    Everything you should know about Certified Information Systems Auditor (CISA)

    By A.P. Samuel | Oct 13, 2017

    The CISA or Certified Information Systems Auditor certification offered by ISACA is among the most popular worldwide. It is designed for individuals who are responsible for auditing, controlling and monitoring an organization's information technology and business systems.

    This certification validates your professional experience, skills and knowledge in instituting technology controls, ensuring compliance and assessing vulnerabilities in an enterprise landscape.

    The globally recognized CISA certification is ideal for IT auditors, consultants, audit managers and security professionals.  To attain this certification, candidates must fulfill a series of stringent requirements.


    Exam Details

    To attain CISA certification, candidates must pass the CISA exam with a minimum scaled score of 450 (scores range from 200 to 800) and hold the professional experience described in the ‘Certification’ section below.  The CISA exam lasts 4 hours and consists of 150 multiple-choice questions covering the 5 job practice domains listed below.

    • The Process of Auditing Information Systems
    • Governance and Management of IT
    • Information Systems Acquisition, Development and Implementation
    • Information Systems Operations, Maintenance and Service Management
    • Protection of Information Assets

    Certification

    Candidates who have passed the CISA exam must apply for CISA certification within 5 years of passing.  Only candidates who fulfil the following experience requirements will be granted certification.

    The certification requires a minimum of 5 years of professional experience in information systems auditing, control, assurance or security.  This experience must have been gained within the 10-year period preceding the application date, or within 5 years of passing the exam.  Substitutions for up to 3 of the 5 required years may be claimed as described below.

    The following qualifying substitutes are allowed by ISACA.

    • A maximum of 1 year of information systems experience, or 1 year of non-IS auditing experience, can be substituted for 1 year of experience.
    • 60 to 120 completed university semester credit hours (the equivalent of a 2-year or 4-year degree), not limited by the 10-year preceding restriction, can be substituted for 1 or 2 years of experience respectively.
    • A bachelor’s or master’s degree from a university that enforces the ISACA-sponsored Model Curricula can be substituted for 1 year of experience.
    • A master’s degree in information security or information technology from an accredited university can be substituted for 1 year of experience.
    • 2 years as a full-time university instructor in a related field can be substituted for 1 year of experience.

    Maintaining CISA

    To ensure that every CISA maintains an adequate and current level of knowledge and proficiency in information systems audit, control and security, ISACA requires certified individuals to complete continuing professional education (CPE).

    The CISA CPE policy requires a set number of CPE hours to be earned and reported over each annual and 3-year certification period.  CISAs must comply with these requirements to retain their certification.

    Here is a look into what is required to maintain CISA certification.

    • Attain and report a minimum of 20 CPE hours annually. These hours must be appropriate to the currency or advancement of the CISA’s knowledge or ability to perform CISA-related tasks.
    • Pay the annual CPE maintenance fee in full to ISACA International Headquarters.
    • Attain and report a minimum of 120 CPE hours over each 3-year reporting period.
    • If selected for the annual audit, respond and submit the required documentation of CPE activities.
    • Comply with ISACA’s Code of Professional Ethics.
    • Adhere to ISACA’s IT audit and assurance standards.

    Failure to comply with these requirements may result in revocation of the CISA designation.

    Syllabus

    The job practice forms the basis of the exam and of the requirements to earn the certification.  It consists of task and knowledge statements that represent the work performed in information systems audit, assurance and control.  Each of the five domains comprises task and knowledge statements, as described below.

    The Process of Auditing Information Systems

    Task Statements:

    • Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
    • Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
    • Conduct audits in accordance with IS audit standards to achieve planned audit objectives.
    • Communicate audit results and make recommendations to key stakeholders through meetings and audit reports.
    • Conduct audit follow-ups to determine whether appropriate and timely action has been taken by the responsible parties.

    Knowledge Statements:

    • Knowledge of ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, the Code of Professional Ethics and other applicable standards.
    • Knowledge of risk assessment concepts and the tools and techniques used in planning, examination, reporting and follow-up.
    • Knowledge of fundamental business processes and the role of IS in these processes.
    • Knowledge of control principles related to controls in information systems.
    • Knowledge of risk-based audit planning and audit project management techniques, including follow-up.
    • Knowledge of the applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits.
    • Knowledge of evidence collection techniques.
    • Knowledge of different sampling methodologies and other substantive/data analytical procedures.
    • Knowledge of reporting and communication techniques.
    • Knowledge of audit quality assurance (QA) systems and frameworks.
    • Knowledge of various types of audits and methods for assessing and placing reliance on the work of other auditors or control entities.

    Governance and Management of IT

    Task Statements:

    • Assess the IT strategy, including IT direction, and the processes for the strategy’s development, approval, implementation and maintenance for alignment with the organization’s strategies and objectives.
    • Assess the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization’s strategies and objectives.
    • Assess the IT organizational structure and human resources (personnel) management to determine whether they support the organization’s strategies and objectives.
    • Assess the organization’s IT policies, standards and procedures, and the processes for their development, approval, implementation and maintenance, to determine whether they support the IT strategy and comply with regulatory and legal requirements.
    • Assess IT resource management, including investment and allocation practices, and IT portfolio management for alignment with the organization’s strategies and objectives.
    • Assess risk management practices to determine whether the organization’s IT-related risks are properly managed.
    • Assess IT management and monitoring of controls for compliance with the organization’s policies, standards and procedures.
    • Assess monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.
    • Assess the organization’s business continuity plan (BCP), including alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization’s ability to continue essential business operations during an IT disruption.

    Knowledge Statements:

    • Knowledge of the purpose of IT strategy, policies, standards and procedures for an organization.
    • Knowledge of IT governance, management, security and control frameworks.
    • Knowledge of the organization’s IT-related structure, roles and responsibilities, including segregation of duties (SoD).
    • Knowledge of relevant laws, regulations and industry standards.
    • Knowledge of the organization’s technology direction and IT architecture.
    • Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures.
    • Knowledge of the use of capability and maturity models, and of process optimization techniques.
    • Knowledge of IT resource investment and allocation practices.
    • Knowledge of IT vendor selection, contract management, relationship management and performance monitoring processes.
    • Knowledge of enterprise risk management (ERM) and of the practices used to monitor and report on control performance.
    • Knowledge of quality management and QA systems, and of the practices for monitoring and reporting IT performance.
    • Knowledge of business impact analysis (BIA) and of the standards and procedures for developing, maintaining and testing the BCP.
    • Knowledge of the procedures used to invoke and execute the BCP and return to normal operations.

    Information Systems Acquisition, Development, and Implementation

    Task Statements:

    • Assess the business case for proposed investments in IS acquisition, development, maintenance and subsequent retirement to determine whether it meets business objectives.
    • Assess IT vendor selection and contract management practices.
    • Assess the project management framework and controls to determine whether business requirements are met cost-effectively while managing risk.
    • Conduct reviews to determine whether a project is progressing in accordance with its plans.
    • Assess controls for information systems during their various phases for compliance with the organization’s policies, standards, procedures and other requirements.
    • Assess the readiness of information systems for implementation and migration into production.
    • Conduct post-implementation reviews.

    Knowledge Statements:

    • Knowledge of benefits realization practices, and of IT acquisition and vendor management practices, including external IT suppliers and service providers.
    • Knowledge of project governance mechanisms, project management control frameworks, practices and tools.
    • Knowledge of risk management practices applied to projects, and of requirements analysis and management practices.
    • Knowledge of enterprise architecture (EA) related to data, applications and technology.
    • Knowledge of system development methodologies and tools.
    • Knowledge of control objectives and techniques.
    • Knowledge of system development life cycle (SDLC) methodologies and practices.
    • Knowledge of configuration and release management.
    • Knowledge of system migration and infrastructure deployment practices, and of data conversion tools, techniques and procedures.
    • Knowledge of project success criteria and project risk, and of post-implementation review objectives and practices.

    Information Systems Operations, Maintenance and Service Management

    Task Statements:

    • Assess the IT service management framework and practices to determine whether the controls and service levels expected by the organization are adhered to and whether strategic objectives are met.
    • Conduct periodic reviews of information systems to determine whether they continue to meet the organization’s objectives within the enterprise architecture (EA).
    • Assess IT operations to determine whether they are controlled effectively and continue to support the organization’s objectives.
    • Assess IT maintenance practices.
    • Assess database management practices, data quality and life cycle management.
    • Assess problem and incident management practices, and change and release management practices.
    • Assess end-user computing, and IT continuity and resilience.

    Knowledge Statements:

    • Knowledge of service management frameworks and practices, and of service level management.
    • Knowledge of techniques for monitoring third-party performance and compliance.
    • Knowledge of enterprise architecture (EA) and of the functionality of fundamental technology.
    • Knowledge of resiliency tools and techniques, IT asset management, software licensing, inventory and source code management practices.
    • Knowledge of job scheduling practices and control techniques.
    • Knowledge of capacity planning and related monitoring tools and techniques.
    • Knowledge of systems performance monitoring processes, tools and techniques.
    • Knowledge of database management and optimization practices, and of data backup, storage, maintenance and restoration practices.
    • Knowledge of incident and problem management practices, and of data quality.
    • Knowledge of configuration, change, patch and release management practices.
    • Knowledge of operational risk and controls related to end-user computing.
    • Knowledge of the regulatory, legal, contractual and insurance issues related to disaster recovery, and of business impact analysis (BIA).
    • Knowledge of the development and maintenance of disaster recovery plans (DRPs).
    • Knowledge of the benefits and drawbacks of alternate processing sites.
    • Knowledge of disaster recovery testing methods and of the processes used to invoke DRPs.

    Protection of Information Assets

    Task Statements:

    • Assess the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.
    • Assess the design, implementation, maintenance, monitoring and reporting of physical and environmental controls, and of logical security controls.
    • Assess the design, implementation and monitoring of data classification processes and procedures for alignment with the organization’s policies, standards, procedures and applicable external requirements.
    • Assess the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.
    • Assess the information security program for alignment with the organization’s strategies and objectives.

    Knowledge Statements:

    • Knowledge of generally accepted practices and applicable external requirements, including privacy principles.
    • Knowledge of the techniques for the design, implementation, maintenance, monitoring and reporting of security controls.
    • Knowledge of physical and environmental controls and the related supporting practices.
    • Knowledge of the physical access controls used to identify, authenticate and restrict users to authorized facilities and hardware.
    • Knowledge of the logical access controls used to identify, authenticate and restrict users to authorized functions and data.
    • Knowledge of the security controls related to hardware, system software and database management systems.
    • Knowledge of the risk and controls associated with virtualization of systems and with the use of mobile and wireless devices.
    • Knowledge of voice communication security and of network and internet security devices, protocols and techniques.
    • Knowledge of network security controls.
    • Knowledge of encryption-related techniques and their uses.
    • Knowledge of public key infrastructure (PKI) components and digital signature techniques.
    • Knowledge of the risk and controls associated with peer-to-peer computing, instant messaging and web-based technologies.
    • Knowledge of the data classification standards related to the protection of information assets.
    • Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets.
    • Knowledge of the risk and controls associated with data leakage, and of the security risk and controls related to end-user computing.
    • Knowledge of the methods for implementing a security awareness program.
    • Knowledge of information system attack methods and techniques.
    • Knowledge of prevention and detection tools and control techniques.
    • Knowledge of security testing techniques.
    • Knowledge of the processes related to monitoring and responding to security incidents.
    • Knowledge of the processes and procedures followed in forensic investigations for the collection and preservation of data and evidence.
    • Knowledge of fraud risk factors related to the protection of information assets.

    Benefits of CISA Certification

    Holding the CISA certification shows that the candidate is competent in IS audit, and validates a high level of control and security skills.  Here are some key benefits of this certification:

    • Demonstrates your knowledge of information security and of the IT audit process.
    • Quantifies and markets your expertise.
    • Confirms your standing as an IS audit professional, with a globally recognized mark of excellence.
    • Helps you stand out from the crowd when seeking career growth.
    • Provides access to valuable resources, including peer networking and idea exchange.

    Conclusion

    CISA-certified professionals meet a global standard for IT audit, control and security. Apart from being recognized by employers across the globe, they are often sought for IT audit and security management positions.

    Demand for qualified guidance, tools, credentials and trained professionals in this field is growing quickly, and attaining the CISA helps you stand out in that market.

    CISA certification is in high demand in the global job market because certified professionals bring a recognized skill set and can work in complex environments.
