
Practitioner Certificate in Information Security Risk Management

Our Practitioner Certificate in Information Risk Management training provides the practitioner-level skills needed to apply information risk management terminology and principles to cyber security operations, including conducting threat and vulnerability assessments, business impact analyses and risk assessments.


Training is aligned to support individuals seeking to undertake the BCS Practitioner Certificate in Information Risk Management exam.

This training can be delivered virtually, at our London or Bristol facilities, or at our clients’ premises; training is typically for group bookings only.


BCS Practitioner Certificate in Information Risk Management


By the end of this training, you will have learnt how to apply information risk management techniques to cyber security operations.


Intermediate-level information security practitioners who wish to gain the knowledge and skills required to apply risk management methodologies to information security. Example roles might include:

  • Information security consultants
  • Cyber security practitioners
  • Risk and/or compliance practitioners
  • Privacy or data protection officers
  • Cyber/information security managers
  • Individuals who have information security and information assurance responsibilities.

Learning outcomes
  • Determine how the management of information risk will bring about significant business benefits.
  • Explain and make full use of information risk management terminology.
  • Conduct threat and vulnerability assessments, business impact analyses and risk assessments.
  • Understand the principles of controls and risk treatment.
  • Present the results in a format which will form the basis of a risk treatment plan.
  • Use information classification schemes.

Ideally, participants will have experience of working in an information security or information assurance role and will have undertaken the BCS Certificate in Information Security Management Principles (CISMP) exam and/or training.

Knowledge of:

  • Cyber/information security controls and privacy requirements for the management of risks relating to data.
  • Cyber/information security policies, procedures, and regulations.
  • Confidentiality, integrity and availability principles and requirements.
  • Best practice cyber/information security risk management methodologies.
  • Their organisation’s formats for management and compliance reporting relating to cyber/information security risks, readiness, and progress against plans.
  • Who is developing their organisation’s strategies, policies, and plans, along with their contact details and their expectations.
  • Their organisation’s policies and standard operating procedures relating to cyber/information security.
  • Which cyber threat actors are relevant to their organisation.
  • The threat environment within which their organisation is operating.

This training can be tailored to an industry or for a defined audience, with various durations. Example topics typically include:

Concepts and Frameworks of Cyber Security Risk Management

  • The need for cyber security risk management
  • The context of risk in the organisation

Cyber Security Risk Management Fundamentals

  • Review of cyber security fundamentals
  • The use of cyber security risk management standards and good practice guides
  • The process of cyber security risk management
  • Terms and definitions
  • Compliance and audit
  • Risk Management modelling and tools

Establishing a Cyber Security Risk Management Programme

  • The cyber security risk management programme requirements
  • Risk management case study – UK Government Department for Business Innovation and Skills: Approach to risk
  • Development of the strategic approach to cyber security risk management
  • Information classification
  • Identification and selection of open source risk management tools

Risk Identification

  • Identification of assets
  • Business impact analysis
  • Threat and vulnerability assessment
  • Performing a Business Impact Analysis

Risk Assessment

  • Risk analysis
  • Risk evaluation
  • Risk assessment case study: Australian Mines Limited: Risk assessment and management
  • Evaluating supply chain risks

Risk Treatment

  • Risk treatment options, controls, and processes
  • Risk treatment plans

Presenting Risks and Business Case

  • Risk reporting and presentation
  • Business case

Monitor and Review

  • Cyber security risk monitoring
  • Cyber security risk review
  • Risk metrics
  • Cyber security risk programme management reporting

Exam Preparation