DOMAIN 1 – INFORMATION SECURITY GOVERNANCE
ENTERPRISE GOVERNANCE
- Organizational Culture
- Legal, Regulatory, and Contractual Requirements
- Organizational Structures, Roles, and Responsibilities
INFORMATION SECURITY STRATEGY
- Information Security Strategy Development
- Information Governance Frameworks and Standards
- Strategic Planning (e.g., Budgets, Resources, Business Case)
DOMAIN 2 – INFORMATION SECURITY RISK MANAGEMENT
INFORMATION SECURITY RISK ASSESSMENT
- Emerging Risk and Threat Landscape
- Vulnerability and Control Deficiency Analysis
- Risk Assessment and Analysis
INFORMATION SECURITY RISK RESPONSE
- Risk Treatment / Risk Response Options
- Risk and Control Ownership
- Risk Monitoring and Reporting
DOMAIN 3 – INFORMATION SECURITY PROGRAM
INFORMATION SECURITY PROGRAM DEVELOPMENT
- Information Security Program Resources (e.g., People, Tools, Technologies)
- Information Asset Identification and Classification
- Industry Standards and Frameworks for Information Security
- Information Security Policies, Procedures and Guidelines
- Information Security Program Metrics
INFORMATION SECURITY PROGRAM MANAGEMENT
- Information Security Control Design and Selection
- Information Security Control Implementation and Integrations
- Information Security Control Testing and Evaluation
- Information Security Awareness and Training
- Management of External Services (e.g., Providers, Suppliers, Third Parties, Fourth Parties)
- Information Security Program Communications and Reporting
DOMAIN 4 – INCIDENT MANAGEMENT
INCIDENT MANAGEMENT READINESS
- Incident Response Plan
- Business Impact Analysis (BIA)
- Business Continuity Plan (BCP)
- Disaster Recovery Plan (DRP)
- Incident Classification/Categorization
- Incident Management Training, Testing and Evaluation
INCIDENT MANAGEMENT OPERATIONS
- Incident Management Tools and Techniques
- Incident Investigation and Evaluation
- Incident Containment Methods
- Incident Response Communications (e.g., Reporting, Notification, Escalation)
- Incident Eradication and Recovery
- Post-Incident Review Practices