What is covered on the CISA exam?
The Certified Information Systems Auditor® (CISA®) exam consists of 150 questions covering 5 job practice domains, all testing your knowledge and ability on real-life job practices leveraged by expert professionals.
- Domain 1: Information System Auditing Process
- Domain 2: Governance & Management of IT
- Domain 3: Information Systems Acquisition, Development & Implementation
- Domain 4: Information Systems Operations and Business Resilience
- Domain 5: Protection of Information Assets
Secondary Classifications – Tasks
- Plan an audit to determine whether information systems are protected, controlled, and provide value to the organization.
- Conduct audits in accordance with IS audit standards and a risk-based IS audit strategy.
- Apply project management methodologies to the audit process.
- Communicate and collect feedback on audit progress, findings, results, and recommendations with stakeholders.
- Conduct post-audit follow-up to evaluate whether identified risk has been sufficiently addressed.
- Utilize data analytics tools to enhance audit processes.
- Evaluate the role and/or impact of automation and/or decision-making systems for an organization.
- Evaluate audit processes as part of quality assurance and improvement programs.
- Evaluate the IT strategy for alignment with the organization’s strategies and objectives.
- Evaluate the effectiveness of IT governance structure and IT organizational structure.
- Evaluate the organization’s management of IT policies and practices, including compliance with legal and regulatory requirements.
- Evaluate IT resource and project management for alignment with the organization’s strategies and objectives.
- Evaluate the organization’s enterprise risk management (ERM) program.
- Determine whether the organization has defined ownership of IT risk, controls, and standards.
- Evaluate the monitoring and reporting of IT key performance indicators (KPIs) and IT key risk indicators (KRIs).
- Evaluate the organization’s ability to continue business operations.
- Evaluate the organization’s storage, backup, and restoration policies and processes.
- Evaluate whether the business cases related to information systems meet business objectives.
- Evaluate whether IT vendor selection and contract management processes meet business, legal, and regulatory requirements.
- Evaluate supply chains for IT risk factors and integrity issues.
- Evaluate controls at all stages of the information systems development life cycle.
- Evaluate the readiness of information systems for implementation and migration into production.
- Conduct post-implementation reviews of systems to determine whether project deliverables, controls, and requirements are met.
- Evaluate whether effective processes are in place to support end users.
- Evaluate whether IT service management practices align with organizational requirements.
- Conduct periodic review of information systems and enterprise architecture (EA) to determine alignment with organizational objectives.
- Evaluate whether IT operations and maintenance practices support the organization’s objectives.
- Evaluate the organization’s database management practices.
- Evaluate the organization’s data governance program.
- Evaluate the organization’s privacy program.
- Evaluate data classification practices for alignment with the organization’s data governance program, privacy program, and applicable external requirements.
- Evaluate the organization’s problem and incident management program.
- Evaluate the organization’s change, configuration, release, and patch management programs.
- Evaluate the organization’s log management program.
- Evaluate the organization’s policies and practices related to asset life cycle management.
- Evaluate risk associated with shadow IT and end-user computing (EUC) to determine effectiveness of compensating controls.
- Evaluate the organization’s information security program.
- Evaluate the organization’s threat and vulnerability management program.
- Utilize technical security testing to identify potential vulnerabilities.
- Evaluate logical, physical, and environmental controls to verify the confidentiality, integrity, and availability of information assets.
- Evaluate the organization’s security awareness training program.
- Provide guidance to the organization in order to improve the quality and control of information systems.
- Evaluate potential opportunities and risks associated with emerging technologies, regulations, and industry practices.