Certified Information Systems Auditor (CISA)


The CISA, issued by ISACA, is a globally recognized certification for
professionals who audit, monitor, and assess an organization's
information systems and business operations. It attests to the
holder's auditing experience, knowledge, and skills in evaluating
vulnerabilities, reporting on compliance, and instituting controls
within the enterprise. Organizations need audit professionals with
the knowledge and expertise to identify critical issues and security
challenges; the skills and practices that the CISA promotes and
evaluates are the building blocks of that work, and holding the
certification is a recognized measure of proficiency in the profession.

Target Audience
• Individuals who want to learn information systems auditing
• Professionals who are auditors or who work in an audit environment
• Professionals who want to build a career in information systems
• IT managers
• Security managers
• Systems analysts
• Consultants

Experience Substitutions
• A maximum of 1 year of information systems experience OR 1 year of non-IS
auditing experience can be substituted for 1 year of the required experience.
• 60 to 120 completed university semester credit hours (the equivalent of a 2-year
or 4-year degree), not limited by the 10-year preceding restriction, can be
substituted for 1 or 2 years of experience, respectively.
• A master's degree in information security or information technology from an
accredited university can be substituted for 1 year of experience.

Exam Information
Duration: 4 hours
Number of questions: 150
Question format: Multiple choice
Passing grade: 450 out of 800
Languages available: English, French, German, Hebrew, Italian, Japanese, Korean, Spanish

Domain 1: Information Systems Auditing Process

1.1 Planning
• IS Audit Standards, Guidelines, and Codes of Ethics
• Business Processes
• Types of Controls
• Risk-based Audit Planning
• Types of Audits and Assessments

1.2 Execution
• Audit Project Management
• Sampling Methodology
• Audit Evidence Collection Techniques
• Data Analytics
• Reporting and Communication Techniques
• Quality Assurance and Improvement of the Audit Process

Domain 2: Governance and Management of IT

2.1 IT Governance and IT Strategy
• IT-related Frameworks
• IT Standards, Policies, and Procedures
• Organizational Structure
• Enterprise Architecture
• Enterprise Risk Management
• Maturity Models
• Laws, Regulations and Industry Standards Affecting the Organization

2.2 IT Management
• IT Resource Management
• IT Service Provider Acquisition and Management
• IT Performance Monitoring and Reporting
• Quality Assurance and Quality Management of IT

Domain 3: Information Systems Acquisition, Development and Implementation

3.1 Information Systems Acquisition and Development
• Project Governance and Management
• Business Case and Feasibility Analysis
• System Development Methodologies
• Control Identification and Design

3.2 Information Systems Implementation
• Testing Methodologies
• Configuration and Release Management
• System Migration, Infrastructure Deployment and Data Conversion
• Post-implementation Review

Domain 4: IS Operations and Business Resilience

4.1 Information Systems Operations
• Common Technology Components
• IT Asset Management
• Job Scheduling and Production Process Automation
• System Interfaces
• End-user Computing
• Data Governance
• Systems Performance Management
• Problem and Incident Management
• Change, Configuration, Release and Patch Management
• IT Service Level Management

4.2 Business Resilience
• Business Impact Analysis
• System Resiliency
• Data Backup, Storage and Restoration
• Business Continuity Plan
• Disaster Recovery Plans

Domain 5: Protection of Information Assets

5.1 Information Asset Security Frameworks, Standards, and Guidelines
• Privacy Principles
• Physical Access and Environmental Controls
• Identity and Access Management
• Network and Endpoint Security
• Data Classification
• Data Encryption and Encryption-related Techniques
• Public Key Infrastructure
• Web-based Communication Technologies
• Virtualized Environments
• Mobile, Wireless and Internet-of-Things Devices

5.2 Security Event Management
• Security Awareness Training and Programs
• Information System Attack Methods and Techniques
• Security Testing Tools and Techniques
• Security Monitoring Tools and Techniques
• Incident Response Management
• Evidence Collection and Forensics