ISACA Model Curriculum for IS Audit and Control

Alignment Grid for the ISACA Model Curriculum for Information Security Management
To map a program to the ISACA Model Curriculum for Information Security Management,
enter the name of the course(s) or session(s) in the program that covers each topic area or
subtopic description along with the amount of time (in hours) devoted to covering the topic in
each table. If a described topic is not covered, record a 0 (zero) in the column for contact hours.
To be in alignment with the model, the total time spent, in hours, should be at least 244 hours
and all areas in the model curriculum should have reasonable coverage. Note: When mapping a
graduate program, include the prerequisites from the undergraduate program.
Before beginning this process:
• The current course syllabi should be obtained. Current and expanded course outlines provide more detail and are better sources.
• The current textbook supporting the classes and the visual media/projects used in those classes should be accessible. For a question on content, refer to the course textbook or PowerPoint slides.
• If some of the subject matter is taught in other departments or colleges, a representative who is knowledgeable of what is taught in those classes may need to provide assistance. For this reason, an undergraduate program may take more time to map than a graduate program.
• See if a second monitor is available; the process is facilitated by looking at the model matrix on one and the syllabus/expanded course outline on another.
The mapping process steps are listed in figure 6.

Figure 6—Mapping Process Steps
1. Identify all direct and support courses that apply to the program. Course syllabi are to contain at least the following information: school name and address, course title, course number, contact hours, faculty member names and credentials, terms offered, the purpose of the course, the objectives of the course, and the course text.
2. Make sure the current syllabi or expanded course outlines and support materials for the courses are accessible. It takes approximately 16 hours to complete the mapping, if expanded course outlines are available from which information can be extracted.
3. Proceed one by one. Select the first course in the program, examine the elements and subject matter, and map to the model. Literally, proceed week by week.
4. Use key words from the ISACA template subtopics to search the syllabi to identify matches. Once a match is made, estimate the amount of time the subject was covered based on the syllabus.
5. If unsure of the content of the subject covered, go to the textbook and PowerPoint slides/materials used. Note that generic titles used often cover more than what is implied.
6. Remember to allocate the time per course and identify the course covering each subject. For example, a quarter system may have 10 weeks and four contact hours per week (40 hours), but some courses may have lab or project requirements that may result in more than 40 hours.
7. Map course by course, and keep track of allocation. This is easiest for those familiar with the program and who have the information available.
8. After completing all courses, go back and double-check that the selections/placement are the best possible and seem reasonable.
9. Have a colleague check the mapping.
10. Submit the completed tables to ISACA for review by e-mail: sdonahue@isaca.org, fax +1.847.253.1443 or mail to the attention of the Manager of Information Security Practices at ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008, USA.
© 2008 ISACA. All rights reserved. Page 1
If the program is found to be in alignment with the ISACA Model Curriculum for Information
Security Management, the program may be posted on the ISACA web site and graduates of the
program will qualify for one year of work experience toward the CISM certification. The
following pages include figures 1 through 5 with blank columns added for the course and
number of hours, which institutions can use to map their programs to the model curriculum.
Figure 1—Information Security Governance Domain

Topics                           Hours
Security governance                22
Information security strategy      30
Total Hours                        52

Subtopics (for each subtopic, record the Course Covering Topic [course number, item number on syllabus, paragraph description] and the Hours devoted to it):
• Effective information security governance
• Roles and responsibilities of senior management
• Information security concepts (e.g., certified internal auditor [CIA] model, borders and trust, encryption, trusted systems, certifications, defense by diversity, depth, obscurity, least privilege, life cycle management, technologies)
• Information security manager (responsibilities, senior management commitment, reporting structures)
• Scope and charter of information security governance (laws, regulations, policies, assurance process integration, convergence)
• Information security metrics
• Views of strategy
• Developing an information security strategy aligned to business strategy
• Information security strategy objectives
• Architectures and frameworks (COBIT, ISO 27002)
• Determining current state of security
• Strategy resources (e.g., policies, standards, controls, education, personnel)
• Strategy constraints (e.g., regulatory, culture, costs, resources)
• Action plan for strategy
Figure 2—Information Risk Management

Topics                           Hours
Risk management                    24
Risk assessment                    30
Total Hours                        54

Subtopics (for each subtopic, record the Course Covering Topic and the Hours devoted to it):
• Overview of risk management
• Risk management strategy
• Effective information security risk management
• Information security risk management concepts (e.g., threats, vulnerabilities, risks, attacks, BDP/DR, SLA, governance) and technologies (e.g., authentication, access controls, nonrepudiation, environmental controls, availability/reliability management)
• Implementing risk management
• Risk assessment (e.g., risk assessment methodologies, options on handling risk)
• Controls and countermeasures
• Information resource valuation
• Recovery time objectives
• Integration with life cycle processes
• IT control baselines
• Risk, monitoring and communication
Figure 3—Information Security Program Development

Topics                           Hours
Program development                44
Total Hours                        44

Subtopics (for each subtopic, record the Course Covering Topic and the Hours devoted to it):
• Effective information security program development
• Information security manager (roles, responsibilities, obtaining senior management commitment)
• Scope and charter of information security program development (assurance function integration, challenges in development)
• Information security program development objectives (goal, objectives, outcomes, risks, testing, standards, updating)
• Defining an information security program development road map
• Information security program resources (e.g., documentation, controls, architecture, personnel, change processes)
• Implementing an information security program (e.g., policies, training and awareness, controls)
• Information infrastructure, architecture, laws, regulations and standards
• Physical and environmental controls
• Information security program integration
• Information security program development metrics (e.g., strategic alignment, value delivery, resource management, performance)
Figure 4—Information Security Program Management

Topics                                              Hours
Information security management overview              11
Measuring information security program management     24
Implementing information security management          23
Total Hours                                           58

Subtopics (for each subtopic, record the Course Covering Topic and the Hours devoted to it):
• Importance and outcomes of effective security management
• Organizational and individual roles and responsibilities
• Information security management framework
• Measuring information security management performance
• Common information security management challenges
• Determining the state of information security management
• Information security management resources
• Information security management considerations
• Implementing information security management (e.g., action plans, policies, service providers, assessments)
Figure 5—Information Management and Response Domain

Topics                                              Hours
Incident management and response overview             12
Defining incident management procedures               12
Developing an incident response plan                  12
Total Hours                                           36

Subtopics (for each subtopic, record the Course Covering Topic and the Hours devoted to it):
• Incident management and response
• Incident management concepts
• Scope and charter of incident management
• Information security manager
• Incident management objectives
• Incident management metrics and indicators
• Defining incident management procedures
• Incident management resources
• Current state of incident response capability
• Elements of an incident response plan (gap analysis)
• Developing response and recovery plans
• Testing response and recovery plans
• Executing response and recovery plans
• Documenting events
• Postincident reviews

Grand Total (total hours for figures 1 through 5): 244