Candidates who complete a comprehensive written test and have at least five years of related work experience are awarded the CISA certification.
ISACA has defined five CISA domains that you will be evaluated on:
There are seven areas that you need to understand in Domain 1.
1) IS Audit Function Management
2) ISACA IT Audit and Assurance Guidelines and Standards
3) Risk Analysis
4) Internal Controls
5) Conducting an IS Audit
6) Control Self-Assessment
7) The Evolving IS Audit Process
The first domain serves as the foundation for the whole field covered by the Certified Information Systems Auditor, and without a firm grasp of these basics you will struggle to succeed in the subsequent domains.
The CISA materials have been updated by ISACA, and this domain now includes the Business Continuity portion that was previously included in Domain 6. Domain 2 is divided into 13 sections that you must master.
1) Corporate Governance
2) IT Governance (ITG)
3) Practices for Board and Senior Management of Information Technology Monitoring and Assurance
4) Strategy for Information Systems
5) Models for Process Improvement and Maturity
6) IT Allocation and Investment Practices
7) Policies and Procedures
8) Risk Management
9) Management Practices in IS (You'll need to know about five sub-areas.)
10) IS Responsibilities and Organizational Structure
11) Examining the Structure and Implementation of IT Governance
12) Planning for Business Continuity (It is a new division that replaced the former Disaster Recovery and Business Continuity Planning Domain 6.)
13) Business Continuity Auditing
The aim of this CISA domain is to ensure that candidates can oversee the smooth operation of the IS acquisition, development, and implementation processes.
Developing the business case
The organisation should ensure that the project is cost-effective and follows the IS strategy. It should also determine what benefits it would deliver, such as cost savings or increased system efficiency. This information is compiled in a business case, which is approved by senior management and reviewed throughout the project.
The project may be requested by the portfolio, and a feasibility report will be undertaken to test the solution, with the findings being used in the business case. The candidate must be familiar with the method of designing a business case and investment assessment strategies such as return on investment (ROI).
IT supplier selection
Candidates must understand how vendors are selected and managed. A Request for Proposal (RFP) is the first step in engaging a provider. It includes business and IS requirements, as well as details about the supplier and contractual terms. The RFP is a crucial document, and when evaluating it, the auditor should make the following observations:
Project management
Candidates must be able to demonstrate how project management methods and techniques are used to manage the risks involved in the procurement, development, and deployment of information technology, and be able to assess whether programmes are on track to meet their objectives and realise the benefits outlined in the business case.
Many organisations tailor project management methodologies to their own requirements, so auditors should become acquainted with them before beginning an audit. Governance is an integral part of the project management process, and the auditor should look for evidence that risks, issues, and dependencies are being actively managed, and that the project is under the supervision of a steering committee or project board.
System development
In response to the need for speed, mobility, flexibility, and cost savings, various system development methodologies have arisen over time. Auditors must be able to identify the various types of controls used within the SDLC, assess their effectiveness, and ensure that they have been adequately tested. There are various kinds of controls:
Implementation readiness
Testing must be completed before adoption, and an implementation plan must be agreed upon. Before implementation begins, auditors should confirm that an implementation plan comprising the following has been approved:
Post-implementation review
The PIR is a useful method for recording lessons learned and other feedback from the project team, both of which can be used to improve the next implementation. It should also state whether or not the project's goals were achieved, along with a plan for closing any open actions, releasing funding, and closing the finances.
It will require a review and final statement on benefits realisation, depending on the timing for the benefits to be realised; otherwise, it should be recorded as an open action.
This domain is structured to ensure that the applicant has a comprehensive knowledge of information systems operations, service management, and disaster recovery processes.
Operations
IS Operations is at the core of the IS wheel, ensuring that processes, software, and technology perform as planned and meet the specifications to which they were designed. Services may be delivered by internal or external teams.
Depending on the scale of the company and its business context, the breadth of IS operations can vary. However, hardware and device maintenance, power management, job scheduling, data management, system performance monitoring, and customer service are usually covered. Any auditor should begin by obtaining a detailed understanding of the scope and services in use.
Hardware and software management
Asset management
Companies may save money by redeploying or withdrawing non-essential information assets if they have an accurate inventory. Auditors can ensure that a robust procedure is in place to recognize all assets, as well as their last identified location, recovery priority, security/risk classification, and owner.
Maintenance and release management
Auditors can ensure that a formal, authorised planned maintenance is in place, which includes pre-deployment testing, backup and restore plans, priority processing arrangements, and user interaction.
Software releases, whether as part of routine maintenance or as part of a business improvement programme, must be deliberately planned to mitigate risk and impact on the business. Each release demands careful deployment preparation. 'Simple' releases have brought some companies to a halt because they were not given enough attention.
Capacity management
Both computing and infrastructure services must be designed to ensure optimum usage, with allocation increases or decreases if required. Auditors should ensure that a capacity management strategy is in effect, and that it is updated at least once a year, unless major internal reform necessitates a more regular update.
Data management
The auditor should be familiar with database architecture, database administration, potential transaction processing issues, and database management system security concerns.
The auditor must ensure that data retention measures, such as data integrity confirmation, data backup and restore processes, user access, and administration rights, are in place based on the type and value of data.
Service Management
The collection of processes, procedures, and tasks used to control IS operations is known as service management. The majority of companies will follow industry-wide service management frameworks such as ISO 20000-1:2011 and ITIL. Candidates should have a clear understanding of the content and implementation of both frameworks due to their widespread adoption. They should also know how to create and track Service Level Agreements (SLAs), particularly where third-party vendors are involved.
Problem and incident management
Any event that disrupts or degrades the level of service is referred to as an incident. Auditors should be familiar with incident and problem management best practices to ensure that the company has procedures in place to track, report, handle, and resolve incidents as efficiently as possible. Incident handling processes should also be tested and trained on a regular basis.
The ability to quickly determine an incident's urgency and impact, and therefore its priority for resolution, is an important aspect of the IM process. Auditors should review previous incidents in addition to the IM procedure to ensure that the process was followed and incidents were properly resolved.
Disaster Recovery
A disaster recovery plan includes roles and responsibilities, management policy, recovery point and recovery time priorities, contingency plans, and the communication process. The recovery point objective (RPO) is the maximum time a computer, system, network, or application can be down after an event happens, and the recovery time objective (RTO) is the maximum time a computer, system, network, or application can be down after an incident.
Auditors must be able to assess the completeness and accuracy of the DR plan's contents, as well as ensuring that the conditions and process for invoking DR are clearly specified.
This is the final and most heavily weighted domain in the CISA certification. According to ISACA, this domain accounts for 30% of the CISA exam, which amounts to roughly 60 questions. This segment contains eight topics that you must master in order to clear the CISA exam.
1) Significance of Information Security Management
To ensure the continued availability of information services, information security management is critical.
Information Security Management is also crucial for ensuring the confidentiality of all stored data and data in transit, especially sensitive data.
There’s the old CIA triad again (Confidentiality, Integrity, Availability).
Key Elements in Information Security Management are:
Senior Management Commitment and support
Policies and Procedures
Organization
Security Awareness and Training
Monitoring and compliance, and
Incident handling and response
Each of these key elements should be known.
For Information Security Management roles and responsibilities, you must know the IS Security Steering Committee's duties in this area like the back of your hand.
Comprehend the distinction between mandatory access controls (MACs) and discretionary access controls (DACs).
Computer crime issues and exposures are discussed in one of the last sections of Information Security Management. The CISA manual's Exhibit 5.8 lists over 30 different Traditional Attack Methods and Techniques. ISACA draws on a variety of these topics for the exam, ranging from botnets to war chalking.
2) Logical Access
This is the primary means of managing and safeguarding information assets. Take note of the stress on the word PRIMARY!
There are only two points of access, central and remote: how do you identify local users and their privileges, and how do you identify and authenticate remote users?
Something you know (password), something you have (token), and something you are (biometrics) are the three types of authentication.
Palm, hand geometry, iris, retina, fingerprint, face, and voice recognition are all biometrics. Which one has the highest user rejection rate and costs the most? HINT: It involves the eye.
3) Network Infrastructure Security
You should be aware of some of the benefits and pitfalls of virtualization.
Wireless networking protection threats and risk control mechanisms, such as WEP, WPA, WPA2, authentication, nonrepudiation, transparency, and network availability, must be understood.
You must be aware of the various types of firewalls (router packet filtering, application firewall systems, stateful inspection).
You'll need to be familiar with firewall configurations (screened-host, dual-homed, DMZ or screened-subnet).
Is there a distinction between NIDS and HIDS, and will they replace firewalls? NO is the answer.
To encrypt records, you'll need to learn how a digital signature works.
You'll need a good understanding of viruses as well as a working knowledge of some of the management protocols that should be in operation.
4) Framework for Information Security Management Auditing
Examine the written policies, practices, and standards.
Pay close attention to the security policies for logical access.
Ascertain that everybody has undergone current security training.
Why are you so concerned with data ownership? Because the data owner is the person who decides who has access to and uses their data.
Then you'll need to check the logical access to ensure that the guidelines are being enforced. Pay special attention to "JOB TRANSFERS," since there is a tendency to implement access but not delete it.
Examine the access records to make sure that someone else is looking at them and taking action if there are any unsuccessful authentication attempts.
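The two checks above (access left behind after job transfers, and failed authentication attempts in the access records) as an added example, not code from the original post; the entitlement export, HR role list, log format and the three-failure threshold are all constructed assumptions for illustration:

```python
# Added example (not the original post's code): two logical-access audit checks
# run over constructed sample data; all names, formats and thresholds are assumed.
import re
from collections import Counter

# Constructed entitlement export: which access each account currently holds.
ENTITLEMENTS = {
    "alice": {"finance_ledger_rw"},
    "bob":   {"finance_ledger_rw"},
    "carol": {"payroll_admin"},
}
# Which role legitimately needs each entitlement (assumed mapping).
ROLE_FOR_ENTITLEMENT = {"finance_ledger_rw": "finance", "payroll_admin": "payroll"}
# Constructed HR record of each account's current role (bob moved out of finance).
HR_ROLES = {"alice": "finance", "bob": "sales", "carol": "payroll"}

def stale_access_after_transfer(entitlements, hr_roles, role_map):
    """Return {user: [entitlement, ...]} for access that no longer fits the user's role."""
    findings = {}
    for user, ents in entitlements.items():
        stale = sorted(e for e in ents if role_map[e] != hr_roles[user])
        if stale:
            findings[user] = stale
    return findings

# Constructed access-log lines in an assumed key=value format.
ACCESS_LOG = """\
2023-06-01T08:01:10 auth user=alice result=SUCCESS src=10.0.0.5
2023-06-01T08:02:11 auth user=bob result=FAILURE src=10.0.0.9
2023-06-01T08:02:15 auth user=bob result=FAILURE src=10.0.0.9
2023-06-01T08:02:20 auth user=bob result=FAILURE src=10.0.0.9
2023-06-01T08:03:02 auth user=carol result=FAILURE src=10.0.0.7
2023-06-01T08:05:44 auth user=bob result=SUCCESS src=10.0.0.9
"""
LINE_RE = re.compile(r"user=(\S+) result=(\S+)")

def failed_auth_summary(log_text, threshold=3):
    """Count failed authentications per user and flag those at or above threshold."""
    failures = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(2) == "FAILURE":
            failures[m.group(1)] += 1
    flagged = sorted(u for u, n in failures.items() if n >= threshold)
    return dict(failures), flagged

if __name__ == "__main__":
    print("stale access:", stale_access_after_transfer(ENTITLEMENTS, HR_ROLES, ROLE_FOR_ENTITLEMENT))
    print("failed auth:", failed_auth_summary(ACCESS_LOG))
```

The flagged output is the evidence an auditor would then trace to a review ticket or a follow-up action to confirm that someone is actually acting on the records.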
5) Network Infrastructure Security Auditing
Is there someone with remote access, and has it been approved? Why do vendors have full access to the network in order to fix a network device? Has management given their approval to that unrestricted access?
Now comes the exciting part: as auditors, you should be allowed to do Pen Testing; just make sure you have permission before beginning this part of the audit. HINT: PRIOR APPROVAL
Ensure that all network modifications, including emergency changes, go into change control.
This is where forensics comes into play, so make sure you understand the four main steps in handling evidence (Identify, Preserve, Analyze, Present).
6) Environmental Exposures and Controls
7) Physical Access Exposures and Controls
8) Mobile Computing
CISAs who keep up with continuing professional education will be best prepared to audit information systems and technologies, as well as offer leadership and value to their organisations. The CISA Certification Board is responsible for establishing continuing professional education standards and overseeing the processes and requirements to ensure their applicability.