Business Impact Analysis
Business Impact Analysis (BIA) is the process of determining the effect of disruptions on business functions to prioritize recovery. CISM uses the BIA to derive recovery objectives such as RTO and RPO.
Business Impact Analysis (BIA) is the process of determining the effect of disruptions on business functions to prioritize recovery. CISM uses the BIA to derive recovery objectives such as RTO and RPO.
Information Security Governance is the system of leadership, structure, and processes that ensures security supports and extends the organization's strategy and objectives.
Security Strategy is the long-term plan that defines how information security will achieve the organization's desired state and support its objectives.
Risk Appetite is the amount and type of risk an organization is willing to accept in pursuit of its objectives.
Risk Management is the coordinated process of identifying, assessing, responding to, and monitoring information risk.
Residual Risk is the risk that remains after controls and other responses have been applied.
Business Impact Analysis (BIA) is the process of determining the effect of disruptions on business functions to prioritize recovery.
RTO and RPO are the two core recovery objectives: Recovery Time Objective is the target time within which a process must be restored after disruption, and Recovery Point Objective is the maximum tolerable data loss measured in time.
A Key Risk Indicator (KRI) is a metric that provides an early signal of increasing risk exposure.
Security Metrics are measurements used to gauge the effectiveness and value of the security program.
A Security Program is the coordinated set of activities, resources, and controls that executes the security strategy.
Security Controls are the administrative, technical, and physical safeguards used to reduce risk to an acceptable level.
Defense in Depth is the practice of layering multiple independent controls so the failure of one does not expose the asset.
Incident Management is the structured process of preparing for, detecting, responding to, and recovering from security incidents.
An Incident Response Plan is the documented set of procedures and responsibilities for handling a security incident.
Third-Party Risk is the risk introduced by vendors, suppliers, and other external service providers.