Information Security Management Principles – including definitions, meanings and use of concepts and terms across information security management. It will continue by explaining the need for and the benefits of information security.
Information Risk – including outlining threats to and vulnerabilities of information systems and the process for understanding and managing risk relating to information systems.
Information Security Framework – including an explanation of how risk management should be implemented in an organisation; general principles of law, legal jurisdiction and associated topics as they affect information security; and a number of common established standards and procedures that relate to information security management.
Security Lifecycle – including the importance, relevance and stages of the information lifecycle; the concepts of the design process lifecycle; the importance of audit and review processes, effective change control; and configuration management; and the risks to security brought about by systems development and support.
Procedural/People Security Controls – the risks to information security involving people; user access controls to manage these; and the importance of appropriate training.
Technical Security Controls – technical controls used to ensure protection from malicious software; information security principles associated with the underlying networks and communications; information security issues relating to value-added services that use the underlying networks and communications systems; information security issues that relate to the organisation’s use of cloud computing; and security of information systems in relation to operating systems, database and file management systems, network systems and application systems.
Physical and Environmental Security Controls – an outline of the physical aspects of security available in multi-layered defences; how the environmental risks relate to information in terms of the need, for example, for appropriate power supplies, protection from natural risks (fire, flood etc.) and in the everyday operations of an organisation.
Disaster Recovery and Business Continuity Management – understanding the differences between and the need for business continuity and disaster recovery.
Other Technical Aspects – understanding the principles and common practices, including any legal constraints and obligations, appropriate to investigations; the role of cryptography in protecting systems and assets, including awareness of the relevant standards and practices.