
Alignment Grid for the ISACA Model Curriculum for Information Security Management


To map a program to the ISACA Model Curriculum for Information Security Management, enter the name of the course(s) or session(s) in the program that covers each topic area or subtopic description along with the amount of time (in hours) devoted to covering the topic in each table. If a described topic is not covered, record a 0 (zero) in the column for contact hours. To be in alignment with the model, the total time spent, in hours, should be at least 244 hours and all areas in the model curriculum should have reasonable coverage. Note: When mapping a graduate program, include the prerequisites from the undergraduate program.
Before beginning this process:

- The current course syllabi should be obtained. Current and expanded course outlines provide more detail and are better sources.
- The current textbook supporting the classes and the visual media/projects used in those classes should be accessible. For a question on content, refer to the course textbook or PowerPoint slides.
- If some of the subject matter is taught in other departments or colleges, a representative who is knowledgeable of what is taught in those classes may need to provide assistance. For this reason, an undergraduate program may take more time to map than a graduate program.
- See if a second monitor is available; the process is facilitated by looking at the model matrix on one and the syllabus/expanded course outline on another.

The mapping process steps are listed in figure 6.

Figure 6: Mapping Process Steps

1. Identify all direct and support courses that apply to the program. Course syllabi are to contain at least the following information: school name and address, course title, course number, contact hours, faculty member names and credentials, terms offered, the purpose of the course, the objectives of the course, and the course text.
2. Make sure the current syllabi or expanded course outlines and support materials for the courses are accessible. It takes approximately 16 hours to complete the mapping, if expanded course outlines are available from which information can be extracted.
3. Proceed one by one. Select the first course in the program, examine the elements and subject matter, and map to the model. Literally, proceed week by week.
4. Use key words from the ISACA template subtopics to search the syllabi to identify matches. Once a match is made, estimate the amount of time the subject was covered based on the syllabus.
5. If unsure of the content of the subject covered, go to the textbook and PowerPoint slides/materials used. Note that generic titles used often cover more than what is implied.
6. Remember to allocate the time per course and identify the course covering each subject. For example, a quarter system may have 10 weeks and four contact hours per week (40 hours), but some courses may have lab or project requirements that may result in more than 40 hours.
7. Map course by course, and keep track of allocation. This is easiest for those familiar with the program and who have the information available.
8. After completing all courses, go back and double-check that the selections/placement are the best possible and seem reasonable.
9. Have a colleague check the mapping.
10. Submit the completed tables to ISACA for review by e-mail: sdonahue@isaca.org, fax +1.847.253.1443 or mail to the attention of the Manager of Information Security Practices at ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008, USA.

2008 ISACA. All rights reserved. Page 1

If the program is found to be in alignment with the ISACA Model Curriculum for Information Security Management, the program may be posted on the ISACA web site and graduates of the program will qualify for one year of work experience toward the CISM certification. The following pages include figures 1 through 5 with blank columns added for the course and number of hours which institutions can use to map their programs to the model curriculum.

Figure 1: Information Security Governance Domain

| Topics | Hours | Subtopics | Course Covering Topic | Hours |
|---|---|---|---|---|
| Security governance | 22 | Effective information security governance | (Course number, item number on syllabus, paragraph description) | |
| | | Roles and responsibilities of senior management | | |
| | | Information security concepts (e.g., certified internal auditor [CIA] model, borders and trust, encryption, trusted systems, certifications, defense by diversity, depth, obscurity, least privilege, life cycle management, technologies) | | |
| | | Information security manager (responsibilities, senior management commitment, reporting structures) | | |
| | | Scope and charter of information security governance (laws, regulations, policies, assurance process integration, convergence) | | |
| | | Information security metrics | | |
| Information security strategy | 20 | Views of strategy | | |
| | | Developing an information security strategy aligned to business strategy | | |
| | | Information security strategy objectives | | |
| | | Architectures and frameworks (COBIT, ISO 27002) | | |
| | | Determining current state of security | | |
| | | Strategy resources (e.g., policies, standards, controls, education, personnel) | | |
| | | Strategy constraints (e.g., regulatory, culture, costs, resources) | | |
| | | Action plan for strategy | | |
| Total Hours | 52 | | | |

Figure 2: Information Risk Management

| Topics | Hours | Subtopics | Course Covering Topic | Hours |
|---|---|---|---|---|
| Risk management | 24 | Overview of risk management | | |
| | | Risk management strategy | | |
| | | Effective information security risk management | | |
| | | Information security risk management concepts (e.g., threats, vulnerabilities, risks, attacks, BCP/DR, SLA, governance) and technologies (e.g., authentication, access controls, nonrepudiation, environmental controls, availability/reliability management) | | |
| | | Implementing risk management | | |
| Risk assessment | 20 | Risk assessment (e.g., risk assessment methodologies, options on handling risk) | | |
| | | Controls and countermeasures | | |
| | | Information resource valuation | | |
| | | Recovery time objectives | | |
| | | Integration with life cycle processes | | |
| | | IT control baselines | | |
| | | Risk, monitoring and communication | | |
| Total Hours | 54 | | | |

Figure 3: Information Security Program Development

| Topics | Hours | Subtopics | Course Covering Topic | Hours |
|---|---|---|---|---|
| Program development | 44 | Effective information security program development | | |
| | | Information security manager (roles, responsibilities, obtaining senior management commitment) | | |
| | | Scope and charter of information security program development (assurance function integration, challenges in development) | | |
| | | Information security program development objectives (goal, objectives, outcomes, risks, testing, standards, updating) | | |
| | | Defining an information security program development road map | | |
| | | Information security program resources (e.g., documentation, controls, architecture, personnel, change processes) | | |
| | | Implementing an information security program (e.g., policies, training and awareness, controls) | | |
| | | Information infrastructure, architecture, laws, regulations and standards | | |
| | | Physical and environmental controls | | |
| | | Information security program integration | | |
| | | Information security program development metrics (e.g., strategic alignment, value delivery, resource management, performance) | | |
| Total Hours | 44 | | | |

Figure 4: Information Security Program Management

| Topics | Hours | Subtopics | Course Covering Topic | Hours |
|---|---|---|---|---|
| Information security management overview | 11 | Importance and outcomes of effective security management | | |
| | | Organizational and individual roles and responsibilities | | |
| | | Information security management framework | | |
| Measuring information security program management | 24 | Measuring information security management performance | | |
| | | Common information security management challenges | | |
| | | Determining the state of information security management | | |
| | | Information security management resources | | |
| Implementing information security management | 23 | Information security management considerations | | |
| | | Implementing information security management (e.g., action plans, policies, service providers, assessments) | | |
| Total Hours | 58 | | | |

Figure 5: Information Management and Response Domain

| Topics | Hours | Subtopics | Course Covering Topic | Hours |
|---|---|---|---|---|
| Incident management and response overview | 12 | Incident management and response | | |
| | | Incident management concepts | | |
| | | Scope and charter of incident management | | |
| | | Information security manager | | |
| | | Incident management objectives | | |
| | | Incident management metrics and indicators | | |
| Defining incident management procedures | 12 | Defining incident management procedures | | |
| | | Incident management resources | | |
| | | Current state of incident response capability | | |
| Developing an incident response plan | 12 | Elements of an incident response plan (gap analysis) | | |
| | | Developing response and recovery plans | | |
| | | Testing response and recovery plans | | |
| | | Executing response and recovery plans | | |
| | | Documenting events | | |
| | | Postincident reviews | | |
| Total Hours | 36 | | | |
| Grand Total | 244 | Total hours for figures 1 through 5 | | |