1 Information security perspectives

1.1 Business interest of information security
The candidate can…
1.1.1 distinguish types of information based on their business value.
1.1.2 explain the characteristics of a management system for information security.

1.2 Customer perspective on governance
The candidate can…
1.2.1 explain the importance of information governance when outsourcing.
1.2.2 recommend a supplier based on security controls.

1.3 Supplier’s responsibilities in security assurance
The candidate can…
1.3.1 distinguish security aspects in service management processes.
1.3.2 support compliance activities.

2 Risk management

2.1 Principles of risk management
The candidate can…
2.1.1 explain principles of analyzing risks.
2.1.2 identify risks for classified assets.
2.1.3 calculate risks for classified assets.

2.2 Control risks
The candidate can…
2.2.1 categorize controls based on confidentiality, integrity, and availability.
2.2.2 choose controls based on incident cycle stages.
2.2.3 choose relevant guidelines for applying controls.

2.3 Deal with residual risks
The candidate can…
2.3.1 distinguish risk strategies.
2.3.2 produce business cases for controls.
2.3.3 produce reports on risk analyses.

3 Information security controls

3.1 Organizational controls
The candidate can…
3.1.1 write policies and procedures for information security.
3.1.2 implement information security incident handling.
3.1.3 perform an awareness campaign in the organization.
3.1.4 implement roles and responsibilities for information security.
3.1.5 support the development and testing of a business continuity plan.

3.2 Technological controls
The candidate can…
3.2.1 explain the purpose of security architectures.
3.2.2 explain the purpose of security services.
3.2.3 explain the importance of security elements in the IT infrastructure.

3.3 Physical controls and people controls
The candidate can…
3.3.1 recommend controls for physical access.
3.3.2 recommend security controls for employment life cycle.