
BCS CISMP-V9 Exam Topics, Blueprint and Syllabus

BCS Foundation Certificate in Information Security Management Principles V9.0

Last Update May 14, 2024
Total Questions : 100

Our Information security and CCP scheme certifications CISMP-V9 exam questions and answers cover all the topics of the latest BCS Foundation Certificate in Information Security Management Principles V9.0 exam; see the topics listed below. We also provide BCS CISMP-V9 exam dumps with accurate exam content to help you prepare for the exam quickly and easily. Additionally, we offer a range of BCS CISMP-V9 resources to help you understand the topics covered in the exam, such as Information security and CCP scheme certifications video tutorials, CISMP-V9 study guides and CISMP-V9 practice exams. With these resources, you can develop a better understanding of the topics covered in the exam and be better prepared for success.


BCS CISMP-V9 Exam Overview:

Exam Name: BCS Foundation Certificate in Information Security Management Principles V9.0

Exam Code: CISMP-V9

Actual Exam Duration: The duration of the BCS CISMP-V9 exam is 2 hours.

What the exam is about: BCS CISMP-V9 is an exam that tests the knowledge and understanding of individuals in the field of information security management. It covers topics such as risk management, security policies, security standards, security incident management, and business continuity planning. The exam is designed for professionals who are responsible for managing information security within their organizations, including IT managers, security managers, and risk managers. Passing the exam demonstrates that an individual has the necessary skills and knowledge to effectively manage information security in a business environment.

Passing Score required: The passing score required in the BCS CISMP-V9 exam is 65%.

Competency Level required: According to the BCS website, the CISMP-V9 exam is designed for individuals who have a basic understanding of information security management principles and practices. The exam is suitable for those who are working in or aspiring to work in roles such as information security managers, security officers, and IT managers. The exam covers topics such as risk management, security controls, legal and regulatory requirements, and incident management. To pass the exam, candidates must demonstrate a good understanding of these topics and their practical application in real-world scenarios.

Questions Format: Based on the exam pattern and syllabus, the questions in the BCS CISMP-V9 exam are likely to be in the following formats:

  1. Multiple-choice questions (MCQs)
  2. True/false questions
  3. Matching questions
  4. Fill-in-the-blank questions
  5. Scenario-based questions
  6. Essay questions

The exam may also include practical exercises or case studies that require candidates to apply their knowledge and skills to real-world situations. The exam is designed to test the candidate's understanding of information security management principles, concepts, and best practices.

Delivery of Exam: The BCS CISMP-V9 exam is a computer-based exam (CBE) that is delivered through Pearson VUE testing centers.

Language offered: Based on the exam objectives and syllabus, it can be assumed that the exam would be offered in English and would cover technical and non-technical cybersecurity concepts and terminology. The exam may also include industry-specific jargon and acronyms commonly used in the cybersecurity field.

Cost of exam: You can visit the official website of the British Computer Society (BCS) to get the latest information on the cost/price of the CISMP-V9 exam.

Target Audience: The BCS CISMP-V9 certification is designed for individuals who are responsible for managing information security in their organization. The target audience for this certification includes:

  1. Information security managers
  2. IT managers
  3. Risk managers
  4. Compliance managers
  5. Security consultants
  6. Security auditors
  7. Business continuity managers
  8. Data protection officers
  9. Network administrators
  10. System administrators

The certification is also suitable for individuals who are looking to enhance their knowledge and skills in information security management. It is recommended that candidates have some prior experience in information security or IT management before attempting the CISMP-V9 certification.

Average Salary in Market: The average salary for a Certified Information Security Management Professional (CISMP) in the United States is around $100,000 per year. However, the salary may vary depending on the location, industry, and experience level.

Testing Provider: You can visit the official website of BCS, The Chartered Institute for IT, to find authorized training providers who offer the CISMP-V9 exam. Additionally, you can also check with online learning platforms such as Udemy, Coursera, or edX, which may offer CISMP-V9 exam preparation courses.

Recommended Experience: According to the official BCS CISMP-V9 exam website, the recommended experience for the exam includes:

  - A basic understanding of information security concepts and principles
  - Experience in an information security-related role, such as a security analyst or manager
  - Familiarity with relevant laws and regulations related to information security
  - Knowledge of risk management and assessment methodologies
  - Understanding of security controls and their implementation
  - Awareness of emerging threats and vulnerabilities in the information security landscape
Prerequisite:

The prerequisites for the BCS CISMP-V9 exam are:

  1. Basic knowledge of IT security concepts and principles
  2. Understanding of the legal and regulatory requirements related to information security
  3. Familiarity with the ISO/IEC 27001 standard and its implementation
  4. Experience in managing information security risks and incidents
  5. Knowledge of security controls and their implementation in an organization
  6. Understanding of the business continuity planning process and its importance in information security management.
Retirement (If Applicable): It is recommended to check the official website of BCS or contact their customer support for the latest updates on the retirement date of the exam.

Certification Track (RoadMap): The BCS CISMP-V9 (Certificate in Information Security Management Principles) exam is a certification track/roadmap that focuses on providing individuals with the knowledge and skills required to manage information security within an organization. The certification is designed for professionals who are responsible for managing information security, including IT managers, security managers, and information security officers. The certification track/roadmap for the BCS CISMP-V9 exam includes the following steps:

  1. Understanding the principles of information security management
  2. Understanding the legal and regulatory requirements for information security
  3. Understanding the risk management process and how to apply it to information security
  4. Understanding the importance of security controls and how to implement them
  5. Understanding the importance of incident management and how to respond to security incidents
  6. Understanding the importance of business continuity and disaster recovery planning
  7. Understanding the importance of security awareness and training for employees

To achieve the BCS CISMP-V9 certification, individuals must pass a single exam that covers all of these topics. The exam is designed to test the individual's knowledge and understanding of information security management principles and their ability to apply them in a real-world setting.

Official Information: https://www.bcs.org/get-qualified/certifications-for-professionals/information-security-and-ccp-scheme-certifications/bcs-foundation-certificate-in-information-security-management-principles/

BCS CISMP-V9 Exam Topics:

Each section is listed with its exam weighting, followed by its objectives.
1. Information Security Management Principles (10%)

1.1. Identify definitions, meanings and use of concepts and terms across information security management. It includes the following concepts and terms:
1.1.1. Information security (confidentiality, integrity, availability and non-repudiation)
1.1.2. Cybersecurity
1.1.3. Asset and asset types (information, physical, software)
1.1.4. Asset value and asset valuation
1.1.5. Threat, vulnerability, impact and risk
1.1.6. Organisational risk appetite and risk tolerance
1.1.7. Information security policy concepts
1.1.8. The types, uses and purposes of controls
1.1.9. Defence in depth and breadth
1.1.10. Identity, authentication, authorisation and accounting (AAA) framework
1.1.11. Accountability, audit and compliance
1.1.12. Information security professionalism and ethics
1.1.13. The information security management system (ISMS) concept
1.1.14. Information assurance and information governance

1.2. Explain the need for, and the benefits of, information security including:
1.2.1. Importance of information security as part of the general issue of protection of business assets and of the creation of new business models (e.g. cloud, mergers, acquisitions and outsourcing)
1.2.2. Different business models and their impact on security (e.g. online business vs. traditional manufacturing vs. financial services vs. retail; commercial vs. governmental)
1.2.3. Effects of a rapidly changing information and business environment on information security
1.2.4. Balancing the cost/impact of security against the reduction in risk achieved
1.2.5. Information security as part of overall company security policy
1.2.6. The need for a security policy and supporting standards, guidelines and procedures
1.2.7. The relationship with corporate governance and other areas of risk management
1.2.8. Security as an enabler; delivering value rather than cost
2. Information Risk (10%)

2.1. Outline the threats to and vulnerabilities of information systems, including:
2.1.1. Threat intelligence and sharing, the speed of change of threats and the need for a timely response
2.1.2. Threat categorisation (accidental vs. deliberate, internal vs. external, etc.)
2.1.3. Types of accidental threats (e.g. hazards, human error, malfunctions, fire, flood, etc.)
2.1.4. Types of deliberate threats (e.g. hacking, malicious software, sabotage, cyber terrorism, hi-tech crime, etc.)
2.1.5. Threats from the Dark Web and vulnerabilities of big data and the Internet of Things
2.1.6. Sources of accidental threat (e.g. internal employee, trusted partner, poor software design, weak procedures and processes, managed services, social media, etc.)
2.1.7. Sources of deliberate threat (internal employee, trusted partner, random attacker, targeted attack, managed and outsourced services, web sites, etc.)
2.1.8. Vulnerability categorisation (e.g. weaknesses in software, hardware, buildings/facilities, people, procedures)
2.1.9. Vulnerabilities of specific information system types (e.g. PCs, laptops, hand held devices, bring your own devices (BYOD), servers, network devices, wireless systems, web servers, email systems, etc.)
2.1.10. The contribution of threats, vulnerabilities and asset value to overall risk
2.1.11. Impact assessment of realised threats (e.g. loss of confidentiality, integrity and availability, leading to financial loss, brand damage, loss of confidence, etc.)

2.2. Describe the processes for understanding and managing risk relating to information systems
2.2.1. Risk management process:
  1. establish the context,
  2. assessment (including identification, analysis and evaluation),
  3. treatment, communication and consultation, and
  4. monitoring and review

2.2.2. Strategic options for dealing with risks and residual risk, i.e. avoid/eliminate/terminate, reduce/modify, transfer/share, accept/tolerate
2.2.3. Tactical ways in which controls may be used – preventive, directive, detective and corrective
2.2.4. Operational types of controls – physical, procedural (people) and technical
2.2.5. The purpose of and approaches to impact assessment including qualitative, quantitative, software tools and questionnaires
2.2.6. Identifying and accounting for the value of information assets
2.2.7. Principles of information classification strategies
2.2.8. The need to assess the risks to the business in business terms
2.2.9. Balancing the cost of information security against the cost of potential losses
2.2.10. The role of management in accepting risk
2.2.11. Contribution to corporate risk registers

3. Information Security Framework (15%)

3.1. Explain how risk management should be implemented in an organisation.
3.1.1. The organisation’s management of information security
3.1.1.1. Information security roles in an enterprise
3.1.1.2. Placement in the organisation structure
3.1.1.3. Senior leadership team responsibilities
3.1.1.4. Responsibilities across the wider organisation
3.1.1.5. Need to take account of statutory (e.g. data protection, health & safety), regulatory (e.g. financial conduct regulations) and advisory (e.g. accounting practices, corporate governance guidelines) requirements
3.1.1.6. Need for, and provision of, specialist information security advice and expertise
3.1.1.7. Creating an organisational culture of good information security practice

3.1.2. Organisational policy, standards and procedures
3.1.2.1. Developing, writing and getting commitment to security policies
3.1.2.2. Developing standards, guidelines, operating procedures, etc. internally and with third parties (outsourcing), managed service providers, etc.
3.1.2.3. Balance between physical, procedural and technical security controls
3.1.2.3.1. Defence in depth and breadth
3.1.2.4. End user codes of practice
3.1.2.5. Consequences of policy violation

3.1.3. Information security governance
3.1.3.1. Review, evaluation and revision of security policy
3.1.3.2. Security audits and reviews
3.1.3.3. Checks for compliance with security policy
3.1.3.4. Reporting on compliance status with reference to legal and regulatory requirements (e.g. Sarbanes-Oxley, PCI DSS, data protection legislation (e.g. GDPR))
3.1.3.5. Compliance of contractors, third parties and sub-contractors

3.1.4. Information security implementation
3.1.4.1. Planning – ensuring effective programme implementation
3.1.4.2. How to present information security programmes as a positive benefit (e.g. business case, ROI case, competitive advantage, getting management buy-in)
3.1.4.3. Security architecture and strategy
3.1.4.4. Need to link with business planning, risk management and audit processes

3.1.5. Security incident management. Note: this covers incidents that affect the confidentiality, integrity, availability or non-repudiation of information either directly or indirectly. This includes:
3.1.5.1. Security incident reporting, recording, management
3.1.5.2. Incident response teams/procedures
3.1.5.3. Need for links to corporate incident management systems
3.1.5.4. Processes for involving law enforcement or responding to requests from them

3.2. Interpret general principles of law, legal jurisdiction and associated topics as they affect information security management, covering a broad spectrum from the security implications of compliance with legal requirements affecting business (e.g. international electronic commerce) to laws that directly affect the way information can be monitored and copied. Topics include:
3.2.1. Protection of personal data, restrictions on monitoring, surveillance, communications interception and trans-border data flows
3.2.2. Employment issues and employee rights (e.g. relating to monitoring, surveillance and communications interception rights and employment law)
3.2.3. Common concepts of computer misuse
3.2.4. Requirements for records retention
3.2.5. Intellectual property rights (e.g. copyright, including its application to software, databases and documentation)
3.2.6. Contractual safeguards including common security requirements in outsourcing contracts, third party connections, information exchange, etc.
3.2.7. Collection and preservation of admissible evidence
3.2.8. Securing digital signatures (e.g. legal acceptance issues)
3.2.9. Restrictions on purchase, use and movement of cryptography technology (e.g. export licences)

3.3. Describe a number of common, established standards and procedures that directly affect information security management. Awareness of these to include:
3.3.1. Where to find national and international information security standards
3.3.2. ISO/IEC 27000 series, ISO/IEC 20000 (ITIL®), Common Criteria and other relevant international standards
3.3.3. International industry sector standards, e.g. ISA/IEC 62443 and ISO/IEC 27011
3.3.4. Certification of information security management systems to appropriate standards – e.g. ISO/IEC 27001
3.3.5. Product certification to recognised standards – e.g. ISO/IEC 15408 (the Common Criteria)
3.3.6. Key technical standards – e.g. IETF RFCs, FIPS, ETSI, NIST, NIS

4. Security Lifecycle (10%)

4.1. Demonstrate an understanding of the importance and relevance of the information lifecycle

4.2. Identify the following stages of the information lifecycle.
4.2.1. The creation and/or acquisition of the information (e.g. through emails, letters, phone calls, etc.)
4.2.2. The publication and/or use of the information.
4.2.3. The retention, removal and/or disposal of the information.

4.3. Outline the following concepts of the design process lifecycle including essential and non-functional requirements
4.3.1. Use of architecture frameworks, e.g. SABSA, TOGAF
4.3.2. Agile development, i.e. DevOps, DevSecOps, and potential conflict with security
4.3.3. Sharing of information by design (e.g. cloud, Office 365, etc.)
4.3.4. Service continuity and reliability

4.4. Demonstrate an understanding of the importance of appropriate technical audit and review processes, of effective change control and of configuration management
4.4.1. Methods and strategies for security testing of business systems, including vulnerability assessments and penetration testing
4.4.2. Need for correct reporting of testing and reviews
4.4.3. Verifying linkage between computer and clerical processes
4.4.4. Techniques for monitoring system and network access and usage including the role of audit trails, logs and intrusion detection systems, and techniques for the recovery of useful data from them

4.5. Explain the risks to security brought about by systems development and support
4.5.1. Security requirement specification
4.5.2. Security involvement in system and product assessment – including open source vs proprietary solutions
4.5.3. Security issues associated with commercial off-the-shelf systems/applications/products
4.5.4. Importance of links with the whole business process – including clerical procedures
4.5.5. Separation of development, test and support from operational systems
4.5.6. Security of acceptance processes and security aspects in the process for authorising business systems for use
4.5.7. Role of accreditation of new or modified systems as meeting their security policy
4.5.8. Change control for systems under development to maintain software integrity
4.5.9. Security issues relating to outsourcing software development
4.5.10. Preventing covert channels, Trojan code, rogue code, etc. – code verification techniques
4.5.11. Handling of security patches and non-security patches (e.g. OS upgrades)
4.5.12. Use of certified products/systems including source libraries and templates
4.5.13. Use of “Escrow” to reduce risk of loss of source code

5. Procedural/People Security Controls (15%)

5.1. Explain the risks to information security involving people.
5.1.1. Organisational culture of security
5.1.2. Employee, contractor and business partner awareness of the need for security
5.1.3. Security clearance and vetting
5.1.4. Role of contracts of employment
5.1.5. Need for and topics within service contracts and security undertakings
5.1.6. Rights, responsibilities, authorities and duties of individuals – codes of conduct
5.1.7. Typical topics in acceptable use policies
5.1.8. Role of segregation of duties/avoiding dependence on key individuals
5.1.9. Typical obligations on interested parties (e.g. supply chain, managed service providers, outsourced services, etc.)

5.2. Describe user access controls that may be used to manage those risks
5.2.1. Authentication and authorisation mechanisms (e.g. passwords, tokens, biometrics, multi-factor authentication, etc.) and their attributes (e.g. strength, acceptability, reliability)
5.2.2. Approaches to use of controls on access to information and supporting resources taking cognisance of data ownership rights (e.g. read/write/delete, control), privacy, operational access, etc.
5.2.3. Approaches to administering and reviewing access controls including role-based access, management of privileged users, management of users (joining, leaving, moving, etc.), emergency access
5.2.4. Access points – remote, local, web-based, email, etc. – and appropriate identification and authentication mechanisms
5.2.5. Information classification and protection processes, techniques and approaches

5.3. Identify the importance of appropriate training for all those involved with information
5.3.1. Purpose and role of training – need to tailor to specific needs of different interested parties (e.g. users vs. specialist vs. business manager vs. external parties)
5.3.2. Approaches to training and promoting awareness – e.g. videos, books, reports, computer based training and formal training courses
5.3.3. Sources of information, including internal and external conferences, seminars, newsgroups, trade bodies, government agencies, etc.
5.3.4. Developing positive security behaviour
5.3.5. Continual professional development and training refreshment

6. Technical Security Controls (25%)

6.1. Outline the technical controls that can be used to help ensure protection from malicious software.
6.1.1. Types of malicious software – Trojans, botnets, viruses, worms, active content (e.g. Java, ActiveX, XSS), ransomware, etc.
6.1.2. Different ways systems can get infected (e.g. phishing, spear-phishing, click-bait, third party content)
6.1.3. Methods of control – internal and external, client/server, common approaches, use of good practice guides, open source intelligence, need for regular updates, Open Web Application Security Project, etc.
6.1.4. Security by design, security by default and configuration management

6.2. Identify information security principles associated with the underlying networks and communications systems.
6.2.1. Entry points in networks and associated authentication techniques
6.2.2. Partitioning of networks to reduce risk – role of firewalls, routers, proxy servers and network boundary separation architectures
6.2.3. The role of cryptography in network security – common protocols and techniques (HTTPS, PKI, SSL/TLS, VPN, IPSec, etc.)
6.2.4. Controlling third party access (types of and reasons for) and external connections
6.2.5. Network and acceptable usage policy
6.2.6. Intrusion monitoring and detection methods and application
6.2.7. End-to-end assessment of vulnerabilities and penetration testing of networks and connections, etc.
6.2.8. Secure network management (including configuration control and the periodic mapping and management of firewalls, routers, remote access points, wireless devices, etc.)

6.3. Recognise the information security issues relating to value-added services that use the underlying networks and communications systems. This includes:
6.3.1. Securing real-time services (instant messaging, video conferencing, voice over IP, streaming, etc.)
6.3.2. Securing data exchange mechanisms, e.g. e-commerce, email, internet downloads, file transfers, virtual private network (VPN), etc.
6.3.3. Protection of web servers and e-commerce applications
6.3.4. Mobile computing, home working and BYOD
6.3.5. Security of information being exchanged with other organisations. The management of information security within managed service and outsourced operations, including during the circumstances of subsequent in-sourcing and changes of supplier

6.4. Recall the information security issues relating to organisations that utilise cloud computing facilities. Cloud computing is location independent computing providing off-site resources (e.g. services, applications and storage facilities). This includes:
6.4.1. Legal implications for cloud computing, notably for personal data, IPR and related issues
6.4.2. The particular information security considerations when selecting a cloud computing supplier
6.4.3. Comparing the risks of maintaining a ‘classical’ organisation and architecture with the risks in a cloud computing environment
6.4.4. The importance of distinguishing between commercial risk (of a supplier) and the other consequences of risk to the purchaser

6.5. Define the following aspects of security in information systems, including operating systems, database and file management systems, network systems and applications systems, and how they apply to the IT infrastructure. This includes:
6.5.1. Security information and event monitoring (SIEM)
6.5.2. Separation of systems to reduce risk
6.5.3. Conformance with security policy, standards and guidelines
6.5.4. Access control lists and roles, including control of privileged access
6.5.5. Correctness of input and ongoing correctness of all stored data including parameters for all generalised software
6.5.6. Visualisation and modelling of threats and attacks
6.5.7. Recovery capability, including back-up and audit trails
6.5.8. Intrusion monitoring, detection methods and application
6.5.9. Installation baseline controls to secure systems and applications – dangers of default settings
6.5.10. Configuration management and operational change control
6.5.11. The need to protect system documentation and promote security documentation within the organisation, within partner organisations and within managed service and outsourced operations

7. Physical and Environmental Security Controls (5%)

7.1. Outline the physical aspects of security available in multi-layered defences, and explain the environmental risks to information, for example the need for appropriate power supplies, protection from natural risks (fire, flood, etc.) and risks arising in the everyday operations of an organisation.
7.1.1. General controls and monitoring of access to and protection of physical sites, offices, secure areas, cabinets and rooms
7.1.2. Protection of IT equipment – servers, routers, switches, printers, etc.
7.1.3. Protection of non-IT equipment, power supplies, cabling, etc.
7.1.4. Need for processes to handle intruder alerts, deliberate or accidental physical events, etc.
7.1.5. Clear screen and desk
7.1.6. Moving property on and off-site
7.1.7. Procedures for secure disposal of documents, equipment, storage devices, etc.
7.1.8. Procedures for the disposal of equipment with digital-data retention facilities, e.g. multi-function devices, photocopiers, network printers, etc.
7.1.9. Security requirements in delivery and loading areas

8. Disaster Recovery and Business Continuity Management (5%)

8.1. Describe (K1/2) the differences between and the need for business continuity and disaster recovery.
8.1.1. Relationship with risk assessment and impact analysis
8.1.2. Resilience of systems and infrastructure
8.1.3. Approaches to writing and implementing plans
8.1.4. Need for documentation, maintenance and testing of plans
8.1.5. Need for links to managed service provision and outsourcing
8.1.6. Need for secure off-site storage of vital material
8.1.7. Need to involve personnel, suppliers, IT systems providers, etc.
8.1.8. Relationship with security incident management
8.1.9. Compliance with standards – ISO 22300 series or other relevant international standards

9. Other Technical Aspects (5%)

9.1. Demonstrate understanding of the principles and common practices, including any legal constraints and obligations, so they can contribute appropriately to investigations.
9.1.1. Common processes, tools and techniques for conducting investigations, including intelligence sharing platforms (e.g. CiSP)
9.1.2. Legal and regulatory guidelines for disclosures, investigations, forensic readiness and evidence preservation
9.1.3. Need for relations with law enforcement, including specialist computer crime units and security advice
9.1.4. Issues when buying-in forensics and investigative support from third parties

9.2. Describe the role of cryptography in protecting systems and assets, including awareness of the relevant standards and practices
9.2.1. Basic cryptographic theory, techniques and algorithm types, their use in confidentiality and integrity mechanisms and common cryptographic standards
9.2.2. Policies for cryptographic use, common key management approaches and requirements for cryptographic controls
9.2.3. Link, file, end-to-end, and other common encryption models and common public key infrastructures and trust models, e.g. two-way trust
9.2.4. Common practical applications of cryptography (e.g. for digital signatures, authentication and confidentiality)
9.2.5. Use by individuals of encryption facilities within applications (e.g. WhatsApp, VPN, certificates)