The Certified Information Systems Auditor (CISA) Exam Overview
Is your organization's critical information protected? ...Really? Without comprehensive security plans, policies, and procedures, your organization's information security could be missing something. And that's all it takes for the worst to happen. As a Certified Information Systems Auditor (CISA), you'll perform a business-critical function: assessing your organization's IT and business systems to ensure they are monitored, controlled, and protected. These are valuable skills... and CISA is a valuable certification. There is rapidly growing demand for skilled CISAs. CISA is on the level of CISSP and CCIE in prestige and in the way it distinguishes you from your peers. It's globally recognized within the IT industry and beyond. It's used by the US Department of Defense and others as a minimum requirement for many high-end security positions. And studies have found that just having the CISA credential can increase your salary.
CISA Exam Syllabus: The 5 Domains
- Domain 1: Information System Auditing Process (21 percent)
- Domain 2: Governance and Management of IT (17 percent)
- Domain 3: Information Systems Acquisition, Development and Implementation (12 percent)
- Domain 4: Information Systems Operations and Business Resilience (23 percent)
- Domain 5: Protection of Information Assets (27 percent)
1. Information System Auditing Process
The first domain covers how IT auditors provide services in accordance with IT audit standards, in order to assist the organization in protecting and controlling information systems.
The tasks include developing and implementing a risk-based IT audit strategy, planning and conducting the audit, and reporting findings.
Candidates are expected to know the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards.
2. Governance and Management of IT
The second domain covers how IT auditors provide assurance that necessary organization structure and processes are in place.
For example, they need to evaluate the effectiveness of the IT governance structure, organizational structure, HR management, and policies and standards, in order to determine whether they support the organization’s strategies and objectives.
3. Information Systems Acquisition, Development and Implementation
The third domain covers how IT auditors provide assurance that the practices for the acquisition, development, testing, and implementation of IS meet the organization’s strategies and objectives.
Tasks include evaluating proposed investments in IS acquisition, development, maintenance and subsequent retirement; evaluating project management practices and controls; and conducting reviews.
4. Information Systems Operations and Business Resilience
The fourth domain covers how IT auditors provide assurance that the processes for information systems operations, maintenance and support meet the organization’s strategies and objectives.
Specifically, it includes conducting periodic reviews of IS and evaluating areas such as service level management practices, operations and end-user procedures, and the process of information systems maintenance.
5. Protection of Information Assets
The last domain covers how IT auditors provide assurance that the organization’s security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.
This includes evaluating the information security policies, standards and procedures; the design, implementation and monitoring of various controls, such as system and logical security controls, data classification processes, and physical access and environmental controls.