  • Organisational responsibilities 
  • Policies, standards and procedures 
  • Relevant ISO and IEC standards 
  • Information security controls 
  • Incident management 
  • The legal framework 
  • Cryptography 
  • Data communications and networks 
  • Physical security
  • Security auditing
  • Training and awareness 
  • Business continuity and disaster recovery 
  • Security investigations and forensics 


This Learning Path contains videos, quizzes and other resources for nine courses, together with the associated course Introduction and mock examination. Each course has exam quizzes for you to test your knowledge as you work through the Learning Path. 

Course Introduction 

We begin with an introduction to the course and what you can expect from the videos and quizzes in this Learning Path. This introduction allows you to gain further insight into: 

  • What information security means 
  • The structure and components of each of the nine courses  
  • Hints and tips for getting the most out of this Learning Path

Module 1 - Information Security Management Principles

  • What security means 
  • The core concepts and definitions used in information security 
  • The key business drivers and how they shape the organization’s approach to governance, risk management and compliance
  • The benefits of information security
  • The role information security plays in an organization
  • How an organization can make information security an integral part of its business

Module 2 - Information Risk Management 

  • What risk means, how it arises and the likelihood of it impacting an organization
  • The effect big data, the Internet of Things and social media have on the risk landscape
  • Management techniques used by organizations to understand the risks they face 
  • Risk treatment and risk reduction methods 
  • The risk management lifecycle, illustrating how risks are identified, analysed, treated and monitored 
  • Qualitative and quantitative methods of risk analysis 
  • How assets can be classified to help manage risk 

Module 3 - Information Security Framework 

  • Where the security function fits within the organizational structure 
  • The role of the Information Security Officer 
  • Developing information security policies, standards and procedures 
  • The principles of information security governance 
  • How to carry out a security audit 
  • Implementing an information assurance programme and the importance of stakeholder engagement 
  • The incident management process and the role of digital forensics  
  • The legal information security framework  
  • Information assurance standards and how they should be applied within an organization 

Module 4 - Procedural and People Security Controls 

  • The people threats facing organizations and the importance of a security culture 
  • Practical people controls, including employment contracts, service contracts, codes of conduct and acceptable use policies  
  • Access controls, including authentication and authorization, passwords, tokens and biometrics 
  • The importance of data ownership, privacy, access points, identification and authentication mechanisms, and information classification
  • How organizations can raise security awareness and the different approaches to delivering security-related training

Module 5 - Technical Security Controls

  • The different types of malware and the impact each one can have on an organization’s computer systems 
  • Methods of accessing networks and how related security risks can be controlled 
  • The security issues related to networking services, including mobile computing, instant messaging and voice over IP 
  • Cloud computing deployment models and the security implications of cloud services  
  • The security requirements of an organization’s IT infrastructure and the documentation required to support this

Module 6 - Software Deployment and Lifecycle  

  • The software development lifecycle 
  • The role of testing and change control in reducing security related vulnerabilities in a production system 
  • How the risks introduced by third-party and outsourced developments can be mitigated 
  • Test strategies and test approaches, including vulnerability testing, penetration testing and code analysis 
  • The importance of reporting, and how reports should be structured and presented to stakeholders 
  • The principles of auditing and the role played by digital forensics

Module 7 - Physical Security

  • Physical, technical and procedural controls, including good environment design and premises security 
  • Clear screen and clear desk policies 
  • Reducing risks when moving property 
  • Securely disposing of property 
  • Maintaining security in delivery areas 

Module 8 - Business Continuity and Disaster Recovery

  • The value of business continuity management to an organization 
  • The business continuity management process 
  • The impact of business disruption on an organization and how long disruption should be tolerated 
  • The business continuity implementation process and implementation planning 
  • Disaster recovery strategy and the importance of disaster recovery planning 
  • Different standby systems and how these relate to recovery time 
  • The importance of robust documentation and testing of the plan

Module 9 - Cryptography 

  • What cryptography is 
  • How cryptography works through symmetric ciphers, hash functions, asymmetric ciphers and digital signatures
  • Key exchange and management 
  • Models of protection 
  • Cryptanalysis

Preparing for the Examination

The final module provides guidance on the structure, format and scoring mechanisms of the BCS Foundation Certificate in Information Security Management Principles examination and provides some hints and tips to help you succeed. 

It contains a full mock examination that replicates the structure of the CISMP exam to help you prepare. Feedback is provided for each question so you can target your revision.


We welcome all feedback and suggestions - please contact us at support@cloudacademy.com if you are unsure about where to start or if you would like help getting



Learning Path Steps


This introductory course explains what you can expect from the learning path BCS Foundation Certificate in Information Security Management Principles - CISMP.


This course introduces the core concepts and definitions used in information security and will provide you with an important foundation for the learning path.


Knowledge Check: Core Concepts


Knowledge Check: Benefits of Information Security


This course provides a strong risk management foundation by investigating what risk is and how it affects an organization.


Knowledge Check: Understanding Risk


Knowledge Check: Risk Management


This course looks at where the security function fits within the organizational structure and the role of the Information Security Officer in developing information security policies, standards, and procedures.


Knowledge Check: Organization Responsibilities


Knowledge Check: Policies, Standards, and Procedures


Knowledge Check: Information Security Governance


Knowledge Check: Implementing Information Security


Knowledge Check: Security Incident Management


Knowledge Check: The Legal Framework


Knowledge Check: Standards and Procedures


This course looks at ways in which the threats and vulnerabilities associated with the people who use IT systems can be mitigated.


Knowledge Check: People Security


Knowledge Check: User Access Controls


Knowledge Check: Training and Awareness


This course defines the different types of malware and outlines the impact that each one can have on an organization’s computer systems.


Knowledge Check: Protection from Malicious Software


Knowledge Check: Networks and Communications


Knowledge Check: External Services


Knowledge Check: Cloud Computing


Knowledge Check: IT Infrastructure


This course introduces the development lifecycle and describes how robust development practices can considerably reduce security-related vulnerabilities in a production system.


Knowledge Check: Software Development


Knowledge Check: Testing, Audit, and Review


This course provides you with an understanding of the key areas of physical security.


Physical, Technical and Procedural Controls - PDF resource


Clear Screen and Desk Policy - PDF resource


Moving Property - PDF resource


Secure Disposal - PDF resource


Security in Delivery Areas - PDF resource


Knowledge Check: Physical Security


This course looks at what business continuity management is, why it’s important and how it can be implemented within the overall risk management process, before reviewing the disaster recovery process.


Knowledge Check: Business Continuity Management


Knowledge Check: Disaster Recovery


This course provides a basic understanding of what cryptography is and how it works through symmetric ciphers, hash functions, asymmetric ciphers, and digital signatures.


Knowledge Check: Cryptography


The final module provides guidance on the structure, format and scoring mechanisms of the BCS Foundation Certificate in Information Security Management Principles examination.


Cert Prep: Certificate in Information Security Management Principles (CISMP)

About the Author

Fred is a trainer and consultant specializing in cyber security.  His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics.  However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking.  From networking it was a natural progression to IT security and cyber security more generally.  As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.