
Welcome to this course taught by Thor Pedersen. Thor is an experienced instructor with a background in cybersecurity and project management, with extensive work experience in IT, Cyber Security, and project management, he holds CISSP, CISM, , CC, CDPSE, CCNP, CCNA, and PMP certifications. His courses on Udemy are the best-selling and highest rated, and he has helped thousands of students pass their exams over the years. In this course, Thor will provide you with the knowledge and skills you need to succeed on your certification exam. He is eager to connect with you and help you along the way, and you can reach out to him through his LinkedIn profile (linkedin.thorteaches.com) or by joining his Facebook group (fb.thorteaches.com). You can also watch some of his free videos on YouTube (youtube.thorteaches.com). Don't wait any longer - let Thor help you achieve your certification goals.
In this lesson, we will be discussing various tips and tricks for getting the most out of my courses. First, I will introduce the concept of the "little elephant," which indicates that a particular topic is particularly important. Next, we will discuss the use of ",..." in lists, which indicates that the list is not exhaustive. I will also explain the use of bold text to indicate keywords. Additionally, we will take a look at the Udemy interface and its various features, including the ability to pause, play, rewind, and fast forward lectures, as well as the option to change the speed of the lecture to better match your preference. We will also discuss the availability of professionally done subtitles in English, as well as autogenerated subtitles in other languages. Finally, we will explore the option to add your own notes, access a question and answer section, view educational announcements, and receive a certificate of completion upon completing the course.
In this lesson, we will be discussing various tips and tricks for getting the most out of my courses. First, I will introduce the concept of the "little elephant," which indicates that a particular topic is particularly important. Next, we will discuss the use of ",..." in lists, which indicates that the list is not exhaustive. I will also explain the use of bold text to indicate keywords. Additionally, we will take a look at the Udemy interface and its various features, including the ability to pause, play, rewind, and fast forward lectures, as well as the option to change the speed of the lecture to better match your preference. We will also discuss the availability of professionally done subtitles in English, as well as autogenerated subtitles in other languages. Finally, we will explore the option to add your own notes, access a question and answer section, view educational announcements, and receive a certificate of completion upon completing the course.
In this lecture, we introduce CISM Domain 1: Information Security Governance, which serves as the foundation for the entire CISM exam. With the 2022 exam changes, this domain now constitutes 17% of the curriculum, translating to approximately 26 questions on the exam. The shift from governance towards management reflects the exam's focus on the managerial aspects of information security. Throughout the course, the content covered extends beyond the official ISACA book, as ISACA assumes a certain level of prior knowledge from exam takers. ISACA also recommends studying a wide range of supplementary materials, as outlined in their extensive suggested reading list for Domain 1. The official CISM Review Manual even includes a disclaimer emphasizing the importance of using multiple sources to prepare for the exam. Domain 1 covers various topics such as governance, values, vision, mission, strategies, policies, standards, processes, laws, regulations, ethics, the CIA triad, data protection, NIST frameworks, ISO standards, administrative security controls, and roles and responsibilities. The current exam version will be tested until the next curriculum change, which is expected to occur in 2027, following ISACA's typical 5-year cycle for exam updates.
In this lecture, we will be discussing the difference between management and governance within an organization and how they work together to achieve the overall goals and direction set by leadership. We will also be looking at different standards and control frameworks that an organization may adhere to and the concept of defense in depth to protect against potential threats. It is important to remember that as an IT security manager, our role is to advise on risk and plan, build, run, and monitor activities to align with the direction set by governance, rather than being a hands-on techie or senior leadership. We will also delve into the concept of risk appetite and how it plays a role in determining the direction and actions of an organization.
In this lesson, we will be covering various standards and control frameworks that are important to know for the exam, including PCI- DSS, OCTAVE, COBIT, COSO, ITIL, and FRAP. We will learn about the purpose of each framework, but will not need to know how to implement them. Specifically, PCI-DSS is a standard used in the payment card industry, OCTAVE is a team-oriented approach to self-directed risk management, COBIT is a set of goals for the IT organization, COSO is a set of goals for the entire organization, ITIL is a set of frameworks for aligning IT services with business needs, and FRAP is a facilitated risk analysis process focused on one business unit, application, or system at a time.
In this lecture, we will discuss the principles of security governance and how they shape the values, vision, mission, and strategic objectives of an organization. We will also explore the importance of understanding and adhering to these principles in order to effectively support the goals of the organization and make informed decisions as IT security professionals. The lecture will cover the process of building long and short term plans based on these principles and how they drive the development of policies, standards, and procedures. Additionally, we will discuss the role of IT security in supporting the overall success of the organization and the importance of knowing the purpose and values of the organization when starting a new job.
In this lecture, we will discuss the various policies, standards, procedures, guidelines, and baselines that are important for our exam. It is important to understand the role of each of these and how they work together, as they are influenced by our values, vision, and mission, as well as laws and regulations. Policies can be regulatory, advisory, or informational and are high level and nonspecific. Standards are mandatory and more detailed, while guidelines are discretionary recommendations and baselines are minimum requirements. Procedures are specific steps that are taken to follow the standards and guidelines, and all of these work together to ensure a consistent security posture across the organization. We will discuss the importance of training and educating users to protect against attackers who often target the weakest link in a system - the user. We will also cover the role of hiring practices, including background checks and non-disclosure agreements, in maintaining secure employment and protecting company secrets. Finally, we will discuss the proper procedure for terminating employees in a secure manner and the importance of coaching and offering additional training to employees who may be struggling with security mistakes.
In this lecture, we will discuss the importance of gap analysis, a tool used to identify and bridge the gap between the current state and the desired future state of a process or system. The gap analysis process begins by identifying the current processes and their outcomes, followed by defining the desired future outcomes. The difference between the current and future states is then determined, and a plan is developed to bridge that gap. The lecture provides a simplified example of a lemonade stand and emphasizes the importance of prioritizing gap analysis efforts among other ongoing projects. The steps in a gap analysis include identifying the existing problem and outcome, determining the desired future state, identifying the gap, developing a solution to fill the gap, and finally, bridging the gap. The first six steps are considered due diligence, while the final implementation step is due care. In the context of IT security, gap analysis is used to minimize risk to an acceptable level by implementing effective countermeasures, preventing intrusions, and saving money.
In this lecture, we explore the concept of SWOT analysis, a tool used to identify an organization's Strengths, Weaknesses, Opportunities, and Threats. Strengths and weaknesses are internal factors, with strengths representing areas where the organization excels and weaknesses indicating limitations or areas where competitors outperform. The lecture emphasizes the importance of moving from weaknesses to strengths, such as cross-training staff to reduce dependence on individual employees. Opportunities and threats are external factors, with opportunities being areas where the organization can expand or improve based on its strengths, such as adding new products or services. Threats are external factors that can harm or hinder the organization's projects or business, such as changes in regulations, the economy, or international events. While opportunities can be seized to grow the business, threats often require adaptation and mitigation since they are typically beyond the organization's control. The lecture provides examples of each component of the SWOT analysis to illustrate their practical application in a business context.
In this lecture, we discuss the importance of understanding budgets, business plans, and roadmaps in IT leadership roles. OpEx (operational expenses) refers to ongoing costs required to maintain day-to-day business operations, while CapEx (capital expenditure) represents money spent on purchasing new assets and improving existing systems to grow the business. Business plans are built based on the organization's vision and mission, with 1-3 year plans and a regularly updated roadmap. In IT security, the rapidly evolving landscape may make five-year plans less common. The lecture also highlights the concept of the fiscal year or budget year, which often differs from the calendar year, and the importance of aligning plans with the fiscal year. As the end of the fiscal year approaches, IT security professionals should begin planning for the upcoming year, determining the necessary improvements and associated costs to achieve the desired security posture.
In this lecture, we will be discussing KGIs (Key Goal Indicators), KPIs (Key Performance Indicators), and KRIs (Key Risk Indicators). KGIs are used to measure the success of a goal after it has been completed, while KPIs measure the performance of a specific task and have a direct correlation to the overall goal. KRIs are used to measure and demonstrate the risks that an organization may face and to ensure that the organization is adhering to its risk appetite. KRIs can also serve as an early warning system for potential events that could be harmful to the organization's activities. It is important to properly manage and monitor KGIs, KPIs, and KRIs in order to improve processes, meet targets, and identify and mitigate potential risks.
This lesson is an introduction to the CIA triad, which is a fundamental concept in the field of IT security. The CIA triad consists of three components: confidentiality, integrity, and availability. Confidentiality refers to the protection of sensitive information from unauthorized access. Integrity involves ensuring that data is not modified without proper authorization. Availability refers to the ability of authorized users to access data when needed. The lesson explains that the importance of each component of the CIA triad can vary depending on the type of data being protected and the needs of the business. The lesson also discusses common threats to confidentiality, such as attacks on encryption and social engineering, and methods for protecting data at rest, in motion, and in use.
In this lesson, we will be discussing the concept of availability in cybersecurity. This refers to the ability for authorized individuals and systems to access data when it is needed. If access is not available, it can hinder work and potentially lead to lost sales or revenue. We will also discuss the different types of attacks that can compromise availability, including DDOS attacks, physical attacks, and even disgruntled employees. To protect against these threats, we will discuss the use of intrusion detection and prevention systems, patch management, and backup systems. It is important to consider the cost versus benefit of implementing these measures and to determine the appropriate level of availability needed for an organization.
In this lecture, we will discuss the three states of data and how to protect sensitive information from disclosure, alteration, and destruction. These states include data at rest, data in motion, and data in use, and we will discuss the various methods of encryption and compensating controls that can be used to protect each state. We will also cover industry best practices for storing and transmitting data, including the use of hardware and software encryption, clean desk policies, and user training to raise awareness of data protection.
In this lecture, we will be discussing data classification and how it impacts a system's protection profile. We will cover the various classifications of data, including top secret, secret, confidential, sensitive, unclassified, and sensitive but unclassified, and how they apply to both the military and private sector. We will also discuss clearance and how it is assigned to subjects based on their current and future trustworthiness, as well as the concepts of full access approval, need to know, and least privilege. Understanding these keywords and concepts is important for exams and for understanding how data is protected within a system.
In this lesson, we will be discussing data handling and data storage, two important administrative controls that help ensure that only trusted individuals have access to data. We will also address the importance of having clear policies on who can access data and the need for auditing and logs to ensure that access is justified. We will discuss the importance of securely storing data, including the use of backup tapes and their proper storage in a secure and geographically distant location. We will also cover the importance of considering Maximum Tolerable Downtime (MTD) and the need to have a disaster recovery plan in place to ensure that data can be restored in a timely manner. Finally, we will discuss the importance of ensuring that vendors who store and transport data are licensed and bonded to protect against data loss.
In this lecture, we will be discussing the various roles and responsibilities within an organization to ensure that data is secure. These roles include the mission or business owner, the data or information owner, the data custodian, the system owner, the data controller and data processor, and the security administrator. Each role has its own specific responsibilities, ranging from creating and managing data to ensuring that proper security controls are in place and that data is processed securely. It is important to understand the nuances of each role and the importance of proper data security within an organization.
In this lecture, we discuss the importance of understanding ethics, particularly in the context of the ISACA Code of Ethics. The lecture begins by reading through the seven points of the ISACA Code of Ethics, which cover topics such as supporting appropriate standards and procedures, performing duties with objectivity and professional care, serving stakeholders' interests lawfully, maintaining privacy and confidentiality, maintaining competency, reporting results honestly, and supporting the education of stakeholders. The lecture then simplifies these points, emphasizing the importance of following standards, conducting due diligence and due care, acting in the best interest of stakeholders, maintaining privacy and confidentiality, continuous learning, honest reporting, and educating stakeholders. Violating the ISACA Code of Ethics can result in disciplinary measures, including the loss of certification. The lecture also covers the Computer Ethics Institute's top 10 commandments, which focus on not using computers to harm, interfere, snoop, steal, lie, or disrespect others. Additionally, the lecture touches on the ethics of the Internet Architecture Board (IAB) and the importance of understanding the ethical standards of one's organization. The lecture concludes by advising exam takers to closely follow ISACA's guidelines and to prioritize ethical behavior, even if it means seeking new employment.
As an IT Security professional, it is important to understand the various laws and regulations that apply to your company and industry in order to effectively adhere to them and perform your job duties. These laws include criminal, civil, administrative, private regulations, customary, and religious laws, and each have different levels of proof required and punishments for non-compliance. Additionally, IT professionals should be aware of concepts such as liability, due diligence, due care, and negligence, which all play a role in ensuring the security of an organization.
In this lecture, we will be discussing the importance of evidence and how it is obtained and handled in a court of law. We will examine the different types of evidence, including real evidence, direct evidence, circumstantial evidence, corroborating evidence, and hearsay. We will also discuss the best evidence rule and the importance of preserving the crime scene and the integrity of the evidence. We will cover the use of computer-generated records and logs as hearsay evidence, and the importance of maintaining a clear chain of custody and ensuring that the evidence is unaltered.
In this lecture, we will be discussing privacy and the various laws and regulations surrounding the protection of Personal Identifiable Information (PII) in the United States, European Union, and internationally. PII is data that can uniquely identify an individual, such as their full name, national ID number, and biometric information. We will also explore the differences in privacy laws between the U.S. and European Union, and how these laws impact companies like Google, Apple, and Microsoft. Finally, we will go over the specific laws and regulations that are relevant for the exam, including the Fair Credit Reporting Act, Children's Online Privacy Protection Act, and the General Data Protection Regulation (GDPR).
In this lesson, we will be discussing the General Data Protection Regulation (GDPR), a data protection law in the European Union (EU) that governs data protection and privacy for all individuals in the EU and the European Economic Area. The GDPR was enacted in 2018 and is much more proactive in its approach to IT security and privacy compared to the patchwork of laws in the United States. If a company violates the GDPR, they can be fined up to 20 million euro or 4% of their annual revenue, whichever is greater. The GDPR covers data collection and privacy for individuals and gives individuals in the EU numerous rights, including the right to see all data held about them, the right to be forgotten, and the right to object to the processing of their data.
In this lesson, we will be discussing two international laws and regulations: the OECD Privacy Guidelines and the Wassenaar Arrangement. The OECD Privacy Guidelines are guidelines established by the Organization for Economic Cooperation and Development (OECD) that focus on protecting data and privacy as it passes over borders. These guidelines have eight driving principles, including the collection limitation principle, data quality principle, purpose specification principle, use limitation principle, and security safeguard principle, among others. The Wassenaar Arrangement is an international agreement that initially focused on conventional arms but has also added dual-use goods and technologies, including cryptography. There are 41 countries participating in the Wassenaar Arrangement and it imposes import and export restrictions on cryptographic algorithms for some countries, including Iran, Iraq, China, and Russia. It is important for IT security professionals to be aware of these laws and regulations as they may impact their ability to import or export certain goods and technologies.
In this lesson, we will be discussing intellectual property and the different types of protection it offers, including copyright, trademarks, patents, and trade secrets. We will also cover common attacks against intellectual property, such as piracy, counterfeiting, and patent infringement. It is important to understand the protection and potential issues surrounding intellectual property, especially for those working in the creative industries or with proprietary information.
In this lecture, we will discuss Administrative Personnel Security Controls. We will specifically focus on the directive controls which include policies, procedures, and regulations that organizations must adhere to in their industry. We will also talk about how training is used to raise employee awareness and the concept of least privilege which is giving employees exactly the access rights they need, no more and no less. We will also touch on need-to-know, separation of duties, and job rotation which are all internal controls used to prevent fraud and errors in organizations. We will use real-world examples to illustrate these concepts and discuss how they are implemented in different settings.
In this lecture, we discuss how to ensure that IT frameworks, standards, and bodies of knowledge align with business goals and vision using a Governance Enterprise IT (GeIT) system, such as COBIT 5. COBIT 5 is an overarching governance and management framework integrator that works with various standards. The framework consists of five principles: meeting stakeholders' needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach through seven categories, and separating governance from management. The lecture emphasizes the importance of senior management's buy-in and the role of IT security professionals in assisting and guiding management and C-level executives to translate the vision and mission from governance into actionable items. The lecture also includes a visual representation of the COBIT 5 processes, highlighting the need for IT security professionals to understand how COBIT works in conjunction with other frameworks and standards.
In this lecture, we discuss the importance of having an overarching Information Security Management System (ISMS) to organize and effectively manage an organization's various information security controls. Without an ISMS, organizations often take a reactive approach, implementing countermeasures and security controls only after a breach or compromise occurs. This piecemeal approach is ineffective and leaves the organization vulnerable to future attacks.
To address this issue, we can use the ISO 27001 and 27002 standards. These standards are separate but interrelated, with ISO 27001 providing specific requirements on how to bring information security under management control and serving as a framework against which an organization can be certified. In many cases, ISO 27001 certification is either required or preferred for conducting business with other organizations.
ISO 27002, on the other hand, provides practical steps and detailed guidance on how to implement the ISO 27001 standard. It outlines the process of initiating, implementing, and maintaining an ISMS. Due to its comprehensive nature, ISO 27002 is significantly longer than ISO 27001, which is a more basic, watered-down version of the standard.
In this lecture, we explore NIST SP 800-53 Revision 5, a comprehensive guidebook for creating, operating, and maintaining secure systems in an ever-changing threat landscape. This publication presents detailed security and privacy controls primarily intended for US federal systems but is highly customizable and useful for any organization. It guides organizations in defending information systems, managing risks effectively, and addressing privacy concerns through a continuous cycle of risk assessment, control implementation, and monitoring. Revision 5 emphasizes a risk-based, organization-wide approach to information security, focusing on the entire lifecycle of systems, people, processes, and the operational environment. The publication uses control families, control classes, and baseline controls to categorize and prioritize security and privacy measures. Major updates in Revision 5 include the inclusion of privacy controls to protect personally identifiable information (PII), outcome-based controls that allow for tailored security measures, increased focus on supply chain risk management, and protection against insider threats. Understanding the key concepts and updates in NIST SP 800-53 Revision 5 is essential for professionals seeking certification in information security.
In this lecture, we will be discussing NIST special publication 800-37, which covers the risk management framework for federal information systems and the security lifecycle approach. We will be covering both revision one, published in 2010 and updated in 2014, and revision two, published in 2018. It is important to cover both revisions because revision one is still being used in exams and the question pool is constantly being updated with new questions. Revision two updates the framework to include a step for preparing and getting senior management on board, as well as integrating privacy risk management processes and aligning with other NIST publications. We will also discuss how the NIST cybersecurity framework can be implemented using the risk management processes.
In this lecture, we explore the importance of RACI charts in project management, IT governance, and information security management. RACI is an acronym that stands for Responsible, Accountable, Consulted, and Informed, and the chart is used to define roles and responsibilities for each task or step in a project or process. The Responsible party is tasked with completing the work, while the Accountable person has the ultimate authority and accountability for the task or decision. Consulted individuals provide input through two-way communication before work begins and decisions are made, while Informed parties are kept up-to-date on progress and decisions through one-way communication, such as progress reports. RACI charts are crucial in information security management because they provide a visual representation of communication channels, ensuring that all necessary parties are informed and consulted, and that responsibilities are clearly defined. The chart resembles a spreadsheet, with tasks or responsibilities listed in rows and teams or individuals in columns, with each square assigned an R, A, C, or I as appropriate. RACI charts are iterative and can evolve as the project or process progresses, making them an effective tool for promoting efficiency and effectiveness in information security management.
In this lecture, we delve into the comprehensive approach of Governance, Risk Management, and Compliance (GRC) in analyzing and managing risks while aligning with business objectives and compliance standards. Governance ensures strategic alignment between IT and business objectives, proper resource management, performance monitoring, value delivery, and integration of policies, compliance, and ethics. Risk Management involves identifying, assessing, and responding to risks through qualitative and quantitative risk analysis, and implementing appropriate risk responses such as acceptance, avoidance, mitigation, or transference. Compliance ensures conformity with laws, regulations, and internal policies, and involves auditing, monitoring, incident response compliance, ethics, and privacy. The interconnectedness of GRC is crucial, as governance guides risk management through risk appetite, establishes guidelines for compliance, and compliance requirements feed into governance policies and procedures. Risk management identifies threats and vulnerabilities that can cause non-compliance, and compliance highlights areas of non-compliance for risk assessments. A strong GRC approach reinforces each element, resulting in a more resilient and effective information security program, preventing legal penalties, reputational damage, and financial losses.
In this lecture, we will be discussing the concepts of scoping, tailoring, certification, and accreditation in the context of building data security controls and frameworks within an organization. We will be looking at how these concepts can be used to determine which controls to use and how to deploy them, taking into consideration the unique environment and needs of the organization. Certification refers to the process of ensuring that a system has the appropriate protection profile for the data it stores, while accreditation is when the data owner accepts the certification and residual risks associated with the system. We will also address the scenario in which the data owner refuses to accept the certification and how to address their concerns in order to achieve accreditation.
In this lecture, we will be discussing three different technologies that are used to protect digital media: Digital Rights Management (DRM), Cloud Access Security Brokers (CASB), and Data Loss Prevention (DLP). DRM refers to the use of systems and technologies to protect copyrighted digital media, such as by using serial numbers, expiration dates, and IP restrictions. CASB acts as a gatekeeper between users and cloud applications, monitoring user activity and protecting against malicious actions, malware, and Shadow IT. DLP involves tracking and preventing the loss of sensitive data, whether through accidental or intentional means.
In the next couple of lectures, we will be discussing security models and their strengths and weaknesses. We will explore the different types of models such as DAC, MAC, RBAC, and ABAC and when to use them. DAC or Discretionary Access Control is when the data owner has the discretion to give or deny access to the data. An example of this is sharing files on a computer, where the user can change the permissions to share with specific individuals or everyone on the network. MAC or Mandatory Access Control is used in highly secure organizations, where access is granted based on a subject's clearance and objects have labels. RBAC or Role Based Access Control is used in most organizations in the private sector, where access is granted based on the user's role and predefined set of access rules and rights. ABAC or Attribute Based Access Control is not heavily used yet but is a better system as access is granted based on subjects, objects, and environmental conditions and attributes can be assigned to both subjects, objects, and the environment.
In this lesson, we take a deeper look at some of the specific high level models that you need to know for the exam. We start off with Bell-LaPadula, which is a mandatory access control model developed by the US Department of Defense. It is focused solely on confidentiality and has three properties: Simple Security Property, Star Security Property, and Strong Star Property. Next, we move on to BIBA, another mandatory access control model that focuses on data integrity. It also has three properties: Simple Integrity Axiom, Star Integrity Axiom, and Invocation Property. Finally, we cover Lattice Based Access Control (LBAC), which is a complex system of clearance levels and is also mandatory access control. The lesson concludes with the introduction of the Graham-Denning model, which uses objects, subjects, and rules to control access.
In this lecture, we will continue to explore security models that will be covered on the exam. We will begin with the Clark-Wilson rule which emphasizes integrity by separating users from the back end data through well-formed transactions and separation of duties. The Clark-Wilson rule uses subjects, objects, and an intermediary program to ensure that transactions are conducted in a secure and consistent manner. We will also discuss the Brewer-Nash model, also known as the information barriers model, which provides controls to mitigate conflicts of interest in commercial organizations. Additionally, we will explore the non-interference model and the Take-Grant Protection Model, which uses rules to govern interactions between objects and subjects. Lastly, we will review the access control matrix, which describes the rights of every subject in relation to every object on the system, allowing for easy tracking of access rights and capabilities of each user.
In this lecture, we will discuss Artificial Intelligence (AI) and its different forms. We will talk about the concept of true AI, which has various opinions and definitions. We will also look at some of the types of AI that are currently being used, such as Expert Systems, Artificial Neural Networks (ANNs), and Genetic Programming (GP). We will examine how each type of AI operates and the technologies behind them, such as the use of if-then statements in Expert Systems and the connecting units in ANNs called artificial neurons. We will also explore the concept of GP and how it evolves computer programs using an evolutionary algorithm and is traditionally represented in memory as tree structures.
In this lecture, we conclude our discussion of CISM Domain 1: Information Security Governance, which serves as the foundation for the CISM exam. Approximately 17% of the weighted exam questions will be from Domain 1. Throughout the domain, we covered topics such as governance, values, mission, vision, strategies, policies, standards, processes, laws, regulations, ethics, the CIA triad, NIST and ISO frameworks, and roles and responsibilities. The course aims to provide a comprehensive understanding of the domain, acknowledging that individuals pursuing the CISM certification come from diverse backgrounds and experiences.
In this lecture, we discuss various strategies and techniques that can help you stay motivated, reach your goals more efficiently, and ultimately achieve your CISM certification. These tips include:
Clarifying your motivation and making a detailed study plan
Sharing your goal with a partner or trusted friend
Avoiding multitasking and using techniques like sequencing, batching, and time blocking
Limiting social media use and prioritizing tasks using the Eisenhower principle
Optimizing your study time by identifying peak hours, getting enough sleep, eating well, and exercising regularly
Using visualization techniques, motivational sentences, and visual aids to stay focused
Celebrating milestones and rewarding yourself for significant achievements
Celebrating your success when you pass the CISM certification
Remember, these tips can be applied to any goal you set for yourself. Choose the strategies that work best for you and adapt them to your unique circumstances. By focusing on what's important and giving yourself the best possible chance to succeed, you can achieve your CISM certification and any other goal you set your mind to.
In this lecture, we discuss a comprehensive approach to studying for the CISM certification, which includes:
Finding high-quality video courses taught by an experienced instructor.
Watching all the videos, especially if the topic is new or unfamiliar.
Reading the official CISM book (15th edition) and/or the CISM All-in-One book.
Purchasing the official CISM practice questions book (9th edition) to familiarize oneself with the exam format.
The length of time needed to prepare varies depending on prior experience, but candidates must have at least three years of active security management experience and additional qualifications.
To pass the CISM certification, candidates must answer questions from ISACA's perspective, deconstructing each question to select the most appropriate answer.
After watching videos and reading books, students should focus on practice questions, reviewing weak areas, and repeating the process until consistently scoring between 75% and 80% on all tests.
Creating a detailed study plan and committing to it is crucial for success. Students should allocate specific study times each day, communicate the importance of the certification to family and friends, and seek their support throughout the process.
In this lecture, we discuss the compelling reasons to pursue a CISM certification in the current job market. The demand for IT security certified professionals, particularly those with the CISM certification, is exceptionally high, with more than twice as many open jobs seeking CISM-certified individuals than there are certified professionals in the United States.
The global demand for IT security professionals is expected to rise significantly within the next two years. Compared to other high-level certifications, the CISM remains in high demand due to its difficulty and prestige. While obtaining knowledge is valuable, taking the CISM certification exam is highly recommended, as CISM-certified IT security professionals earn, on average, 35% more than their non-certified colleagues, with a mean salary ranging from $115,000 to $125,000 per year in the United States.
Pursuing a CISM certification can lead to better job opportunities, increased income, and a more fulfilling career in the ever-growing field of IT security.
In this lecture, we discuss the importance of mental clarity and preparation for the CISM certification exam day. Key strategies include booking the exam during peak hours, getting plenty of sleep, arriving early, bringing two forms of identification, using headphones to minimize distractions, taking short breaks, deconstructing questions, marking questions for review but always selecting an answer, and finding a strategy to cope with brain fatigue.
The lecture provides a detailed walkthrough of the exam day experience, from arriving at the test center to receiving results. It emphasizes time management, as the CISM exam consists of 150 multiple-choice questions (125 scored and 25 unscored) to be completed within 4 hours.
The lecture acknowledges that the CISM is challenging, and not everyone passes on their first attempt. Learning to cope with failure and maintaining a positive attitude are crucial for long-term success in both the certification process and life in general.
In this lecture, we discuss the steps you need to take after passing your CISM exam to become fully certified and maintain your certification. First, you need to get endorsed by your current or past bosses, who will vouch for your five years of IT security work experience, with three years in information security management. Some certifications and degrees can waive up to two years of the general IT security experience requirement. After submitting the endorsement forms and paying a $50 processing fee, ISACA will review your application. Once endorsed, you can officially use the CISM logo. To keep your certification current, you need to pay annual maintenance fees and earn at least 20 Continuing Professional Education (CPE) credits per year, with a minimum of 120 per three-year cycle. There are many ways to earn CPEs, often at no cost. Submitting CPEs is a simple process through the ISACA website, and you may occasionally be audited to provide proof of completion.
Free CPE’s:
ISC2 – 500+ CPE’s available (Webinar).
SANS – 500+ CPE’s available (Webinar).
ISACA – 100+ CPE’s available (Webinar).
Infosecurity-magazine - 350+ CPE’s available (Webinar).
wh1t3rabbit – 250+ CPE’s available (Podcast).
OWASP - 100+ CPE’s available (Podcast).
Certs.org – 200+ CPE’s available (Podcast).
Edx.org – 250+ CPE’s available (Online training).
Coursera – 250+ CPE’s available (Online training).
Securitytube – 10,000+ CPE’s available (Videos).
Youtube – 100,000+ CPE’s available (Videos).
In this lecture, we discuss what to do if you fail your ISACA certification exam. While it can be disappointing and discouraging, it's important to remember that failure is not the end of the world. Many successful professionals have failed certification exams before ultimately passing and achieving their goals. After failing an exam, take some time to process your emotions, but then get back to studying as soon as possible while the knowledge is still fresh. Book your next exam right away, as you can only test once in each four-month window for ISACA exams. If you wait too long, you risk forgetting the material and having to start over. Focus on your weak areas and seek support from loved ones to maintain a positive attitude. Remember why you started this journey and don't let the certification get the better of you. With the right mindset and preparation, you can turn failure into success. Keep in mind that after passing, no one will care about your previous failed attempts. Embrace failure as a learning opportunity and use it to fuel your determination to succeed.
* Updated for the 2022 CISM curriculum. We do in-place updates, meaning any future exam updates you get for free *
Welcome, I am Thor Pedersen, and I am here to help you pass your CISM certification.
With over 760,000 enrollments from 209 countries, my CISSP, CISM, and Certified in Cybersecurity (CC) courses are both the “Best Selling” and “Highest Rated” on Udemy.
Getting your CISM certification now is a very smart career move.
The CISM is highly sought after by Cyber Security recruiters.
There are over 44,000 open CISM jobs in the US.
The average CISM salary in the US is over USD165,000 a year.
I think my courses are fantastic but don't just take my word for it. Here's what some of my other students have to say about them:
This CISM Domain 1 offers a lot of materials and links that I can go over. Thanks a lot! (Kelly, ★★★★★)
After the really good explanations and background Thor covered, I feel that I have an excellent grasp on Domain one. Well Worth my time in watching. (Jim, ★★★★★)
I have bought all 4 domains for the CISM and I have just completed the 1st one. I love the videos the details and the guidance of how to study/pass the CISM certifications. So yes these courses are great! (Cornelius, ★★★★★)
Course was definitely valuable to my CISM study practice. Thor's recordings are clear, relevant and helpful. (William, ★★★★★)
Excellent course! I had attended an on-site CISM course a few months back which left me hungry for more. I didn't feel I had learnt much and the content was very dry. Thor's course, on the contrary, is very well structured, rich in content and well explained. I truly enjoyed it and will study the other domains with him also. (Regis, ★★★★★).
Join our community of successful students and reach your certification goals!
When you buy this course you get all this:
5.5 hours of CISM videos: Covering the 2022 CISM Domain 1 exam topics.
32-page PDF CISM study guides: Detailed guides made from our lectures.
20-page PDF CISM Quick Sheets: For your review sessions.
9 Detailed CISM Mind Maps.
2-page PDF CISM Mnemonics: Memory aids to help you remember key concepts.
93 website links: Additional resources to deepen your understanding of Domain 1 topics.
Subtitles in multiple languages: English, Spanish (Latin America), Portuguese (Brazil), French, Arabic, Japanese, Chinese, and Hindi.
An automatic certificate of completion: Hang on your wall or use for CEUs/PDUs. (5 CEUs).
30-day money-back guarantee: No questions asked.
Lifetime Access to the course and all course updates.
Offline video viewing: Available on the Udemy mobile apps.
In Domain 1 we cover:
A Enterprise Governance
1A1 Organizational Culture
1A2 Legal, Regulatory, and Contractual Requirements
1A3 Organizational Structures, Roles, and Responsibilities
B Information Security Strategy
1B1 Information Security Strategy Development
1B2 Information Governance Frameworks and Standards
1B3 Strategic Planning (e.g., budgets, resources, business case).
We continue to update our courses to make sure you have the latest and most effective study materials:
2025: Added 9 CISM Domain 1 Mind Maps. Added CISM Quick Sheets (20 pages).
2024: Added CISM Mnemonics. Added subtitles in Japanese and Portuguese (Brazil).
2023: Added updates/new videos: Mission, data, system owners, and data custodians, Mission, data, system owners, and data custodians, Security models and concepts - part 2,
2022: Full course update for the 2022 curriculum.
2021: 10+ updates: Entirely new content, clearer explanations/examples in videos, and study guides.
2020: 10+ updates: Entirely new content, clearer explanations/examples in videos, and study guides.
2019: My initial course release of my CISM courses.
Start Your Certification Journey Today!
Join thousands of successful professionals who have transformed their careers with ThorTeaches. Let me guide you to CISM certification success.
Enroll now and let's achieve your certification goals together!
Thor Pedersen