CISM International Certification Course


Course promotion!
Enrol in both of the following courses at the same time:

and save $420!


The centre now accepts payment via FPS (轉數快).



Recommended service: watch class recordings any time
(home viewing = 0%, on-site viewing = 100%)

Dates and times for 100% on-site viewing:
Your choice; select a district below to see its office hours and location.

Unrestricted: $2,580 (no location restriction)
Mong Kok (5% off): $2,451, tel. 2332-6544
Kwun Tong (10% off): $2,322, tel. 3563-8425
North Point (10% off): $2,322, tel. 3580-1893
Sha Tin (15% off): $2,193, tel. 2151-9360
Tuen Mun (15% off): $2,193, tel. 3523-1560

Course duration: 18 hours

Access period: 6 weeks. You control the pace, faster or slower as you wish.

Recording instructor: Franco
Free on-site trial viewing: first 1 hour; call one of the locations above to book with centre staff.

This course includes free on-site re-viewing and an instructor Q&A service.




Recommended service: watch class recordings any time
(home viewing = 33%, on-site viewing = 67%)

Dates and times for the 33% home viewing:
24 hours a day, any day, unlimited views

Dates and times for the 67% on-site viewing:
Your choice within the centre's office hours; select a district below to see its office hours and location.

Mong Kok: $2,580, tel. 2332-6544
Kwun Tong: $2,580, tel. 3563-8425
North Point: $2,580, tel. 3580-1893
Sha Tin: $2,580, tel. 2151-9360
Tuen Mun: $2,580, tel. 3523-1560

Course duration: 18 hours

Home and on-site viewing: the first 6 hours at home, the remaining 12 hours at the centre.

Access period: 6 weeks. You control the pace, faster or slower as you wish.

Recording instructor: Franco
Free on-site trial viewing: first 1 hour; call one of the locations above to book with centre staff.

This course includes free on-site re-viewing and an instructor Q&A service.




ISACA® was founded in 1969 and has for many years been active in systems assurance and security, enterprise IT governance and information risk, earning a strong reputation.

ISACA® has more than 140,000 members in over 180 countries. The globally recognised Certified Information Security Manager (CISM®) credential it awards is a must-have certification for information management professionals.

The CISM certification is designed for information security managers and for professionals who carry information security management responsibilities. Holding CISM signals that the professional has recognised expertise in information risk management and in managing and designing an information security program.

Course name: CISM International Certification Course
- Short name: CISM Training Course
Course hours: 18 hours in total (6 sessions)
Suitable for: those with 5 or more years of security management work experience
Language of instruction: mainly Cantonese, supplemented with English
Course notes: written by the centre's instructor, mainly in English, with Chinese glosses for some English terms.

1. Taught personally by Franco Tsang (CCIE #19772): the course is taught by Franco Tsang, who holds CISM, CISA, CISSP and ITIL Expert.
2. Notes written by Franco Tsang: Franco writes the notes himself, mainly in English with Chinese glosses for some English terms, so you need not grind through dictionary-thick textbooks that do not suit Hong Kong study habits.
3. Practice exam questions: the centre provides students with ample practice exam questions, each with a model answer; harder questions also come with an explanation.
4. Equal weight on theory and the exam: Franco explains the relevant concepts clearly in class so that students grasp the abstract ideas of information risk management and of managing and designing an information security program, and works through quality questions in class to apply what has been learned.
5. Free re-attendance: classroom students may re-watch the class recordings free of charge within three months after the course ends.

The centre is a PSI-designated CISM exam test centre, and the instructor explains the exam procedure in class. Exam fees are as follows:

  • ISACA Member: US $575
  • ISACA Nonmember: US $760

After passing the exam, candidates must:

  • have 5 or more years of security management work experience
  • agree to abide by the ISACA Code of Professional Ethics
  • submit the CISM application form

Once these are completed, you become a CISM.


Course name: CISM International Certification Course
- Short name: CISM Training Course


1 Information Security Governance
1.1 Enterprise Governance
1.1.1 Organizational Culture
1.1.2 Legal, Regulatory, and Contractual Requirements
1.1.3 Organizational Structures, Roles, and Responsibilities
1.2 Information Security Strategy
1.2.1 Information Security Strategy Development
1.2.2 Information Governance Frameworks and Standards
1.2.3 Strategic Planning (e.g., budgets, resources, business case)

2 Information Security Risk Management
2.1 Information Security Risk Assessment
2.1.1 Emerging Risk and Threat Landscape
2.1.2 Vulnerability and Control Deficiency Analysis
2.1.3 Risk Assessment and Analysis
2.2 Information Security Risk Response
2.2.1 Risk Treatment / Risk Response Options
2.2.2 Risk and Control Ownership
2.2.3 Risk Monitoring and Reporting

3 Information Security Program
3.1 Information Security Program Development
3.1.1 Information Security Program Resources (e.g., people, tools, technologies)
3.1.2 Information Asset Identification and Classification
3.1.3 Industry Standards and Frameworks for Information Security
3.1.4 Information Security Policies, Procedures, and Guidelines
3.1.5 Information Security Program Metrics
3.2 Information Security Program Management
3.2.1 Information Security Control Design and Selection
3.2.2 Information Security Control Implementation and Integrations
3.2.3 Information Security Control Testing and Evaluation
3.2.4 Information Security Awareness and Training
3.2.5 Management of External Services (e.g., providers, suppliers, third parties, fourth parties)
3.2.6 Information Security Program Communications and Reporting

4 Incident Management
4.1 Incident Management Readiness
4.1.1 Incident Response Plan
4.1.2 Business Impact Analysis (BIA)
4.1.3 Business Continuity Plan (BCP)
4.1.4 Disaster Recovery Plan (DRP)
4.1.5 Incident Classification/Categorization
4.1.6 Incident Management Training, Testing, and Evaluation
4.2 Incident Management Operations
4.2.1 Incident Management Tools and Techniques
4.2.2 Incident Investigation and Evaluation
4.2.3 Incident Containment Methods
4.2.4 Incident Response Communications (e.g., reporting, notification, escalation)
4.2.5 Incident Eradication and Recovery
4.2.6 Post-incident Review Practices



1 Information Security Governance
1.1 Enterprise Governance
1.1.1 Information, governance, management, value creation
1.1.2 Why enterprise governance?
1.1.3 Six basic outcomes of Information Security Governance or Information Security Program
1.1.4 Information security vs cybersecurity / Scope and Charter of Information Security Governance
1.1.5 Organizational Culture
1.1.5.1 Culture
1.1.5.2 General rules of use and acceptable use policies
1.1.5.3 Ethics
1.1.6 Legal, Regulatory, and Contractual Requirements
1.1.6.1 Data / Content retention
1.1.7 Organizational Structures, Roles, and Responsibilities
1.1.7.1 Roles and responsibilities with the RACI matrix
1.1.7.1.1 Skills
1.1.7.1.2 Board of directors
1.1.7.2 Senior management
1.1.7.3 Business Process Owners
1.1.7.4 Steering Committee
1.1.7.5 Chief Information Security Officer (CISO)
1.1.7.6 Risk Management Roles and Responsibilities
1.1.7.7 Roles and components of an organizational structure
1.2 Information Security Strategy
1.2.1 Information Security Strategy Development
1.2.1.1 Business Goals and Objectives
1.2.1.2 Information Security Strategy Objectives
1.2.1.3 Ensuring Objective and Business Integration
1.2.1.4 Business linkages
1.2.1.5 Avoiding Common Pitfalls and Bias
1.2.1.6 The Desired State
1.2.1.6.1 What is the desired state?
1.2.1.6.2 Challenges
1.2.1.6.3 Approaches
1.2.1.6.3.1 COBIT (Control Objectives for Information Technologies)
1.2.1.6.3.2 Business Model for Information Security (BMIS)
1.2.1.6.3.2.1 Four elements
1.2.1.6.3.2.2 Six dynamic interconnections
1.2.1.6.3.3 Governance, Risk Management and Compliance (GRC)
1.2.1.7 Information Security Strategy Development
1.2.1.8 Elements of a Strategy
1.2.2 Information Governance Frameworks and Standards
1.2.2.1 Balanced Scorecard (BSC)
1.2.2.2 Architectural Approaches
1.2.2.3 Enterprise Risk Management Frameworks
1.2.2.4 Information Security/Cybersecurity Management Frameworks
1.2.2.5 Other Frameworks
1.2.3 Strategic Planning (e.g., budgets, resources, business case)
1.2.3.1 Workforce Composition and Skills
1.2.3.1.1 Organizational structure
1.2.3.1.2 Centralized and Decentralized Approaches to Coordinating Information Security
1.2.3.1.3 Employee Roles and Responsibilities
1.2.3.1.4 Skills
1.2.3.1.5 Awareness and Education
1.2.3.2 Assurance Provisions
1.2.3.2.1 Audits
1.2.3.2.2 Compliance Enforcement
1.2.3.3 Risk Assessment and Management
1.2.3.3.1 Business Impact Analysis (BIA)
1.2.3.3.2 Business / Resource Dependency Analysis
1.2.3.3.3 Outsourced Services
1.2.3.3.4 Threat Assessment
1.2.3.3.5 Vulnerability Assessment
1.2.3.3.6 Insurance
1.2.3.3.7 Other Organizational Support and Assurance Providers
1.2.3.4 Action Plan to Implement Strategy
1.2.3.4.1 Gap analysis
1.2.3.4.2 Action Plan Metrics
1.2.3.4.2.1 Key Goal Indicators (KGIs)
1.2.3.4.2.2 Key Performance Indicators (KPIs)
1.2.3.4.2.3 Metrics
1.2.3.5 Information Security Program Objectives

2 Information Security Risk Management
2.1 Information Security Risk Assessment
2.1.1 Emerging Risk and Threat Landscape
2.1.1.1 Risk Identification
2.1.1.2 Threats
2.1.1.3 Defining a Risk Management Framework
2.1.1.3.1 Defining the Internal Environment
2.1.1.3.2 Defining the External Environment
2.1.1.4 Emerging Threats
2.1.1.5 Risk, Likelihood and Impact
2.1.1.6 Risk register
2.1.2 Vulnerability and Control Deficiency Analysis
2.1.2.1 Security Control Baselines
2.1.2.2 Events Affecting Security Baselines
2.1.3 Risk Assessment, Evaluation and Analysis
2.1.3.1 Determining the Risk Management Context
2.1.3.2 Operational Risk Management
2.1.3.3 Risk Management Integration with IT Life Cycle Management Processes
2.1.3.4 Risk Scenarios
2.1.3.5 Risk Assessment Process
2.1.3.6 Risk Assessment and Analysis Methodologies
2.1.3.6.1 NIST Risk Assessment Methodology
2.1.3.6.2 ISO/IEC 27005 Process Steps
2.1.3.6.3 Cascading Risk
2.1.3.7 Other Risk Assessment Approaches
2.1.3.7.1 Factor Analysis of Information Risk (FAIR)
2.1.3.7.2 Holistic Approach to Risk Management (HARM)
2.1.3.7.3 Probabilistic Risk Assessment (PRA)
2.1.3.8 Risk Analysis
2.1.3.8.1 Gap Analysis
2.1.3.8.2 Qualitative Analysis / Qualitative Risk Analysis and Semi-Quantitative (Hybrid) Analysis
2.1.3.8.3 Quantitative Risk Analysis
2.1.3.8.4 Other Risk Analysis Methods
2.1.3.9 Risk Evaluation
2.1.3.10 Risk Ranking
2.2 Information Security Risk Response
2.2.1 Risk Treatment / Risk Response Options
2.2.1.1 Determining Risk Capacity and Acceptable Risk (Risk Appetite)
2.2.1.2 Risk Response Options
2.2.1.2.1 Avoid
2.2.1.2.2 Transfer
2.2.1.2.3 Mitigate
2.2.1.2.4 Accept
2.2.1.3 Risk Acceptance Framework
2.2.1.4 Inherent and Residual Risk
2.2.1.5 Impact
2.2.1.6 Controls
2.2.1.7 Legal and Regulatory Requirements
2.2.1.8 Costs and Benefits
2.2.2 Risk and Control Ownership
2.2.2.1 Risk Ownership and Accountability
2.2.2.2 Risk owner
2.2.2.3 Control owner
2.2.3 Risk Monitoring and Reporting
2.2.3.1 Risk Monitoring
2.2.3.2 Key Risk Indicators (KRI)
2.2.3.3 Reporting Changes in Risk
2.2.3.4 Risk Communication, Awareness and Consulting
2.2.3.4.1 Risk Awareness
2.2.3.5 Documentation

3 Information Security Program
3.1 Information Security Program Development
3.1.1 Information Security Program Overview
3.1.1.1 Information Security Management Trends
3.1.1.2 Essential Elements of an Information Security Program
3.1.1.3 Importance of the Information Security Program
3.1.1.4 Applying the Security Program Business Case
3.1.1.5 Outcomes of Information Security Program Management
3.1.2 Information Security Program Resources (e.g., people, tools, technologies)
3.1.2.1 Information Security Program Objectives
3.1.2.2 Information Security Program Concepts
3.1.2.2.1 Management and Process Concepts
3.1.2.2.2 Technology Resources
3.1.2.3 Scope and Charter of an Information Security Program
3.1.2.4 Common Information Security Program Challenges
3.1.2.5 Common Information Security Program Constraints
3.1.3 Information Asset Identification and Classification
3.1.3.1 Information Asset Identification and Valuation
3.1.3.2 Information Asset Valuation Strategies
3.1.3.3 Information Asset Classification
3.1.3.4 Methods to Determine Criticality of Assets and Impact of Adverse Events
3.1.4 Industry Standards and Frameworks for Information Security
3.1.4.1 Enterprise Information Security Architectures
3.1.4.1.1 Enterprise Architecture Domains
3.1.4.1.2 TOGAF (The Open Group Architecture Framework)
3.1.4.1.3 Alternative Enterprise Architecture Frameworks (Just for reference)
3.1.4.1.4 Information Security Management Frameworks
3.1.4.1.4.1 Information Security Framework Components
3.1.5 Information Security Policies, Procedures, and Guidelines
3.1.5.1 Policies
3.1.5.2 Standards
3.1.5.3 Procedures
3.1.5.4 Guidelines
3.1.6 Information Security Program Metrics
3.1.6.1 Effective Security Metrics
3.1.6.2 Security Program Metrics and Monitoring and Metrics Tailored to Enterprise Needs
3.2 Information Security Program Management
3.2.1 Information Security Control Design and Selection
3.2.1.1 Managing Risk Through Controls
3.2.1.2 Controls and Countermeasures
3.2.1.3 Control Categories
3.2.1.4 Control Design Considerations
3.2.1.5 Control Methods
3.2.1.5.1 Countermeasures
3.2.1.5.2 Physical and Environmental Controls
3.2.1.5.3 Native Control Technologies
3.2.1.5.4 Supplemental Control Technologies
3.2.1.5.5 Management Support Technologies
3.2.1.5.6 Technical Control Components and Architecture
3.2.2 Information Security Control Implementation and Integrations
3.2.2.1 Baseline Controls
3.2.3 Information Security Control Testing and Evaluation
3.2.3.1 Control Strength
3.2.3.2 Control Recommendations
3.2.3.3 Control Testing and Modification
3.2.4 Information Security Awareness and Training
3.2.4.1 Developing an Information Security Awareness Program
3.2.4.2 Role-Based Training
3.2.4.3 Training and Education Metrics
3.2.5 Management of External Services (e.g., providers, suppliers, third parties, fourth parties) / Management of External Services and Relationships
3.2.5.1 Governance of Third-Party Relationships
3.2.5.2 Third-Party Service Providers
3.2.5.3 Outsourcing Challenges
3.2.5.4 Outsourcing Contracts
3.2.5.5 Third-Party Access
3.2.6 Information Security Program Communications and Reporting
3.2.6.1 Program Management Evaluation
3.2.6.2 The Plan-Do-Check-Act (PDCA) Cycle
3.2.6.3 Security Reviews and Audits
3.2.6.4 Compliance Monitoring and Enforcement
3.2.6.5 Monitoring Approaches
3.2.6.6 Measuring Information Security Management Performance
3.3 Miscellaneous topics

4 Incident Management
4.1 Incident Management Readiness
4.1.1 Incident Response Plan
4.1.1.1 Importance of Incident Management
4.1.1.2 Outcomes of Incident Management
4.1.1.3 Incident Management Resources
4.1.1.4 Policies and Standards
4.1.1.5 Incident Management Objectives
4.1.1.6 Detailed Plan of Action for Incident Management
4.1.1.7 Current State of Incident Response Capability
4.1.1.8 Developing an Incident Response Plan / Elements of an Incident Response Plan
4.1.1.9 Incident Management and Response Teams
4.1.1.10 Organizing, Training and Equipping the Response Staff
4.1.1.11 Challenges in Developing an Incident Management Plan
4.1.2 Business Impact Analysis (BIA)
4.1.2.1 Elements of a Business Impact Analysis
4.1.3 Business Continuity Plan (BCP)
4.1.3.1 Integrating Incident Response with Business Continuity
4.1.3.1.1 RTO
4.1.3.1.2 RPO
4.1.3.1.3 Relationship between RTO and RPO
4.1.3.1.4 SDO
4.1.3.1.5 AIW
4.1.3.1.6 MTO / MTD
4.1.3.2 Methods for Providing Continuity of Network Services
4.1.3.3 High-Availability Considerations / HA Considerations
4.1.3.4 Insurance
4.1.4 Disaster Recovery Plan (DRP)
4.1.4.1 Recovery Operations
4.1.4.2 Addressing Threats
4.1.4.3 Recovery Sites
4.1.4.4 Basis for Recovery Site Selections
4.1.5 Incident Classification/Categorization
4.1.5.1 Escalation Process for Effective Incident Management
4.1.5.2 Help/Service Desk Processes for Identifying Security Incidents
4.1.6 Incident Management Training, Testing, and Evaluation
4.1.6.1 Incident Management Roles and Responsibilities
4.1.6.2 Incident Management Metrics and Indicators
4.1.6.3 Performance Measurement
4.1.6.4 Updating Recovery Plans
4.1.6.5 Testing Incident Response and Business Continuity (BCP) /Disaster Recovery Plans (DRP)
4.1.6.6 Recovery Test Metrics
4.2 Incident Management Operations
4.2.1 Incident Management Tools and Techniques
4.2.1.1 Incident Management Systems, Endpoint Detection and Response, Extended Detection and Response
4.2.1.1.1 Incident Management Systems
4.2.1.1.2 Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR)
4.2.1.2 Incident Response Technology Foundations
4.2.1.3 Personnel
4.2.1.4 Awareness and Education
4.2.1.5 Audits
4.2.1.6 Outsourced Security Providers
4.2.2 Incident Investigation and Evaluation
4.2.3 Incident Containment Methods
4.2.4 Incident Response Communications (e.g., reporting, notification, escalation)
4.2.4.1 Notification Requirements
4.2.4.2 Communication Networks
4.2.5 Incident Eradication and Recovery
4.2.5.1 Eradication Activities
4.2.5.2 Recovery
4.2.6 Post-incident Review Practices
4.2.6.1 Identifying Causes and Corrective Actions
4.2.6.2 Establishing Legal Procedures to Assist in Post-incident Activities
4.2.6.3 Requirements for Evidence
4.2.6.4 Legal Aspects of Forensic Evidence

