EXIN Information Security Management Professional based on ISO/IEC 27001

Globalization of the economy is leading to an ever-growing exchange of information. This information crosses not only national borders but also the thin lines between private and business domains. The scope of accountability grows together with the information that is managed. This information must be protected against unauthorized access, safeguarded from accidental or malicious modification or destruction, and must remain available when needed.

Other trends are also increasing the importance of the information security discipline:

  • Compliance requirements are increasing. Most countries have multiple laws or regulations governing the use of, and requiring the protection of, various types of data. These laws are increasing in number and their requirements are growing.
  • Many industries, particularly the financial world, have regulations in addition to those imposed by the government. These are growing in number and complexity too.
  • Security standards are being developed and refined at industrial, national, and international levels.
  • Security certifications and auditable proof that an organization is complying with security standards and/or best practices are sometimes required as a condition of conducting business.

In order to become certified, a professional needs:

  • Successful completion of the EXIN Information Security Management Professional based on ISO/IEC 27001 exam.
  • Accredited EXIN Information Security Management Professional based on ISO/IEC 27001 training, including completion of the practical assignments.

This certification is intended for all security professionals who are involved in the implementation, evaluation and reporting of an information security program, including the following roles:

  • information security manager (ISM)
  • information security officer (ISO)
  • line manager
  • process manager
  • project manager with security responsibilities

1.1 Business interest of information security
The candidate can…
1.1.1 distinguish types of information based on their business value.
1.1.2 explain the characteristics of a management system for information security.

1.2 Customer perspective on governance
The candidate can…
1.2.1 explain the importance of information governance when outsourcing.
1.2.2 recommend a supplier based on security controls.

1.3 Supplier’s responsibilities in security assurance
The candidate can…
1.3.1 distinguish security aspects in service management processes.
1.3.2 support compliance activities.

2.1 Principles of risk management
The candidate can…
2.1.1 explain principles of analyzing risks.
2.1.2 identify risks for classified assets.
2.1.3 calculate risks for classified assets.

2.2 Control risks
The candidate can…
2.2.1 categorize controls based on confidentiality, integrity, and availability.
2.2.2 choose controls based on incident cycle stages.
2.2.3 choose relevant guidelines for applying controls.

2.3 Deal with residual risks
The candidate can…
2.3.1 distinguish risk strategies.
2.3.2 produce business cases for controls.
2.3.3 produce reports on risk analyses.

3.1 Organizational controls
The candidate can…
3.1.1 write policies and procedures for information security.
3.1.2 implement information security incident handling.
3.1.3 perform an awareness campaign in the organization.
3.1.4 implement roles and responsibilities for information security.
3.1.5 support the development and testing of a business continuity plan.

3.2 Technological controls
The candidate can…
3.2.1 explain the purpose of security architectures.
3.2.2 explain the purpose of security services.
3.2.3 explain the importance of security elements in the IT infrastructure.

3.3 Physical controls and people controls
The candidate can…
3.3.1 recommend controls for physical access.
3.3.2 recommend security controls for the employment life cycle.

Length of exam: 90 minutes
Number of questions: 30
Question format: Multiple choice
Passing grade: 65%
Exam availability: English, Chinese, Portuguese
Testing center: Online proctored / Paper-based