Module 1: Introduction to Information Security Governance

• About Information Security Governance
• Reason for Security Governance
• Security Governance Activities and Results
• Risk Appetite
• Organisation Culture

Module 2: Legal, Regulatory and Contractual Requirements

• Introduction
• Requirements for Content and Retention of Business Records

Module 3: Organisational Structures, Roles and Responsibilities

• Roles and Responsibilities
• Monitoring Responsibilities

Module 4: Information Security Strategy Development

• Introduction
• Business Goals and Objectives
• Information Security Strategy Objectives
• Ensuring Objective and Business Integration
• Avoiding Common Pitfalls and Bias
• Desired State
• Elements of a Strategy

Module 5: Information Governance Frameworks and Standards

• Security Balanced Scorecard
• Architectural Approaches
• Enterprise Risk Management Framework
• Information Security Management Frameworks and Models

Module 6: Strategic Planning

• Workforce Composition and Skills
• Assurance Provisions
• Risk Assessment and Management
• Action Plan to Implement Strategy
• Information Security Programme Objectives

Module 7: Emerging Risk and Threat Landscape

• Risk Identification
• Threats
• Defining a Risk Management Framework
• Emerging Threats
• Risk, Likelihood and Impact
• Risk Register

Module 8: Vulnerability and Control Deficiency Analysis

• Introduction
• Security Control Baselines
• Events Affecting Security Baselines

Module 9: Risk Assessment and Analysis

• Introduction
• Determining the Risk Management Context
• Operational Risk Management
• Risk Management Integration with IT Life Cycle Management Processes
• Risk Scenarios
• Risk Assessment Process
• Risk Assessment and Analysis Methodologies
• Other Risk Assessment Approaches
• Risk Analysis
• Risk Evaluation
• Risk Ranking

Module 10: Risk Treatment or Risk Response Options

• Risk Treatment/Risk Response Options
• Determining Risk Capacity and Acceptable Risk (Risk Appetite)
• Risk Response Options
• Risk Acceptance Framework
• Inherent and Residual Risk
• Impact
• Controls
• Legal and Regulatory Requirements
• Costs and Benefits

Module 11: Risk and Control Ownership

• Risk Ownership and Accountability
• Risk Owner
• Control Owner

Module 12: Risk Monitoring and Reporting

• Risk Monitoring
• Key Risk Indicators
• Reporting Changes in Risk
• Risk Communication, Awareness and Consulting
• Documentation

Module 13: Information Security Programme Resources

• Introduction
• Information Security Programme Objectives
• Information Security Programme Concepts
• Common Information Security Programme Challenges
• Common Information Security Programme Constraints

Module 14: Information Asset Identification and Classification

• Information Asset Identification and Valuation
• Information Asset Valuation Strategies
• Information Asset Classification
• Methods to Determine Criticality of Assets and Impact of Adverse Events

Module 15: Industry Standards and Frameworks for Information Security

• Enterprise Information Security Architectures
• Information Security Management Frameworks
• Information Security Frameworks Components

Module 16: Information Security Policies, Procedures, and Guidelines

• Policies
• Standards
• Procedures
• Guidelines

Module 17: Information Security Programme Metrics

• Introduction
• Effective Security Metrics
• Security Programme Metrics and Monitoring
• Metrics Tailored to Enterprise Needs

Module 18: Information Security Control Design and Selection

• Introduction
• Managing Risk Through Controls
• Controls and Countermeasures
• Control Categories
• Control Design Considerations
• Control Methods

Module 19: Security Programme Management

• Risk Management
• Risk Management Programme
• Risk Treatment
• Audit and Reviews
• Third-Party Risk Management

Module 20: Security Programme Operations

• Event Monitoring
• Vulnerability Management
• Security Engineering and Development
• Network Protection
• Endpoint Protection and Management
• Identity and Access Management
• Security Incident Management
• Security Awareness Training
• Managed Security Service Providers
• Data Security
• Cryptography
• Symmetric Key Algorithms

Module 21: IT Service Management

• Service Desk
• Incident Management
• Problem Management
• Change Management
• Configuration Management
• Release Management
• Service Levels Management
• Financial Management
• Capacity Management
• Service Continuity Management
• Availability Management
• Asset Management

Module 22: Controls

• Internal Control Objectives
• Information Systems Control Objectives
• General Computing Controls
• Control Frameworks
• Controls Development
• Control Assessment

Module 23: Metrics and Monitoring

• Types of Metrics
• Audiences
• Continuous Improvement

Module 24: Security Incident Response Overview

• Phases of Incident Response

Module 25: Incident Response Plan Development

• Objectives
• Maturity
• Resources
• Roles and Responsibilities
• Gap Analysis
• Plan Development

Module 26: Responding to Security Incidents

• Detection
• Initiation
• Evaluation
• Recovery
• Remediation
• Closure
• Post-Incident Review

Module 27: Business Continuity and Disaster Recovery Planning

• Business Continuity Planning
• Disaster
• Disaster Recovery Planning
• Testing BC and DR Planning

• Types of Social Engineering Attacks
• Why Employees are Susceptible to Social Engineering?
• Social Engineering Defences

Module 23: Asset Security

• Asset Inventory and Configuration
• Secure Configuration Baselines
• Vulnerability Management
• Asset Security Techniques

Module 24: Data Security

• Data at Rest
• Data in Transit
• Data in Use
• Data Life Cycle

Module 25: Identity and Access Management

• Identity and Access Management Fundamentals
• Identity Management Technologies
• Authentication Factors and Mechanisms
• Access Control Principles
• Access Control Models
• Access Control Administration
• Identity and Access Management Life Cycle

Module 26: Communication and Network Security

• WANs and LANs
• IP Addressing
• Network Address Translation
• Network Protocols and Communications
• Wireless
• Network Technologies and Defences

Module 27: Cryptography

• Cryptography
• Cryptographic Definitions
• Cryptographic Services
• Symmetric, Asymmetric And Hybrid Cryptosystems
• Hash Algorithms
• Message Authentication Codes
• Digital Signatures
• Public Key Infrastructure

Module 28: Cloud Security

• Cloud Security
• Cloud Computing Characteristics
• Cloud Deployment Models
• Cloud Service Models
• Cloud Security Risks and Assurance Levels
• Cloud Security Resources

Module 29: Physical Security

• Making Security Decisions
• Physical Security Threats
• Physical Security Programme Planning
• Physical Security Resources
• Physical Security Controls
• Physical Security Auditing and Measurement

Module 30: Personnel Security

• Personnel Security
• Software Development Security
• Integrating Security into the SDLC
• Security SDLC Roles and Responsibilities
• Software Vulnerabilities
• Secure Coding Practices
• Software Vulnerability Analysis and Assessments

Module 31: Forensics, Incident Handling and Investigations

• Relevant Law
• Logging and Monitoring
• Incident Response and Investigations
• Forensics and Digital Evidence

Module 32: Security Assessment and Testings

• Introduction to Security Assessment and Testings
• Vulnerability Assessments
• Penetration Testing
• Security Programme Assessments

Module 33: Business Continuity and Disaster Recovery

• Introduction to Business Continuity and Disaster Recovery
• Continuity Planning Initiation
• Business Impact Analysis
• Identify Preventive Controls
• Develop Recovery Strategies and Solutions
• Develop the Plan
• Test the Plan
• Maintain the Plan