ISSMP Training
Module 1: Leadership and Organizational Management
The heaviest domain at 21%. Establishing security's role in culture and governance, aligning strategy with organizational goals, building the policy framework, managing security in contracts, running awareness programs, defining metrics, owning the budget, and applying project management discipline to security programs.
- 1 What the ISSMP is and who it's for 8 min Free preview
- 2 Security's role in organizational culture, vision, and mission 9 min π
- 3 Aligning the security program with organizational governance 9 min π
- 4 Defining and implementing information security strategies 10 min π
- 5 Defining and maintaining the security policy framework 10 min π
- 6 Managing security requirements in contracts and agreements 9 min π
- 7 Managing security awareness and training programs 8 min π
- 8 Defining, measuring, and reporting security metrics 9 min π
- 9 Preparing, obtaining, and managing the security budget 8 min π
- 10 Managing security programs, teams, and cross-functional relationships 9 min π
- 11 Applying product development and project management principles to security 8 min π
Module 2: Systems Lifecycle Management
The management view of the system life cycle: integrating security decision points across every phase, overseeing configuration management, absorbing emerging technologies into the architecture without breaking it, running the vulnerability management program at scale, and enforcing security within change control.
- 1 Systems lifecycle management at the manager level 7 min π
- 2 Integrating security decision points and requirements throughout the life cycle 9 min π
- 3 Overseeing security configuration management (CM) processes 8 min π
- 4 Integrating organization initiatives and emerging technologies into the security architecture 9 min π
- 5 Designing a comprehensive vulnerability management program 9 min π
- 6 Managing security testing: scanning, pen testing, threat analysis 8 min π
- 7 Managing security aspects of change control 8 min π
- 8 MLSecOps: managing AI and ML in the system life cycle 8 min π
Module 3: Risk Management
The second-heaviest domain at 20%. Building and running a risk management program, understanding tolerance and appetite, conducting assessments, treating risk, controlling supply chain and third-party exposure, and using modern frameworks including NIST AI RMF and ISO/IEC 42001.
- 1 Building and managing the risk management program 9 min π
- 2 Risk tolerance, appetite, and organizational asset inventory 8 min π
- 3 Analyzing organizational risk and determining countermeasures 10 min π
- 4 Risk treatment options and cost-benefit analysis 9 min π
- 5 Documenting and managing agreed risks and treatments 8 min π
- 6 Managing security risks within the supply chain 9 min π
- 7 Conducting risk assessments: qualitative and quantitative 8 min π
- 8 Managing risk controls: effectiveness, coverage, monitoring 8 min π
- 9 Risk frameworks: NIST RMF, ISO 31000, FAIR, and how to choose 8 min π
- 10 AI risk management: NIST AI RMF and ISO/IEC 42001 8 min π
Module 4: Security Operations
Standing up and running the security operations center, the threat intelligence program, and the incident management program β with the manager's view of documentation, ownership, tooling choices, and the operational integration of AI as both defense and attack surface.
- 1 Establishing and running a Security Operations Center 9 min π
- 2 SOC documentation: runbooks, playbooks, standard operating procedures 7 min π
- 3 Establishing and maintaining a threat intelligence program 8 min π
- 4 Threat modeling and attack categorization at operational level 7 min π
- 5 Correlating security events and defining actionable alerts 7 min π
- 6 Establishing an incident management program: documentation and case management 9 min π
- 7 Incident response team, methodologies, and handling processes 8 min π
- 8 Investigation processes, quantifying impact, and root cause analysis 8 min π
- 9 AIOps and adversarial AI in security operations 8 min π
Module 5: Contingency Management
The manager's view of business continuity, disaster recovery, and continuity of operations: BIA-driven planning, alternative recovery strategies, plan maintenance and testing, and executing response and recovery through a real disruption.
- 1 Contingency planning fundamentals: BCP, DRP, COOP 9 min π
- 2 Business Impact Analysis and analyzing resiliency factors 8 min π
- 3 Crisis communications, roles, and third-party contingency dependencies 7 min π
- 4 Developing recovery strategies 8 min π
- 5 Maintaining and testing contingency plans 8 min π
- 6 Managing disaster response and recovery execution 8 min π
Module 6: Law, Ethics, and Security Compliance Management
The legal, regulatory, and ethical framework the ISSMP navigates: jurisdictions and trans-border data flow, applicable laws and privacy regimes, intellectual property, the ISC2 Code of Ethics, compliance framework selection and implementation, working with auditors and regulators, and managing compliance exceptions.
- 1 Legal jurisdictions and trans-border data flow 8 min π
- 2 Applicable security and privacy laws and regulations 9 min π
- 3 Intellectual property laws for information security 7 min π
- 4 The ISC2 Code of Ethics and organizational professional ethics 6 min π
- 5 Selecting, implementing, and monitoring compliance frameworks 8 min π
- 6 Coordinating with auditors and regulators 7 min π
- 7 Documenting and managing compliance exceptions and risk waivers 7 min π
