Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Certified Information Security Manager Exam Prep Guide

You're reading from   Certified Information Security Manager Exam Prep Guide Gain the confidence to pass the CISM exam using test-oriented study material

Arrow left icon
Product type Paperback
Published in Dec 2022
Publisher Packt
ISBN-13 9781804610633
Length 718 pages
Edition 2nd Edition
Arrow right icon
Author (1):
Arrow left icon
Hemang Doshi Hemang Doshi
Author Profile Icon Hemang Doshi
Hemang Doshi
Arrow right icon
View More author details
Toc

Table of Contents (12) Chapters Close

Preface 1. Enterprise Governance 2. Information Security Strategy FREE CHAPTER 3. Information Risk Assessment 4. Information Risk Response 5. Information Security Program Development 6. Information Security Program Management 7. Information Security Infrastructure and Architecture 8. Information Security Monitoring Tools and Techniques 9. Incident Management Readiness 10. Incident Management Operations 11. Answers to Practice Questions

Maturity Model

CISM aspirants are expected to understand the basic details of a maturity model.

A maturity model is a tool that helps the organization assess the current effectiveness of a process and determine what capabilities they need to improve their performance.

Capability maturity models (CMMs) are useful to determine the maturity level of governance processes. The following list defines the different maturity levels of an organization:

  • Level 0: Incomplete: On this level, the process is not implemented or does not achieve its intended purpose.
  • Level 1: Performed: On this level, the process can achieve its intended purpose.
  • Level 2: Managed: On this level, the process can achieve its intended purpose. Also, the process is appropriately planned, monitored, and controlled.
  • Level 3: Established: Along with what is required for a Level 2 process, there is a well-defined, documented, and established process to manage the process.
  • Level 4: Predictable: On this level, the process is predictable and operates within the defined parameters and limits to achieve its intended purpose.
  • Level 5: Optimized: This is the level at which the process is continuously improved to meet the current as well as projected goals.

The CMM uses a scale of 0 to 5 based on process maturity level. It is the most common method applied by organizations to measure their existing state and then determine the desired one.

Maturity models identify the gaps between the current state of the governance process and the desired state. This helps the organization to determine the remediation steps required for improvement. A maturity model calls for continuous improvement in the governance framework. This requires continuous evaluation, monitoring, and improvement to move toward the desired state from the current state.

The process performance and capabilities approach also provides a detailed perspective of the maturity levels, just like the maturity model.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Question

Possible Answer

Which models are used to determine the extent and level of processes?

  • The maturity model
  • Process performance and capability models

What is the best way to determine the continuous improvement of the risk management process?

The adoption of the maturity model

Figure 1.9: Key aspects from the CISM exam perspective

Practice Question Set 7

  1. As an information security manager, you recommend adopting a maturity model for the organization's information security governance framework. The most important reason for this recommendation is:
    1. Continuous evaluation, monitoring, and improvement
    2. The return on technology investment
    3. Continuous risk mitigation
    4. Continuous KRI monitoring
  2. What best indicates the level of information security governance?
    1. A defined maturity model
    2. The size of the security team
    3. The availability of policies and procedures
    4. The number of security incidents
  3. What is the most effective indicator of the level of security governance?
    1. The annual loss expectancy
    2. The maturity level
    3. A risk assessment
    4. An external audit
lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime