Ec-council | Learning

Certified Chief Information Security Officer | CCISO Certification

EC-Council's Certified Chief Information Security Officer (CCISO) programme has certified leading information security professionals around the world. A core group of high-level information security executives, the CCISO Advisory Board, formed the foundation of the programme and defined the content covered by the examination, the body of knowledge and the training. Some Board members contributed as authors, others as reviewers, others as quality controllers, and others as instructors. Each segment of the programme was developed with both aspiring and current CISOs in mind, and aims to transfer the knowledge of experienced leaders to the next generation of leaders in the areas most critical to developing and maintaining a successful information security programme.

About the Certified Chief Information Security Officer (CCISO) Course

CCISO Certification: A High-Level Programme for Information Security Leaders

The CCISO certification is an industry-leading, recognized programme that validates the practical experience needed to succeed at the highest executive levels of information security. The programme covers every aspect essential to a C-level position, including audit management, governance, information security controls, and the human resources and financial management needed to run a successful security programme.

A High-Level Strategic Role

The role of CISO is crucial, and it must not be learned by trial and error. Executive management skills are not picked up on the job, but rather through structured training. This is why the CCISO certification is designed to bridge the gap between technical knowledge and executive management skills, allowing professionals to make the transition to leadership roles.

A Practical and Strategic Training

The CCISO programme requires a good understanding of technical subjects. However, it focuses more on the application of that technical knowledge in the day-to-day running of an information security framework. This allows candidates to acquire the skills necessary to effectively run a company-wide security programme.

A Successful Transition to Leadership Roles

Many information security professionals begin in mid-level roles and seek executive positions. The CCISO programme facilitates this transition through targeted training that goes beyond the experience gained in the field. With this certification, future CISOs are better prepared to handle complex strategic challenges within their organization.

Area 1: Governance and risk management

  1. Define, implement, manage and maintain an information security governance program
    1.1. Form of commercial organization
    1.2. Industry
    1.3. Organizational maturity
  2. Information security factors
  3. Establish an information security management structure
    3.1. Organizational structure
    3.2. Position of CISO within the organisational structure
    3.3. Executive CISO
    3.4. Non-executive CISO
  4. Laws, regulations and standards as drivers of organizational policies, standards and procedures
  5. Management of an enterprise-level information security compliance programme
    5.1. Security policy
    5.1.1. Need for a security policy
    5.1.2. Security policy challenges
    5.2. Policy content
    5.2.1. Types of policies
    5.2.2. Policy implementation
    5.3. Reporting structure
    5.4. Standards and best practices
    5.5. Leadership and ethics
    5.6. EC-Council Code of Ethics
  6. Introduction to Risk Management
    6.1. Organizational structure
    6.2. Position of CISO within the organisational structure
    6.3. Executive CISO
    6.4. Non-executive CISO

Area 2: Information security controls, compliance and audit management

  1. Information security controls
    1.1. Identify the organization's information security needs
    1.1.1. Identify the optimal information security framework
    1.1.2. Designing security controls
    1.1.3. Control life cycle management
    1.1.4. Classification of controls
    1.1.5. Selection and implementation of controls
    1.1.6. Catalogue of controls
    1.1.7. Maturity of controls
    1.1.8. Monitoring of security controls
    1.1.9. Remediation of control gaps
    1.1.10. Maintenance of security controls
    1.1.11. Reporting of controls
    1.1.12. Catalogue of Information Security Services

  2. Compliance management
    2.1. Acts, laws and statutes
    2.1.1. FISMA
    2.2. Regulations
    2.2.1. GDPR
    2.3. Standards
    2.3.1. ASD—Information Security Manual
    2.3.2. Basel III
    2.3.3. FFIEC
    2.3.4. ISO 27000 family of standards
    2.3.5. NERC-CIP
    2.3.6. PCI DSS
    2.3.7. NIST Special Publications
    2.3.8. Statement on Standards for Attestation Engagements No. 16 (SSAE 16)

  3. Guidelines, good practices and best practices
    3.1. CIS
    3.1.1. OWASP

  4. Audit management
    4.1. Audit expectations and results
    4.2. IS audit practices
    4.2.1. ISO/IEC audit guidance
    4.2.2. Internal versus external audits
    4.2.3. Partnership with the audit organisation
    4.2.4. Audit process
    4.2.5. General auditing standards
    4.2.6. Compliance-based audits
    4.2.7. Risk-based audits
    4.2.8. Management and protection of audit documentation
    4.2.9. Conduct of an audit
    4.2.10. Evaluation of audit results and report
    4.2.11. Remediation of audit findings
    4.2.12. Use of GRC software to support audits

  5. Executive summary

Area 3: Security programme management and operations

  1. Programme management
    1.1. Define a security charter, objectives, requirements, stakeholders and strategies
    1.1.1. Security programme charter
    1.1.2. Security programme objectives
    1.1.3. Security programme requirements
    1.1.4. Security programme stakeholders
    1.1.5. Development of the security programme strategy
    1.2. Implementation of an information security programme
    1.3. Define, develop, manage and monitor the information security program
    1.3.1. Define the budget for an information security programme
    1.3.2. Develop budget for information security program
    1.3.3. Managing the budget of an information security programme
    1.3.4. Monitoring the budget of an information security programme
    1.4. Identify and develop the information security program's personnel requirements
    1.5. Managing people in a security program
    1.5.1. Solving personnel and teamwork problems
    1.5.2. Manage the training and certification of members of the security team
    1.5.3. Clear career path
    1.5.4. Design and implement a user awareness programme
    1.6. Manage the security programme architecture and roadmap
    1.6.1. Information Security Program Architecture
    1.6.2. Information Security Program Roadmap
    1.7. Programme management and governance
    1.7.1. Understanding Project Management Practices
    1.7.2. Identify and manage project stakeholders
    1.7.3. Measuring project effectiveness
    1.8. Business Continuity Management (BCM) and Disaster Recovery Planning (DRP)
    1.9. Data backup and recovery
    1.10. Backup strategy
    1.11. ISO BCM standards
    1.11.1. Business Continuity Management (BCM)
    1.11.2. Disaster Recovery Planning (DRP)
    1.12. Security continuity
    1.12.1. Integration of the Confidentiality, Integrity and Availability (CIA) model
    1.13. BCM Plan Tests
    1.14. DRP tests
    1.15. Planning, operations and testing programs to mitigate risks and comply with Service Level Agreements (SLAs)
    1.16. Computer incident response
    1.16.1. Incident Response Tools
    1.16.2. Incident Response Management
    1.16.3. Incident response communications
    1.16.4. Post-incident analysis
    1.16.5. Tests of incident response procedures
    1.17. Digital forensics
    1.17.1. Crisis management
    1.17.2. Digital forensics life cycle

  2. Operations management
    2.1. Establish and operate a Security Operations Capability (SecOps)
    2.2. Security Monitoring and Security Information and Event Management (SIEM)
    2.3. Event Management
    2.4. Incident response model
    2.4.1. Development of specific incident response scenarios
    2.5. Threat management
    2.6. Threat intelligence
    2.6.1. Information Sharing and Analysis Centres (ISAC)
    2.7. Vulnerability management
    2.7.1. Vulnerability assessments
    2.7.2. Vulnerability management in practice
    2.7.3. Penetration testing
    2.7.4. Security testing teams
    2.7.5. Remediation
    2.8. Threat hunting

  3. Executive summary

Area 4: Core information security competencies

  1. Access control
    1.1. Authentication, Authorization and Audit
    1.2. Authentication
    1.3. Authorization
    1.4. Audit
    1.5. User access restrictions
    1.6. Managing user access behaviour
    1.7. Types of access control models
    1.8. Design of an access control plan
    1.9. Access administration

  2. Physical security
    2.1. Design, implement and manage a physical security program
    2.1.1. Physical Risk Assessment
    2.2. Physical location considerations
    2.3. Barriers and deterrence
    2.4. Design of secure facilities
    2.4.1. Security Operations Centre
    2.4.2. Sensitive Compartmented Information Facility (SCIF)
    2.4.3. Digital Forensics Laboratory
    2.4.4. Data centre
    2.5. Preparation for physical security audits

  3. Network security
    3.1. Network security assessments and planning
    3.2. Network Security Architecture Challenges
    3.3. Network security design
    3.4. Network security standards, protocols and controls
    3.4.1. Network security standards
    3.4.2. Protocols
    3.4.3. Network security controls
    3.5. Wireless (Wi-Fi) security
    3.5.1. Wireless risks
    3.5.2. Wireless controls
    3.6. Voice over IP (VoIP) security

  4. Endpoint protection
    4.1. Endpoint threats
    4.2. Endpoint vulnerabilities
    4.3. End-user security awareness
    4.4. Endpoint device hardening
    4.5. Endpoint device logging
    4.6. Mobile device security
    4.6.1. Mobile device risks
    4.6.2. Mobile device security controls
    4.7. Internet of Things (IoT) security
    4.7.1. Protection of IoT devices

  5. Application Security
    5.1. Secure SDLC model
    5.2. Separation of development, testing and production environments
    5.3. Application security testing approaches
    5.4. DevSecOps
    5.5. Waterfall methodology and security
    5.6. Agile methodology and security
    5.7. Alternative approaches to application development
    5.8. Application hardening
    5.9. Application security technologies
    5.10. Version control and patch management
    5.11. Database security
    5.12. Database hardening
    5.13. Secure coding practices

  6. Encryption technologies
    6.1. Encryption and decryption
    6.2. Cryptosystems
    6.2.1. Blockchain
    6.2.2. Digital signatures and certificates
    6.2.3. PKI
    6.2.4. Key management
    6.3. Hashing
    6.4. Encryption algorithms
    6.5. Development of the encryption strategy
    6.5.1. Determining the location and type of critical data
    6.5.2. Deciding what to encrypt
    6.5.3. Determining encryption requirements
    6.5.4. Selecting, integrating and managing encryption technologies

  7. Virtualization security
    7.1. Overview of virtualization
    7.2. Risks of virtualization
    7.3. Security concerns related to virtualization
    7.4. Virtualization security controls
    7.5. Virtualization security reference model

  8. Cloud computing security
    8.1. Overview of cloud computing
    8.2. Cloud security and resilience services
    8.3. Cloud security concerns
    8.4. Cloud security controls
    8.5. Cloud computing protection considerations

  9. Transformative technologies
    9.1. Artificial intelligence
    9.2. Augmented reality
    9.3. Autonomous SOC
    9.4. Dynamic deception
    9.5. Software-defined cybersecurity

  10. Executive summary

Area 5: Strategic planning, finance, procurement and vendor management

  1. Strategic planning
    1.1. Understanding the organization
    1.1.1. Understanding the structure of the enterprise
    1.1.2. Identify and align business and information security objectives
    1.1.3. Identify key sponsors, stakeholders and influencers
    1.1.4. Understanding organizational finance
    1.2. Create a strategic information security plan
    1.2.1. Basic strategic planning
    1.2.2. Alignment with organizational strategy and objectives
    1.2.3. Defining short-, medium- and long-term tactical information security objectives
    1.2.4. Communication of the information security strategy
    1.2.5. Creating a culture of security

  2. Design, development and maintenance of an information security programme within the company
    2.1. Providing a solid foundation for the programme
    2.2. Architectural perspectives
    2.3. Create measures and indicators
    2.4. Balanced Scorecard
    2.5. Continuous monitoring and reporting of results
    2.6. Continuous improvement
    2.7. Continuous Service Improvement (CSI) according to ITIL

  3. Understanding of Enterprise Architecture (EA)
    3.1. Types of EA
    3.1.1. Zachman's Framework
    3.1.2. Open Group Architecture Framework (TOGAF)
    3.1.3. Sherwood Applied Business Security Architecture (SABSA)
    3.1.4. Federal Enterprise Architecture Framework (FEAF)

  4. Finance
    4.1. Understanding funding for security programs
    4.2. Analyze, plan and develop a security budget
    4.2.1. Resource requirements
    4.2.2. Defining financial indicators
    4.2.3. Technological renewal
    4.2.4. Financing new projects
    4.2.5. Contingency financing
    4.3. Management of the information security budget
    4.3.1. Getting financial resources
    4.3.2. Allocate financial resources
    4.3.3. Monitoring and tracking the information security budget
    4.3.4. Report of indicators to sponsors and stakeholders
    4.3.5. Balance the information security budget

  5. Procurement
    5.1. Procurement programme terms and concepts
    5.1.1. Statement of Objectives (SOO)
    5.1.2. Statement of Work (SOW)
    5.1.3. Total Cost of Ownership (TCO)
    5.1.4. Request for Information (RFI)
    5.1.5. Request for Proposal (RFP)
    5.1.6. Master Service Agreement (MSA)
    5.1.7. Service Level Agreement (SLA)
    5.1.8. Terms and Conditions (T&C)
    5.2. Understanding the organization's procurement programme
    5.2.1. Internal policies, processes and requirements
    5.2.2. External or regulatory requirements
    5.2.3. Local requirements versus global requirements
    5.3. Procurement risk management
    5.3.1. Standard contractual language

  6. Vendor management
    6.1. Understanding organizational acquisition policies and procedures
    6.1.1. Procurement life cycle
    6.2. Application of cost-benefit analysis (CBA) during the procurement process
    6.3. Vendor management policies
    6.4. Contract administration policies
    6.4.1. Service and contract delivery indicators
    6.4.2. Contract delivery report
    6.4.3. Requests for change
    6.4.4. Contract renewal
    6.4.5. Closure of contracts
    6.5. Delivery assurance
    6.5.1. Validation of compliance with contractual requirements
    6.5.2. Formal delivery audits
    6.5.3. Periodic and random delivery audits
    6.5.4. Third-Party Risk Management (TPRM)

  7. Executive summary

Minimum requirements

To sit for the CCISO examination without having completed any training, candidates must have five years of experience in each of the five CCISO areas, verified through the examination eligibility application.

Candidates must have five years of experience in three of the five CCISO areas, verified through the examination eligibility application, in order to take the examination.

Experience waivers for CCISO are available to self-study candidates.

Area and educational waivers:
  1. Governance and Risk Management: PhD in Information Security – 3 years; MS in Information Security Management or MS in Information Security Engineering – 2 years; BS in Information Security – 2 years
  2. Information Security Controls, Compliance and Audit Management: PhD in Information Security – 3 years; MS in Information Security Management or MS in Information Security Engineering – 2 years; BS in Information Security – 2 years
  3. Security Programme Management and Operations: PhD in Information Security – 3 years; MS in Information Security or MS in Project Management – 2 years; BS in Information Security – 2 years
  4. Core Information Security Competencies: PhD in Information Security – 3 years; MS in Information Security – 2 years; BS in Information Security – 2 years
  5. Strategic Planning, Finance, Procurement and Vendor Management: CPA, MBA or M.Fin. – 3 years

On the examination

There are three cognitive levels tested during the CCISO examination.

Level 1 – Knowledge: questions at this cognitive level test the recall of memorized facts. It is the most basic cognitive level and is rarely accepted in certifications, because it only measures the candidate's ability to memorize information. It can be used effectively to ask for basic definitions, standards or other concrete facts.

Level 2 – Application: questions at this cognitive level assess the candidate's ability to understand how a given concept is applied. They differ from knowledge questions in that they require understanding and correct application of a concept, not just knowledge of the concept itself. This type of question often requires additional context before the actual question is asked.

Level 3 – Analysis: questions at this cognitive level assess the candidate's ability to identify and solve a given problem under a set of variables and a given context. Analysis questions differ greatly from application questions in that they require not only knowing where a concept applies, but also how the concept, under certain constraints, can be used to solve a problem.

Passing score

To maintain the high integrity of our certification exams, EC-Council exams are provided in several forms (i.e. different question banks). Each form is carefully analysed through beta testing with an appropriate sample group, under the supervision of a committee of subject matter experts, which ensures that each of our examinations has not only academic rigour but also real-world applicability. We also have a process to determine the difficulty level of each question. The individual ratings then contribute to a cut score for each examination form. To ensure that each form has equal assessment standards, cut scores are set on a per-form basis. Depending on the examination form, cut scores may range from 60% to 78%.

Details of the examination
  • Number of questions: 150
  • Duration of examination: 2.5 hours
  • Format of examination: Multiple choice
  • Examination platform: ECC Examination Portal

  • Director, Chief Information Security Officer (CISO), Google Cloud
  • Deputy CISO
  • VP and Chief Information Security Officer
  • Chief Information Security Officer (VP)
  • Director of Information Systems Security – CISO
  • Chief Privacy Officer
  • Associate Vice President and Chief Information Security Officer
  • Security Officer
  • CISO, COO
  • Deputy Executive Director – Chief Information Security Officer
  • CISO, Threat Intelligence
  • Chief Technology Officer (CTO)
  • Chief Data Officer
  • VP, Information Security
  • Information Security Officer
  • Chief Compliance Officer
  • Senior Cybersecurity Expert, CISO SME
  • Regional Information Officer
About OhPhish

OhPhish is a great way for CCISOs to kick-start security awareness programmes in their businesses at no cost. OhPhish is a simple and user-friendly solution for phishing simulations and online training. Launching phishing simulations is made easier by pre-built phishing templates and connectors to authorized identity repositories (such as Active Directory). The solution not only sends personalized e-mails and campaigns, but also tracks responses and actions (such as link clicks or attachment opens) in real time, providing trends and detailed reports per user, department or other key demographic.
