All Episodes

Episode 21: Conducting Effective Risk Analysis Workshops

CISM candidates must know how to facilitate cross-functional risk workshops. In this episode, we walk through the process—from identifying participants and setting obj...

Episode 22: Risk Mitigation and Acceptance Strategies

When risks can't be eliminated, they must be managed. This episode covers the two most frequently used risk treatment options: mitigation and acceptance. Learn how to ...

Episode 23: Risk Transfer and Avoidance Strategies

Sometimes the best risk response is walking away—or handing it off. This episode focuses on transferring and avoiding risk, from insurance and outsourcing to project t...

Episode 24: Establishing Risk and Control Ownership

Ownership is essential to accountability. In this episode, we explain how to assign ownership for risks and controls, and how to ensure those responsibilities are clea...

Episode 25: Best Practices in Risk Monitoring and Reporting

CISM exam scenarios often involve risk communication. This episode covers how to monitor risks over time and report findings in ways that drive decision-making. You'll...

Episode 26: Staffing and Managing Security Teams

Domain 3 covers security program development—and that includes managing people. In this episode, we examine how to build and lead an effective security team, define ro...

Episode 27: Selecting and Implementing Security Tools and Technologies

Technology supports security—but strategy drives selection. This episode helps you evaluate tools based on business needs, risk reduction, and operational fit. You’ll ...

Episode 28: Information Asset Identification and Classification Fundamentals

CISM professionals must protect what matters most. This episode covers how to identify, categorize, and classify information assets, including systems, data, and servi...

Episode 29: Applying Industry Standards and Frameworks to Your Security Program

Domain 3 expects you to apply security frameworks—not just memorize them. In this episode, we explain how to align your program with standards like ISO 27001, NIST SP ...

Episode 30: Developing Effective Security Policies

Every security program is built on policy. In this episode, we cover how to draft policies that support governance, define behavior, and reflect organizational risk ap...

Episode 31: Writing Actionable Procedures and Guidelines

Policies set direction—but procedures make things happen. This episode teaches you how to translate security policies into actionable procedures and practical guidelin...

Episode 32: Developing and Using Information Security Program Metrics

If you can’t measure it, you can’t manage it. In this episode, we cover how to create meaningful metrics for tracking the effectiveness of your security program. You’l...

Episode 33: Designing and Selecting Effective Information Security Controls

Controls are at the heart of any security program. This episode shows you how to choose the right controls based on risk assessments, business impact, and regulatory r...

Episode 34: Implementing and Integrating Information Security Controls

CISM candidates must know how to implement controls—not just select them. This episode covers how to plan, deploy, and integrate security controls across the enterpris...

Episode 35: Techniques for Information Security Control Testing and Evaluation

Testing controls is how you validate effectiveness—and it’s a must-know area for the exam. In this episode, we walk through test design, performance validation, and ho...

Episode 36: Developing Engaging Information Security Awareness and Training Programs

Security programs fail without user participation. This episode explores how to build training and awareness initiatives that promote secure behavior and reinforce gov...

Episode 37: Vendor Risk Assessment and Selection

Third-party vendors can expand capabilities—or introduce serious risk. This episode explains how to evaluate vendors before selection by conducting security assessment...

Episode 38: Contractual Security Requirements and Ongoing Vendor Monitoring

Once a vendor is onboarded, the work doesn’t stop. This episode covers how to include security clauses in contracts, define SLAs, and monitor vendor compliance over ti...

Episode 39: Communications and Reporting for the Information Security Program

Strong security programs communicate effectively. In this episode, we explain how to report program performance, risks, and control status to senior leaders, stakehold...

Episode 40: Designing and Documenting the Incident Response Plan

Domain 4 begins here. This episode walks you through how to design a comprehensive incident response plan—from defining roles and escalation paths to documenting proce...