Wikipedia defines Security Management as “… the identification of an organization’s assets (including information assets), followed by the development, documentation, and implementation of policies and procedures for protecting these assets.” The problem is that this sounds a lot like Information Risk Management.
I would suggest that the difference between the two is that Security Management implies a coherent Information Security Management System (ISMS) to ensure that all aspects of security have been considered and appropriately controlled.
Security Management projects that I have been involved with are generally a combination of:
- Assessing security maturity against a framework, such as ISO/IEC 27001 or Cyber Essentials.
- Producing a gap analysis between current maturity and desired maturity.
- Creating a programme plan or roadmap to reach the desired maturity.
- Managing projects to deliver aspects of the roadmap.
- Conducting interim maturity assessments to gain assurance that the programme is on course to reach its goals.
- Supporting certification exercises to demonstrate that the maturity goals have been met.
CISM (retired): I was a Certified Information Security Manager and achieved an ISACA geographic excellence award for being the highest-scoring candidate in EMEA in the December 2015 exams. I allowed this certification to lapse in 2022 when I retired.
CISSP: I have been a Certified Information Systems Security Professional for seventeen years, meeting the Continuing Professional Education (CPE) requirements for five three-year recertification cycles.