Bruce Passed ISC2 CISSP-ISSMP Exam on 6th November


After studying for 40 hours within 8 days (from 2018/10/29 to 2018/11/05), I cleared the ISC2 CISSP-ISSMP (Information Systems Security Management Professional) exam today. This exam is one of the 3 CISSP concentrations. As its name denotes, this exam is all about basic management concepts and the difficulty level is not that high as far as an experienced CISSP is concerned.

My original plan of the year for learning and growth was scheduled to be completed by the end of October, with a one-month buffer (November as the worst case). Since my goals were achieved ahead of schedule, I decided to do more as a final optimization using the one-month buffer, that is, the month of November.

My plan of the year is revised as follows:

  • Milestone #1: PMI + CISSP
    • 2018/04/09 ACP
    • 2018/04/27 PBA
    • 2018/06/19 CISSP
    • 2018/07/10 RMP
  • Milestone #2: ISACA
    • 2018/07/24 CISM
    • 2018/08/13 CRISC
    • 2018/08/28 CISA
  • Milestone #3: ISC2
    • 2018/09/07 CCSP (originally scheduled on 2018/09/14)
    • 2018/09/13 CSSLP (originally scheduled on 2018/09/28)
    • 2018/09/25 CISSP-ISSEP (bonus)
  • Milestone #4: EC-Council
    • 2018/10/09 CEH (originally scheduled on 2018/10/15)
    • 2018/10/12 ECSA (originally scheduled on 2018/10/29)
  • Bonus Exams:
    • 2018/10/21, PSM I
    • 2018/10/23, ISO 27001 LA
    • 2018/10/27, PSPO I
    • 2018/10/28, PSD
  • Final Optimization
    • 2018/11/06 CISSP-ISSMP

Vision, Goal, Objectives, and Strategy

  • An organization establishes goals that will move it towards its vision.
  • These goals will have objectives that are measures of goal achievement.
  • Strategies are developed for how the goals will be achieved.
  • These strategies direct the execution of work intended to achieve the goals.
  • Organizational strategy is a plan that describes how the organization’s strengths and core competencies will be used to:
    • Manage resources effectively;
    • Manage stakeholder value;
    • Capitalize on opportunities;
    • Minimize the impact of threats;
    • Respond to changes in the market, legal, and regulatory environments; and
    • Reinforce focus on critical operational activities.
  • Business value is defined as the entire value of the business – the total sum of all tangible and intangible elements.
  • References
    • The Standard for Portfolio Management


Security Activities in SDLC

Source: NIST SP 800-64R2

  • Information Security Policy [NIST SP 800-100 2.2.5]
    An aggregate of directives, rules, and practices that prescribes how an organization manages, protects, and distributes information.
  • Information Security Architecture [NIST SP 800-39 2.4.3]
    A description of the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.
  • Generally Accepted Principles and Practices for Securing Information Technology Systems [NIST SP 800-14]
    SP 800-14 has been withdrawn in its entirety. Revised content from the original publication can now be found in the following publications:

  • Information Security Program
    Building an information security program means designing and implementing security practices to protect critical business processes and IT assets. These security practices that make up this program are meant to mature over time. An information security program also helps to define policies and procedures for assessing risk, monitoring threats, and mitigating attacks.