CISM Exam Preparation Course


This workshop not only recognizes the vital requirements for passing the CISM exam, but also shares directly the integration of audit concepts, live audit experience, audit cases, and CISM exam techniques across the different areas of IS audit, preparing candidates for the CISM exam with the goal "Pass the exam for sure". The facilitator, Danny Ha, will go through all concepts, questions and cases that are frequently asked and will explain many hard-to-remember audit theories and techniques.

Designed for

This course is mainly for CISM examination candidates who want to pass the examination, and also for in-house control managers, information security officers, risk planners, accountants, CEOs, SMB owners, and anyone interested in understanding the operational requirements regarding information systems security, controls, and management.

Features of the workshop

  • Experienced and qualified trainer, Danny Ha, with 27 years of practical industry experience in IT, information systems audit, security and business risk management, holding the designations CISA, CISM, CISSP, CPM, FCRP, CRT, PMP, MBA, ISLA ISC2. For his bio, please visit

  • Comprehensive coverage of course material and discussion of past exam questions

  • Precise and clear presentation slides with live audit experience sharing

  • In-depth revision and explanation to help students pass the examination

  • Exam techniques sharing

Information Security Governance (21%)

  • Develop the information security strategy in support of business strategy and direction.

  • Obtain senior management commitment and support for information security throughout the enterprise.

  • Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.

  • Establish reporting and communication channels that support information security governance activities.

  • Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise.

  • Establish and maintain information security policies that support business goals and objectives.

  • Ensure the development of procedures and guidelines that support information security policies.

  • Develop business case and enterprise value analysis that support information security program investments.

  • Knowledge of information security concepts


Risk Management (21%)

  • Develop a systematic, analytical and continuous risk management process

  • Ensure that risk identification, analysis and mitigation activities are integrated into life cycle processes

  • Apply risk identification and analysis methods

  • Define strategies and prioritize options to mitigate risk to levels acceptable to the enterprise

  • Report significant changes in risk to appropriate levels of management on both a periodic and event-driven basis

  • Knowledge of information resources used in support of business processes


Information Security Program Management (21%)

  • Create and maintain plans to implement the information security governance framework

  • Develop information security baseline(s)

  • Develop procedures and guidelines to ensure business processes address information security risk

  • Develop procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies

  • Integrate information security program requirements into the organization’s life cycle activities

  • Develop methods of meeting information security policy requirements that recognize the impact on end-users

  • Promote accountability by business process owners and other stakeholders in managing information security risks

  • Establish metrics to manage the information security governance framework

  • Ensure that internal and external resources for information security are identified, appropriated and managed


Information Security Management (24%)

  • Ensure that the rules of use for information systems comply with the enterprise’s information security policies.

  • Ensure that the administrative procedures for information systems comply with the enterprise’s information security policies

  • Ensure that services provided by other enterprises including outsourced providers are consistent with established information security policies.

  • Use metrics to measure, monitor and report on the effectiveness and efficiency of information security controls and compliance with information security policies

  • Ensure that information security is not compromised throughout the change management process

  • Ensure that vulnerability assessments are performed to evaluate effectiveness of existing controls

  • Ensure that noncompliance issues and other variances are resolved in a timely manner

  • Ensure the development and delivery of the activities that can influence culture and behavior of staff including information security education and awareness


Response Management (13%)

  • Develop and implement processes for detecting, identifying and analyzing security-related events

  • Develop response and recovery plans including organizing, training and equipping the teams

  • Ensure periodic testing of the response and recovery plans where appropriate

  • Ensure the execution of response and recovery plans as required

  • Establish procedures for documenting an event as a basis for subsequent action, including forensics when necessary
