CISA 2010 Overview

ISACA®
Trust in, and value from, information systems
www.isaca.org

Transcript of CISA 2010 Overview

8/8/2019 CISA 2010 Overview

http://slidepdf.com/reader/full/cisa-2010-overview 1/32


2010 CISA® Review Course
Introduction
www.isaca.org/cisa


ISACA Facts

• Founded in 1969 as the EDP Auditors Association
• Since 1978, CISA has been a globally accepted standard of competency among IS audit, control, assurance and security professionals.
• More than 86,000 members in over 160 countries
• More than 185 chapters in over 75 countries worldwide


ANSI Accreditation

• The American National Standards Institute (ANSI) has awarded accreditation under ISO/IEC 17024 to the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certification programs. ANSI reaccredited these programs in 2008, and ISACA is currently under review for recertification.
• Accreditation by ANSI signifies that ISACA's procedures meet ANSI's essential requirements for openness, balance, consensus and due process.


CISA Certification Details
www.isaca.org/cisa


Why Become a CISA?

Enhanced Knowledge and Skills
• To demonstrate your willingness to improve your technical knowledge and skills
• To demonstrate to management your proficiency toward organizational excellence

Career Advancement
• To obtain credentials that employers seek
• To enhance your professional image

Worldwide Recognition
• To be included with over 73,000 other professionals who have gained the CISA designation worldwide


CISA in the Workplace

• More than 2,400 are now employed in organizations as the CEO, CFO or equivalent executive position
• Over 2,000 serve as chief audit executives (CAEs), audit partners or audit heads
• More than 6,000 serve as CIOs/CTOs, CISO/CSO, security directors, security managers or consultants
• More than 11,000 serve as audit directors, security staff, managers or consultants
• Over 15,500 are employed in managerial or consulting positions in IT operations or compliance
• More than 15,400 auditors (IS/IT and non-IS/IT)


Recent CISA Program Recognitions

• SC Magazine has named CISA the winner of the Best Professional Certification Program. With almost 700 entries submitted in 30 categories, the 2009 SC Awards were the most competitive yet in the program's 12-year history.
• The CISA certification program was awarded the "Best Professional Development Grand Award" and the "Best Professional Development (Scheme) Award" at the 'Hong Kong ICT Awards 2009' presentation ceremony. The Hong Kong ICT Awards were established in 2006 under a collaborative effort amongst the industry, academia and the Government.
• In a January 2010 study by Mile High Research, ISACA's CISA and CISM certifications made the top 10 in-demand IT certifications for new jobs posted over the last 14 days. The job descriptions specified one or more certifications as minimum or preferred credentials for the job posting. ISACA and other organizations whose credentials made the top 10 "obviously make a connection between their certifications and employers – that connection is value," said Denny Schall, CLO of Mile High Research.


Other CISA Program Recognitions

• According to bankinfosecurity.com, industry recruitment experts and information security professionals noted CISA and CISM as two of the top five certifications for 2009, as they provide assurance that the holder has extensive experience in their field above and beyond passing a test.
• CISAs qualify for the Disaster Recovery Institute International's (DRII) CBLA (Certified Business Continuity Lead Auditor) certification and get a bypass for the corresponding reference (experience) requirement. In addition, all CISAs are offered a 10% discount on DRII courses.
• The Securities and Exchange Board of India requires biannual system audits of all mutual funds to be conducted by an independent auditor who is CISA/CISM-certified or equivalent.
• CISAs are provided an exemption from the CEH (Certified Ethical Hacker) exam and are allowed to proceed directly to the EC-Council Certified Security Analyst (ECSA) exam, which leads to the Licensed Penetration Tester (LPT) certification.


Other CISA Program Recognitions (continued)

• The US Dept. of Defense includes CISA in its list of approved certifications for its information assurance professionals
• The US Department of Veterans Affairs reimburses exam fees for the CISA exam
• The Department of Information Technology has issued an empanelment of vendors for auditing the Reserve Bank's internal network and IT systems. CISA was listed as one of the pre-qualification criteria for bidding vendors. It was stipulated that the vendor should have a minimum of three CISA/CISSP certified professionals participating in the audit.
• The Payment Card Industry (PCI) Data Security Standard (DSS) has named CISA and CISM certifications as validation requirements for qualified security assessors (QSAs), the organizations that validate an entity's adherence to PCI DSS requirements.


Other CISA Program Recognitions (continued)

• All assistant examiners employed by the US Federal Reserve Banks must pass the CISA exam before they are eligible for commissioning
• The Department of Information Technology of the Government of N.C.T. of Delhi sent out an RFP for Website Security Audits of Delhi Government departments. This is the first large-scale audit RFP issued by any state government in India. CISA was named as one of the pre-qualification criteria for bidders.
• The National Stock Exchange of India has recognized CISA as a requirement to conduct system audits
• CERT-In, the Indian Computer Emergency Response Team, has recognized CISA as one of the requirements to be empanelled to conduct security audits


Other CISA Program Recognitions (continued)

• An information security law in Korea requires that highly skilled professionals, such as CISAs, perform information system audits and security services.
• In Romania, banks desiring to implement distance or electronic payment instruments, such as Internet and home banking, are required by law to be certified by CISA certification-holding auditors.
• Article 58 of the Public Finance Act in the Republic of Poland (passed in late 2006) acknowledges the CISA certification as one of three designations recognized by the act as an entitlement to be a public-sector auditor.
• The Peruvian government recognizes CISAs for their expertise and specialization, which is required for practitioners in internal auditing.


Other CISA Program Recognitions (continued)

• In Malaysia, the Multimedia Development Corporation (MDEC) provides partial reimbursement for certain CISA and CISM certification and training fees.
• The Canadian Institute of Chartered Accountants (CICA) accredits ISACA as the only body whose designation leads to recognition as a CA-designated specialist in information systems audit, control and security.
• In Hong Kong, ISACA members who have held a CISA certification for at least four years have the right to vote for the city's legislative councillors, as representatives of the IT category among the functional constituencies.
• Under India's National Information Security Assurance Program, the Department of Information Technology recognizes the CISA designation to assess the information security risks in public sector organizations.


CISAs by Area

• North America: 46%
• Asia/Mid-East: 27%
• Europe/Africa: 22%
• Central/South America: 3%
• Oceania: 2%


CISA Job Practice Areas (Effective 2006)

Note: A CISA job practice analysis is underway to reflect the vital and evolving responsibilities of IT auditors and stay current with the market. Results of this analysis will be incorporated into the June 2011 exam. www.isaca.org/cisajpa

1. IS Audit Process – 10%
Provide IS audit services in accordance with IS audit standards, guidelines, and best practices to assist the organization in ensuring that its information technology and business systems are protected and controlled.

2. IT Governance – 15%
Provide assurance that the organization has the structure, policies, accountability, mechanisms, and monitoring practices in place to achieve the requirements of corporate governance of IT.

3. Systems and Infrastructure Lifecycle Management – 16%
Provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance, and disposal of systems and infrastructure will meet the organization's objectives.


CISA Job Practice Areas (Effective 2006) (continued)

4. IT Service Delivery and Support – 14%
Provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization's objectives.

5. Protection of Information Assets – 31%
Provide assurance that the security architecture (policies, standards, procedures, and controls) ensures the confidentiality, integrity, and availability of information assets.

6. Business Continuity and Disaster Recovery – 14%
Provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact.

For complete details visit: www.isaca.org/cisajobpractice


CISA Certification Requirements

• Earn a passing score on the CISA Exam
• Submit verified evidence of a minimum of five years of verifiable IS audit, control or security experience (substitutions available)
• Submit the CISA application and receive approval
• Adhere to the ISACA Code of Professional Ethics
• Abide by IS Auditing Standards as adopted by ISACA
• Comply with continuing professional education policy


Administration of the CISA Exam

2010 Exam Dates:
– Saturday 12 June 2010
– Saturday 11 December 2010

– The CISA exam is offered in 12 languages and at over 240 locations
– Offered in every city where there is an ISACA chapter or a large interest in individuals sitting for the exam
– Passing mark of 450 on a common scale of 200 to 800


2010 Registration Fees
Exam: 12 June 2010

Early Registration - On or before 10 February 2010:
• ISACA Member: US $415.00
• Non-Member: US $545.00

Final Registration - After 10 February, but on or before 7 April 2010:
• ISACA Member: US $465.00
• Non-Member: US $595.00

Register Online at www.isaca.org/examreg
• Online registration via the ISACA web site is encouraged, as candidates will save US $50. Non-members can join ISACA at the same time, which maximizes their savings.

Exam registration fees must be paid in full to sit for the exams. Those whose exam registration fees are not paid will not be sent an exam admission ticket and their registration will be cancelled.


2010 Registration Fees
Exam: 11 December 2010

Early Registration - On or before 18 August 2010:
• ISACA Member: US $415.00
• Non-Member: US $545.00

Final Registration - After 18 August, but on or before 6 October 2010:
• ISACA Member: US $465.00
• Non-Member: US $595.00

Register Online at www.isaca.org/examreg
• Online registration via the ISACA web site is encouraged, as candidates will save US $50. Non-members can join ISACA at the same time, which maximizes their savings.

Exam registration fees must be paid in full to sit for the exams. Those whose exam registration fees are not paid will not be sent an exam admission ticket and their registration will be cancelled.


Bulletin of Information and Registration Form

• There is a Bulletin of Information for each exam administration for each exam.
• The CISA Bulletin of Information can be downloaded from the ISACA web site at: www.isaca.org/cisaboi
• It is available in 12 languages.
• The Bulletin includes:
– Requirements for certification
– Exam description
– Registration instructions
– Test date procedures
– Score reporting
– Test center locations
– Registration forms


Types of Questions on the CISA Exam

• Exam consists of 200 multiple choice questions administered over a four-hour period
• Questions are designed to test practical knowledge and experience
• Questions require the candidate to choose one best answer
• Every question or statement has four options (answer choices)


Quality of the Exam Ensured by:

• Job Practice Analysis Study: Determines content
• Test Development Standards: Ensures high standards for the development and review of questions
• Review Process: Provides two reviews of questions by independent committees before acceptance into the pool
• Periodic Pool Cleaning: Ensures that questions in the pool are up-to-date by continuously reviewing questions
• Statistical Analysis of Questions: Ensures quality questions and grading by analyzing exam statistics for each language


2010 Study Materials

Prices shown as ISACA Members / Non-Members:
• Candidate's Guide to the CISA Exam: free to each paid registrant
• CISA Review Manual 2010: (US) $105.00 / (US) $135.00
• CISA Review Questions, Answers & Explanations Manual 2010: (US) $100.00 / (US) $130.00
• CISA Review Questions, Answers & Explanations Manual 2010 Supplement: (US) $40.00 / (US) $60.00
• CISA Practice Question Database V10: (US) $185.00 / (US) $225.00


How to Develop a CISA Study Plan

A proper study plan consists of several steps:
• Self-appraisal
• Determination of the type of study program
• Having an adequate amount of time to prepare
• Maintaining momentum
• Readiness review

Become involved in your local chapter and explore networking opportunities and study groups.


How to Study for the CISA Exam

• Read the Candidate's Guide thoroughly
• Study the CISA Review Manual
• Work through the CISA Review Questions, Answers & Explanations Manual, Supplement and CD
• Participate in an ISACA Chapter Review Course
• Read literature in areas where you need to strengthen skills
• Spend time studying the complement of your field: if external auditor, study IS audit from the internal audit perspective and vice-versa
• Join or organize study groups
• Take the ISACA online review course, available at www.isaca.org/elearningcampus.


Application for Certification

• Is available at www.isaca.org/cisaapp
• Is available in hard copy upon request to ISACA's certification department
• Contains:
– Requirements for certification
– Code of Professional Ethics
– Instructions for completion of form. Translated instructions are also available at www.isaca.org/cisaapp.
– Verification of work experience for applicant form
– CISA application form


CISA Continuing Professional Education (CPE) Policy Details
www.isaca.org/cisacpepolicy


Continuing Professional Education (CPE) Requirements

Certification is renewed for those who:
• Report an annual minimum of 20 hours of continuing professional education
• Report a minimum of 120 hours of continuing education for each fixed three-year period
• Pay the annual certification maintenance fee
• Respond and submit required documentation of continuing education activities if selected for an annual audit
• Comply with the ISACA Code of Professional Ethics


ISACA Code of Professional Ethics

Members and ISACA certification holders shall:
• Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
• Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
• Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.


ISACA Code of Professional Ethics (continued)

Members and ISACA certification holders shall:
• Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
• Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
• Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
• Support the professional education of stakeholders in enhancing their understanding of information systems security and control.


Want to know more?

Please contact us at:
ISACA
3701 Algonquin Road
Suite 1010
Rolling Meadows, IL 60008 USA
• Phone: +1.847.660.5660
• Fax: +1.847.253.1443
• E-mail: [email protected]
• Web site: www.isaca.org