Established in 1978, the CISA certification primarily focuses on audit, controls, assurance, and security. It certifies the individual’s knowledge of testing and documenting IS controls and his or her ability to conduct formal IS audits. Organizations seek out qualified personnel for assistance with developing and maintaining robust control environments. A CISA-certified individual is a great candidate for this.
Benefits of CISA Certification

Obtaining the CISA certification offers several significant benefits:
- Expands knowledge and skills, builds confidence: Developing knowledge and skills in the areas of audit, controls, assurance, and security can prepare you for advancement or expand your scope of responsibilities. The personal and professional achievement can boost confidence, which encourages you to move forward and seek new career opportunities.
- Increases marketability and career options: Legal and regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), Food and Drug Administration (FDA) regulations, the Federal Energy Regulatory Commission/North American Electric Reliability Corporation (FERC/NERC) standards, the European General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), together with the growing reliance on information systems and automation, are increasing demand for people who can develop, document, and test controls. Obtaining your CISA certification also demonstrates to current and potential employers your commitment to improving your knowledge and skills in information systems auditing. A CISA can provide a competitive advantage and open doors in many industries and countries.
- Helps you meet other certification requirements: The Payment Card Industry Qualified Security Assessor (PCI QSA) program requires that each assessor hold a current security audit certification, either CISA or ISO 27001 Lead Auditor.
- Helps you meet employment requirements: Many government agencies and organizations, such as the United States Department of Defense (DoD), require approved certifications such as CISA for positions involving IS audit activities. DoD Directive 8140.01 (the successor to DoD Directive 8570.01, whose manual, DoD 8570.01-M, lists the approved certifications) requires that personnel performing information assurance activities within the department hold a commercial certification approved by the DoD. The DoD has approved the ANSI-accredited CISA certification program because it meets ISO/IEC 17024:2012 requirements. CISA is one of the approved baseline certifications for Information Assurance Technical (IAT) Level III positions, so personnel in those positions, including contractors performing similar work, must hold CISA or another certification approved for that level.
- Builds customer confidence and international credibility: Prospective customers needing control or audit work can have confidence that the audits and controls documented or tested meet internationally recognized standards.
Whatever your current position, demonstrating knowledge and experience in the areas of IT controls, audit, assurance, and security can expand your career options. The CISA certification does not limit you to auditing; it can provide additional value and insight to those in or seeking the following positions:
- Executives such as chief executive officers (CEOs), chief financial officers (CFOs), and chief information officers (CIOs)
- Chief audit executives, audit partners, and audit directors
- Security and IT operations executives (chief technology officers [CTOs], chief information security officers [CISOs], chief information risk officers [CIROs], chief security officers [CSOs]), directors, managers, and staff
- Compliance executives and management
- Security and audit consultants
- Audit committee members
Experience Requirements

To qualify for CISA certification, you must have completed the equivalent of five years' total work experience. These five years can take many forms, with several substitutions available.
Direct Work Experience: You are required to have five years' work experience in the field of IS audit, controls, or security. This is equivalent to approximately 10,000 actual work hours, which must relate to one or more of the five CISA job practice areas:
- Information Systems Auditing Process: Planning and conducting information systems audits in accordance with IS standards and best practices, communicating results, and advising on risk management and control practices.
- Governance and Management of IT: Ensuring that adequate organizational structures and processes are in place to align with and support the organization's strategies and objectives.
- Information Systems Acquisition, Development, and Implementation: Ensuring that appropriate processes and controls are in place for the acquisition, development, testing, and implementation of information systems, in order to provide reasonable assurance that the organization's strategies and objectives will be met.
- Information Systems Operations and Business Resilience: Ensuring that systems and infrastructure have appropriate operations, maintenance, and service management processes and controls in place to support the organization's strategies and objectives.
- Protection of Information Assets: Ensuring that the organization's security policies, standards, procedures, and controls protect the confidentiality, integrity, and availability of information assets.

All work experience must have been gained within the ten-year period before the certification application is submitted, or within five years of the date you first passed the CISA exam. You will need to complete a separate Verification of Work Experience form for each segment of experience. Substitutions (for education, other certifications, or related non-IS experience) can replace at most three of the five years, so a minimum of two years of direct work experience is always required; the only exception to that two-year minimum is for full-time instructors.
The Certification Exam

The certification exam is offered almost continuously throughout the year in periods known as testing windows, which are generally several months long. The ISACA web site lists the current testing window and sometimes future ones. When you begin planning for your CISA examination, consult the ISACA web site to see what scheduling options are available in your testing window; other terms and conditions also change from one testing window to the next. The exam fees in U.S. dollars for 2019 are:
- CISA application fee: $50
- Regular registration: $575 member / $760 nonmember

The exam is administered by an ISACA-approved testing vendor, PSI Services, at numerous locations. For details on the locations nearest you, go to www.isaca.org/examlocations.
CISA Exam Syllabus: The 5 Domains
- Information Systems Auditing Process (21 percent)
- Governance and Management of IT (17 percent)
- Information Systems Acquisition, Development and Implementation (12 percent)
- Information Systems Operations and Business Resilience (23 percent)
- Protection of Information Assets (27 percent)

There used to be six domains, but the 2011 job practice update reduced them to five; the material from the old sixth domain (business continuity and disaster recovery) was moved into the other domains, mainly Domains 2 and 4. The domain outlines that follow use the pre-2019 domain names and section lists (for example, "IS Operations, Maintenance, and Support" for what the current syllabus calls "Information Systems Operations and Business Resilience").
1. The Process of Auditing Information Systems

This section covers the audit charter and what it contains, and the steps of audit planning. The tasks then include developing and implementing a risk-based IT audit strategy, planning and conducting the audit, and reporting findings. You will need to know more than how to answer basic definitional questions: you will need to show that you can apply the relevant standards and regulations in an actual work setting.
In addition, candidates are expected to know the ISACA IT Audit and Assurance Standards, Guidelines, and Tools and Techniques, the Code of Professional Ethics, and other applicable standards. Of the older S-numbered standards, you should memorize S1, S2, S4, S9, and S10; standards S12 through S16 were added to the CISA material in 2011, and you should know S12, S13, and S14. (ISACA has since renumbered these standards under ITAF, with 1000-series general, 1200-series performance, and 1400-series reporting standards, so expect either numbering in study material.)

There are seven areas that you need to understand in Domain 1:
- Management of the IS Audit Function
- ISACA IT Audit and Assurance Standards and Guidelines
- Risk Analysis
- Internal Controls
- Performing an IS Audit
- Control Self-Assessment
- The Evolving IS Audit Process
2. Governance and Management of IT

The second domain covers how IT auditors provide assurance that the necessary organizational structures and processes are in place. It also contains the business continuity material that was in the old Domain 6 before it was removed.
For example, they need to evaluate the effectiveness of the IT governance structure, organizational structure, HR management, and policies and standards, in order to determine whether they support the organization’s strategies and objectives.
You will need to know the definition of corporate governance, what ISO 26000 is, what the OECD Principles of Corporate Governance are, and what IT governance (ITG) is about. In short, ITG is concerned with two issues: that IT delivers value to the business (driven by strategic alignment of IT with the business) and that IT risk is managed (driven by embedding accountability into the enterprise). Know both issues and what drives each.

In addition, you will need to know the five focus areas of ITG (strategic alignment, value delivery, risk management, resource management, and performance measurement), be familiar with the different frameworks, and know audit's role in ITG, to name a few things. If this sounds like a lot, that's because it is. We highly recommend breaking the material down by domain and subdomain when you study, and moving on to the next domain only once you are confident you know the current one completely.

There are 13 areas, or subdomains, under Domain 2:
- Corporate Governance
- IT Governance (ITG)
- Information Technology Monitoring and Assurance Practices for Board and Senior Management
- Information Systems Strategy
- Maturity and Process Improvement Models
- IT Investment and Allocation Practices
- Policies and Procedures
- Risk Management
- IS Management Practices (with 5 sub-areas)
- IS Organizational Structure and Responsibilities
- Auditing IT Governance Structure and Implementation
- Business Continuity Planning
- Auditing Business Continuity
3. IS Acquisition, Development, and Implementation

The third domain covers how IT auditors provide assurance that the practices for the acquisition, development, testing, and implementation of information systems meet the organization's strategies and objectives. Many topics in this section concern project management and business management and benefits realization.

For example, you will need to know the difference between portfolio management and program management, the three major forms of organizational alignment, and the roles and responsibilities of a project steering committee, among other things. There is also an entire section on business application development (listed below), and you need to know the major risks of any software development project and the phase at which testing begins, for example.

Tasks include evaluating proposed investments in IS acquisition, development, maintenance, and subsequent retirement; evaluating project management practices and controls; and conducting reviews. Above all, study the areas listed below until you feel confident in your ability to answer practical questions about them in a work setting.

There are 14 subdomain areas in Domain 3:
- Business Realization
- Project Management Structure
- Project Management Practices
- Business Application Development
- Business Application Systems
- Alternative Forms of Software Project Organization
- Alternative Development Methods
- Infrastructure Development/Acquisition Practices
- Information Systems Maintenance Practices
- System Development Tools and Productivity Aids
- Process Improvement Practices
- Application Controls
- Auditing Application Controls
- Auditing Systems Development, Acquisition and Maintenance
4. IS Operations, Maintenance, and Support

You need to provide assurance that the processes for information systems operations, maintenance, and support meet the organization's strategies and objectives. The domain includes disaster recovery: you should know what to do in the event of data loss, how much data loss is acceptable (the recovery point objective), how quickly service must be restored (the recovery time objective), and how to manage these issues, among other things.

Specifically, the domain includes conducting periodic reviews of information systems and evaluating service level management practices, operations, end-user procedures, and the information systems maintenance process. Domain 4 and Domain 5 together account for half the exam (23 percent and 27 percent), so they are the most important part of the CISA syllabus.

When ISACA reduced the domains from six to five in 2011, the disaster recovery material from the old Domain 6 moved into Domain 4.

There are 6 areas or subdomains in Domain 4:
- Information Systems Operations
- Information Systems Hardware
- IS Architecture and Software
- IS Network Infrastructure
- Auditing Infrastructure and Operations
- Disaster Recovery Planning
5. Protection of Information Assets

The last domain covers how IT auditors provide assurance that the organization's security policies, standards, procedures, and controls ensure the confidentiality, integrity, and availability of information assets. At 27 percent, it is the most heavily weighted domain in the CISA syllabus.

This includes evaluating the information security policies, standards, and procedures, and the design, implementation, and monitoring of controls such as system and logical security controls, data classification processes, and physical access and environmental controls.

Domain 5 has eight subdomain areas:
- Importance of Information Security Management
- Logical Access
- Network Infrastructure Security
- Auditing Information Security Management Framework
- Auditing Network Infrastructure Security
- Environmental Exposures and Controls
- Physical Access Exposures and Controls
- Mobile Computing
Note: The CISA syllabus is changed every few years to reflect the constantly changing business environment of IT auditors.
Changes to the CISA Domains in 2019

The five domains that make up the CISA exam remain broadly the same in 2019, but two were renamed (Domain 1 became "Information Systems Auditing Process" and Domain 4 became "Information Systems Operations and Business Resilience") and the exam weighting changed slightly, with greater emphasis on the protection of information assets (up from 25 percent to 27 percent), a growing industry challenge. The domain percentages listed above under the syllabus are the 2019 weightings.