EXIN Information Security Management Professional based on ISO/IEC 27001 - Including Exam

  • Course code: ISMP-EXIN
  • Duration: 3 days
  • Language: English

Additional payment options

  • GTCs 23 (incl. VAT)

    Global Training Credits: contact us for more information

Virtual learning price

EUR 1,745.00

(excl. VAT)

Delivery method

This training is available in the following formats:

  • Classroom training
  • On customer site
  • Virtual learning

This training can be requested in a different delivery format.

Course description

Information is crucial for the continuity and proper functioning of both individual organizations and the economies they fuel; this information must be protected against access by unauthorized people, protected against accidental or malicious modification or destruction and must be available when it is needed. The module Information Security Management Professional based on ISO/IEC 27001 tests understanding of the organizational, physical and technical aspects of information security.

Virtual Learning

This interactive training is delivered by a trainer and can be taken from any location, such as your office or home. This training does not have any delegates in the class with the instructor, since all delegates are virtually connected. Virtual delegates do not travel to this course. Global Knowledge will send you all the information needed before the start of the course, and you can test the logins.

    • Method: Virtual learning
    • Date: 27-29 July 2026 | 09:00 to 17:00
    • Location: Virtual and classroom (W. Europe)
    • Language: Dutch

    EUR 1,745.00

    • Method: Virtual learning
    • Date: 24-26 August 2026 | 10:00 to 18:00
    • Location: Virtual and classroom (W. Europe)
    • Language: English

    EUR 1,745.00

    • Method: Virtual learning
    • Date: 28-30 September 2026 | 09:00 to 17:00
    • Location: Virtual and classroom (W. Europe)
    • Language: English

    EUR 1,745.00

Target audience

This module is intended for everyone who is involved in the implementation, evaluation, and reporting of an information security program, such as an Information Security Manager (ISM), Information Security Officer (ISO) or a Line Manager, Process Manager or Project Manager with security responsibilities. Basic knowledge of Information Security is recommended, for instance through the EXIN Information Security Foundation based on ISO/IEC 27001 certification.

Course objectives

  • Information security perspectives: the perspectives of the business, the customer, and the service provider
  • Risk Management: Analysis of the risks, choosing controls, dealing with remaining risks
  • Information security controls: Organizational, technical and physical controls

Course content

1 Information security perspectives

1.1 Business interest of information security
The candidate can…
1.1.1 distinguish types of information based on their business value.
1.1.2 explain the characteristics of a management system for information security.

1.2 Customer perspective on governance
The candidate can…
1.2.1 explain the importance of information governance when outsourcing.
1.2.2 recommend a supplier based on security controls.

1.3 Supplier’s responsibilities in security assurance
The candidate can…
1.3.1 distinguish security aspects in service management processes.
1.3.2 support compliance activities.

2 Risk management

2.1 Principles of risk management
The candidate can…
2.1.1 explain principles of analyzing risks.
2.1.2 identify risks for classified assets.
2.1.3 calculate risks for classified assets.

2.2 Control risks
The candidate can…
2.2.1 categorize controls based on confidentiality, integrity, and availability.
2.2.2 choose controls based on incident cycle stages.
2.2.3 choose relevant guidelines for applying controls.

2.3 Deal with residual risks
The candidate can…
2.3.1 distinguish risk strategies.
2.3.2 produce business cases for controls.
2.3.3 produce reports on risk analyses.

3 Information security controls

3.1 Organizational controls
The candidate can…
3.1.1 write policies and procedures for information security.
3.1.2 implement information security incident handling.
3.1.3 perform an awareness campaign in the organization.
3.1.4 implement roles and responsibilities for information security.
3.1.5 support the development and testing of a business continuity plan.

3.2 Technological controls
The candidate can…
3.2.1 explain the purpose of security architectures.
3.2.2 explain the purpose of security services.
3.2.3 explain the importance of security elements in the IT infrastructure.

3.3 Physical controls and people controls
The candidate can…
3.3.1 recommend controls for physical access.
3.3.2 recommend security controls for employment life cycle.

Requirements for certification

  • Successful completion of the EXIN Information Security Management Professional based on ISO/IEC 27001 exam.
  • Accredited EXIN Information Security Management Professional based on ISO/IEC 27001 training, including completion of the practical assignments.

Examination details

Examination type: Multiple-choice questions
Number of questions: 30
Pass mark: 65% (20/30 questions)
Open book: No
Notes: No
Electronic equipment/aids permitted: No
Exam duration: 90 minutes

The Rules and Regulations for EXIN’s examinations apply to this exam.