Uploaded on Jan 19, 2022
In this blog, let us discuss domain 2 of CISM, which is Information Risk Management.
ISACA’s CISM Domain 2 Information Risk Management
www.infosectrain.com | [email protected]
CISM Domains:
1. Information Security Governance
2. Information Risk Management
3. Information Security Program Development and Management
4. Information Security Incident Management
Note: To get a clear understanding of Information Risk Management, let me explain
the three words separately.
Information: Information is data that has been organized, structured, and processed
so that it supports decision making. For example, assume you own a toy shop: the
record of one customer buying one item is data; it becomes information when you
use those records to find the most popular and least popular toys, and with that
information you decide which toys to add to or remove from your shop.
Risk: Risk in this context is the possibility that an incident or event occurs that
materially harms the company's data or information. In CISM terms it is the chance
that a threat exploits a vulnerability and causes an impact on an information asset.
Management: Management means identifying, assessing, evaluating, and treating
risks (and coping with any changes) through proactive, deliberate, explicit, and
systematic measures. It also covers running the process itself: controlling the
authorization of decisions, resourcing, risk treatment, and so on.
Information Risk Management process:
The process of Information Risk Management can be summed up as shown in this
diagram.
The first stage of the process is to identify the risk factors: the assets, their
vulnerabilities, the threats that could exploit them, possible incidents, and the
resulting impacts.
The second stage is to assess the risks, which means considering the information
collected in the first stage to estimate the likelihood and impact of each risk and
so rank their significance.
The third stage is to treat the risks: avoid, share (transfer), or mitigate them, or
formally accept those that fall within the organization's risk appetite. This is
the stage in which the risk treatment decisions are actually implemented.
Handling changes may seem obvious, but its importance is emphasized in the
above mentioned infographic. The information risks within an organization are
constantly shifting, partly as a result of the risk treatment itself and partly as a
result of various other factors, so the cycle has to be repeated rather than run once.
At the end of the diagram, you can see that organizations must also respond to
external obligations such as market pressures, stakeholder expectations, and
compliance requirements.
Information Risk Management best practices:
No one can guarantee that the IRM approach that worked for one data asset will
work for another; hence it is essential for organizations to use a combination of
strategies and policies. Still, there are a few best practices that every
organization should implement to maintain a strong cybersecurity posture.
https://youtu.be/eBnnpLD8cXE
Here are three best practices that every organization should adopt to maintain a
sound Information Risk Management program.
Monitor the IT environment:
Continuously monitoring the IT environment helps the organization identify
vulnerabilities and prioritize remediation.
For instance, many organizations struggle to configure cloud resources correctly.
News reports often mention exposed Amazon S3 buckets. These public cloud storage
locations are not inherently risky, but a bucket policy or ACL that opens them to
"everyone" exposes their contents to the public, including attackers. By
monitoring your IT environment continuously and consistently, you can identify
misconfigured databases and storage locations before someone else does, improving
the security of your data.
Monitor the supply chain:
Mitigating risk from third-party vendors is also an important part of your
IT risk management approach. While you may have contractual authority over your
vendors, you may not be able to hold their vendors to the same requirements. You
need insight into the cybersecurity posture of your whole ecosystem as part of a
holistic Information Risk Management approach.
You might be at risk if your vendor's vendor keeps your information in a cloud
database or storage bucket as plain text. Continually monitor your supply chain
for encryption at rest and in transit, which keeps data unreadable even if an
attacker reaches it; this gives you insight into the cyber health of your
ecosystem.
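The two checks described above (a storage bucket opened to the public through its policy or ACL, and a bucket holding data without default encryption) can be automated. The following is an added example, not code from the original article or from InfosecTrain. It evaluates constructed bucket records offline; the record fields mirror the shape of the AWS S3 API responses (GetBucketPolicy, GetBucketAcl, GetPublicAccessBlock, GetBucketEncryption), but the bucket names, policies and key alias are made up, the account-level Block Public Access setting is assumed to be merged in by the caller, and nothing here talks to a cloud API.

```python
"""Offline configuration check for S3-style storage buckets.

Added example, not code from the original article. It flags buckets opened
to the public through a bucket policy or ACL, and buckets without a default
server-side encryption rule. Bucket records below are constructed in the
shape of the AWS API responses; feeding real responses from a cloud SDK is
assumed to be the caller's job.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_allows_public(policy):
    """True if an Allow statement grants to the wildcard principal with no
    Condition. Conditioned wildcard grants are left for manual review, since
    the condition may or may not restrict who can call."""
    if not policy:
        return False
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")):
            return True
    return False


def acl_allows_public(grants):
    """True if the ACL grants anything to AllUsers or AuthenticatedUsers."""
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)
               for g in grants)


def public_access_blocked(pab):
    """Bucket-level Block Public Access overrides ACLs and policies only when
    all four settings are on (account-level block not modelled: assumption)."""
    return bool(pab) and all(pab.get(k) for k in PAB_KEYS)


def has_default_encryption(enc):
    """True if a default SSE rule (SSE-S3 or SSE-KMS) is configured."""
    if not enc:
        return False
    return any(rule.get("ApplyServerSideEncryptionByDefault", {})
                   .get("SSEAlgorithm") in ("AES256", "aws:kms", "aws:kms:dsse")
               for rule in enc.get("Rules", []))


def assess_bucket(bucket):
    """Return the list of finding codes for one bucket record."""
    findings = []
    if not public_access_blocked(bucket.get("public_access_block")):
        if policy_allows_public(bucket.get("policy")):
            findings.append("PUBLIC_POLICY")
        if acl_allows_public(bucket.get("acl_grants", [])):
            findings.append("PUBLIC_ACL")
    if not has_default_encryption(bucket.get("encryption")):
        findings.append("NO_DEFAULT_ENCRYPTION")
    return findings


def scan(buckets):
    """Map bucket name -> findings, so a monitor can diff successive runs."""
    return {b["name"]: assess_bucket(b) for b in buckets}


# Constructed sample inventory (hypothetical buckets, not real accounts).
SAMPLE_BUCKETS = [
    {   # bucket policy opens every object to anyone; no Block Public Access
        "name": "marketing-assets",
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::marketing-assets/*"}]}),
        "acl_grants": [],
        "public_access_block": None,
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                  {"SSEAlgorithm": "AES256"}}]},
    },
    {   # the "vendor's vendor" case: legacy ACL exposes it, no SSE rule at all
        "name": "partner-exports",
        "policy": None,
        "acl_grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                        "Permission": "READ"}],
        "public_access_block": {k: False for k in PAB_KEYS},
        "encryption": None,
    },
    {   # same wildcard policy, but Block Public Access neutralises it
        "name": "hr-records",
        "policy": json.dumps({"Version": "2012-10-17", "Statement": {
            "Effect": "Allow", "Principal": {"AWS": ["*"]},
            "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::hr-records/*"}}),
        "acl_grants": [],
        "public_access_block": {k: True for k in PAB_KEYS},
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                  {"SSEAlgorithm": "aws:kms",
                                   "KMSMasterKeyID": "alias/hr-data"}}]},
    },
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_BUCKETS).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

Running the script reports marketing-assets as publicly readable by policy, partner-exports as exposed by ACL and unencrypted, and hr-records as clean because Block Public Access overrides its wildcard policy. Two caveats for real use: a wildcard principal under a Condition is deliberately not flagged and should be reviewed by hand, and since AWS began applying SSE-S3 to new buckets by default, the encryption finding mostly matters for older inventory snapshots or where your policy requires customer-managed KMS keys rather than any encryption at all.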
Monitor compliance:
Legislators and industry standards bodies have issued increasingly strict
compliance rules as data breaches continue to make headlines. Several recent laws,
such as the General Data Protection Regulation (GDPR), the California Consumer
Privacy Act (CCPA), and the New York Stop Hacks and Improve Electronic Data
Security (NY SHIELD) Act, require reasonable security safeguards, and
demonstrating those safeguards in practice calls for ongoing monitoring as part
of a cybersecurity compliance program.
To build a compliant IT risk management program, you must monitor and document
your efforts so that you can offer assurance to internal and external auditors.
As you regularly monitor your enterprise's IT ecosystem, prioritize remediation
and record what you did, so that you can give your auditors evidence of
governance.
Why InfosecTrain?
InfosecTrain allows you to customize your training schedule; our
trainers provide one-on-one training.
You can hire a trainer from InfosecTrain who will teach you at your
own pace.
As ISACA is our premium training partner, our trainers know how
much and exactly what to teach to make you a professional.
One more great part is that you will have access to all our recorded
sessions.
That sounds exciting, right? So what are you waiting for? Enroll in our
CISM course and get certified. Here you can get the best
CISM domain training.
About InfosecTrain
• Established in 2016, we are one of the finest
Security and Technology Training and
Consulting companies
• Wide range of professional training programs,
certifications & consulting services in the IT
and Cyber Security domain
• High-quality technical services, certifications
or customized training programs curated with
professionals of over 15 years of combined
experience in the domain
Our Endorsements
Why InfosecTrain
• Global Learning Partners
• Certified and Experienced Instructors
• Flexible modes of Training
• Access to the recorded sessions
• Post training completion
• Tailor Made Training
Our Trusted Clients
Contact us
Get your workforce reskilled
by our certified and
experienced instructors!
IND: 1800-843-7890 (Toll Free) / US: +1 657-221-1127 / UK: +44 7451 208413
[email protected]
www.infosectrain.com