
CISA Syllabus consists of 5 domains:

- Domain 1: The process of auditing information systems (21%)
- Domain 2: Governance and management of IT (16%)
- Domain 3: Information systems acquisition, development, and implementation (18%)
- Domain 4: Information systems operations, maintenance and support (20%)
- Domain 5: Protection of information assets (25%)

CISA Syllabus – Domain 1

The title for Domain 1 is The Process of Auditing Information Systems. There are 7 areas that you need to understand in Domain 1:

- Management of the IS Audit Function
- ISACA IT Audit and Assurance Standards and Guidelines
- Risk Analysis
- Internal Controls
- Performing an IS Audit
- Control Self-Assessment
- The Evolving IS Audit Process

CISA Syllabus – Domain 2

The title for Domain 2 is Governance and Management of IT. There are 12 areas that you need to understand in Domain 2:

- Corporate Governance
- IT Governance (ITG)
- Information Technology Monitoring and Assurance Practices for Board and Senior Management
- Information Systems Strategy
- Maturity and Process Improvement Models
- IT Investment and Allocation Practices
- Policies and Procedures
- Risk Management
- Human Resources Management (before, during and after)
- IS Organizational Structure and Responsibilities
- Auditing IT Governance Structure and Implementation
- Auditing Business Continuity

CISA Syllabus – Domain 3

The title for Domain 3 is Information Systems Acquisition, Development and Implementation. There are 12 areas that you need to understand in Domain 3:

- Business realization
- Project Management Structure
- Project Management Practices
- Business Application Development
- Business Application Systems
- Alternative Development Methods
- Infrastructure Development/Acquisition Practices
- Information Systems Maintenance Practices
- System Development Tools and Productivity Aids
- Process Improvement Practices
- Application Controls
- Auditing Systems Development, Acquisition and Maintenance

CISA Syllabus – Domain 4

The title for Domain 4 is Information Systems Operations, Maintenance and Support. There are 6 areas that you need to understand in Domain 4:

- Information Systems Operations
- Information Systems Hardware
- IS Architecture and Software
- IS Network Infrastructure
- Auditing Infrastructure and Operations
- Disaster Recovery Planning

CISA Syllabus – Domain 5

The title for Domain 5 is Protection of Information Assets. There are 7 areas that you need to understand in Domain 5:

- Importance of Information Security Management
- Logical Access
- Network Infrastructure Security
- Auditing Information Security Management Framework
- Auditing Network Infrastructure Security
- Physical Access Exposures and Controls
- Mobile Computing

CISA Syllabus – Domain 1 – The Process of Auditing Information Systems

1) Management of the IS Audit Function

- Need to know about the audit charter and what it contains
- Need to know the steps to perform audit planning. In the CISA Review Manual on page 34, look at Exhibit 1.2 and commit those steps to memory
- Take an ink pen and write on your hand “Gain an understanding of the business’s mission, objectives, purpose and processes.” IMPORTANT: this shows up in about 3-4 questions on the exam.
- Read through the section on “Effect of Laws and Regulations on IS Audit Planning”, paying particular attention to the Basel II Accord on page 35.

2) ISACA IT Audit and Assurance Standards and Guidelines

- Memorize S1, S2, S4, S9, and S10. Standards S12 through S16 are recent additions to CISA and you should have a close acquaintance with S12, S13 and S14.
- Memorize G5, G10, G18, and G19. Guidelines G41 and G42 are recent additions to CISA and ROSI is receiving a lot of press, so be familiar with the concept of Return on Security Investment and how to calculate it.
- Memorize P2, P5, P7, and P10
- You should have an understanding of ITAF (Information Technology Assurance Framework), particularly section 3000 on IT Assurance Guidelines

3) Risk Analysis

- Know the definition of risk
- Know the remediation methods (Accept, Mitigate, Transfer, Avoid)

4) Internal Controls

- Know the difference between Preventive, Detective, and Corrective controls
- Understand how COBIT fits into ISACA’s idea of supporting IT governance and management
- Understand the difference between IT control objectives and internal control objectives

5) Performing an IS Audit

- Know the definitions of Auditing and IS Auditing – they’re different
- Know the different types of audits; read closely about integrated audits and forensic audits
- Know the different phases of an audit; in other words, memorize Exhibit 1.5 on page 53
- Understand the concept of risk-based auditing, including inherent, control, and detection risks.
- Be able to give examples of both compliance testing and substantive testing
- Sampling is a section in the Review Manual that you just have to memorize, that’s it: memorize page 60 of the CISA manual

6) Control Self-Assessment

- Your role is as a facilitator

7) The Evolving IS Audit Process

- Integrated auditing means you work with the financial auditor on an audit which is based on RISK
- Understand the difference between continuous monitoring and continuous auditing

The first domain is a basis for understanding the whole area of Certified Information Systems Auditor, and without a grasp of the basic fundamentals you cannot be successful in the other domains.


CISA Syllabus – Domain 2 – Governance and Management of IT

1) Corporate Governance

- Know the definition for corporate governance
- Know what ISO 26000 is (30,000 foot view)
- Familiarize yourself with OECD 2004, OECD Principles of Corporate Governance

2) IT Governance (ITG)

- ITG is concerned with two issues: what are they, and what drives them?

3) Information Technology Monitoring and Assurance Practices for Board and Senior Management

- Who is responsible for ITG?
- Name the five focus areas for ITG
- Familiarize yourself with the different IT governance frameworks (COBIT, ISO 27001, ITIL, IBPC, ISM3, AS8015 and ISO 38500)
- Know audit’s role in ITG
- Know what the responsibilities are for the IT Strategy Committee and the IT Steering Committee (this is another one of those charts that you’ve just got to memorize)

4) Information Systems Strategy

- Understand the importance of IT strategic planning and the primary function performed by the Steering Committee

5) Maturity and Process Improvement Models

- Know the definitions for CMMI, TSP and PSP
- The IDEAL model from SEI is getting a lot of attention from ISACA

6) IT Investment and Allocation Practices

- Go to the ISACA website and download the Val IT document and read it, enough said.
- What does IT Portfolio Management allow organizations to do that the Balanced Scorecard doesn’t?

7) Policies and Procedures

- The highest policy is the organization’s information security policy
- Other security policies might include 1) data classification, 2) acceptable use, 3) end-user computing, and 4) access control
- Know the different things to look for when you review the information security policy
- Procedures are required and they are “step by step instructions” <– that’s a hint!!!!!

8) Risk Management

- What are management’s options? Avoid, Mitigate, Transfer, Accept
- Know the different levels that IT risk management needs to operate at: Operational, Project, and Strategic
- Understand the difference between Qualitative Analysis, Semiquantitative Analysis and Quantitative Analysis
- Know how to calculate Annual Loss Expectancy (ALE)

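As an added example that is not from the CISA Review Manual, the following Python works the two figures these notes tell you to be able to calculate: Return on Security Investment (Domain 1, guidelines section) and Annual Loss Expectancy (the Risk Management item above). The laptop-fleet scenario, the 40,000-per-year control cost and the ROSI form used (net annual saving divided by annual control cost) are assumptions made for illustration; check them against the manual's own wording before the exam.

```python
"""ALE and ROSI calculations for a quantitative risk analysis.

Added example, not taken from the CISA Review Manual. Formulas used here:
  SLE  = asset value * exposure factor        (single loss expectancy)
  ALE  = SLE * ARO                            (annual loss expectancy)
  ROSI = (ALE_before - ALE_after - annual control cost) / annual control cost
All figures in the worked scenario below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of asset value lost per incident (0.0 to 1.0)
    aro: float              # annualised rate of occurrence (incidents per year)


def single_loss_expectancy(t: Threat) -> float:
    """SLE: how much one occurrence of the threat costs."""
    if not 0.0 <= t.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return t.asset_value * t.exposure_factor


def annual_loss_expectancy(t: Threat) -> float:
    """ALE: expected loss per year, before or after a control is applied."""
    return single_loss_expectancy(t) * t.aro


def rosi(before: Threat, after: Threat, annual_control_cost: float) -> float:
    """Return on Security Investment as a ratio (1.0 means a 100% return).

    The control pays for itself when the ALE it removes exceeds what it costs,
    i.e. when the result is positive.
    """
    if annual_control_cost <= 0:
        raise ValueError("annual control cost must be positive")
    risk_reduction = annual_loss_expectancy(before) - annual_loss_expectancy(after)
    return (risk_reduction - annual_control_cost) / annual_control_cost


def worked_example() -> dict:
    """Constructed scenario: lost laptops, before and after full-disk encryption."""
    # Assumption: 500,000 of data value across the fleet, 10% of it exposed per
    # lost device, two losses a year.
    unencrypted = Threat("lost laptop, no encryption", 500_000, 0.10, 2.0)
    # Assumption: with encryption only the hardware is lost (2% of the value);
    # the loss rate itself does not change.
    encrypted = Threat("lost laptop, full-disk encryption", 500_000, 0.02, 2.0)
    control_cost = 40_000  # assumed annual licence and support cost of the control

    return {
        "ale_before": annual_loss_expectancy(unencrypted),
        "ale_after": annual_loss_expectancy(encrypted),
        "rosi": rosi(unencrypted, encrypted, control_cost),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:>10}: {value:,.2f}")
```

The point to notice for the exam is that the control is justified by the difference between the two ALEs, not by the ALE before the control on its own: a control that costs more than the loss it removes has a negative ROSI even if the original ALE looked large.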


9) IS Management Practices (five sub-areas you will need to understand)

- Human Resources Management (before, during and after)
- Sourcing Practices (Insourced, Outsourced, Hybrid, as well as the concepts and definitions for Onsite, Offsite and Offshore)
- Organizational change management – nothing gets changed without management approval
- Financial Management Practices – you need to understand the concept of Chargeback
- Quality Management – you need to be aware of QM and ISO 9000, but ISACA does not test specifics on any ISO standard

10) IS Organizational Structure and Responsibilities

- Roles and responsibilities – there’s a chart in the CISA manual entitled Segregation of Duties Control Matrix; this is another one of those things to MEMORIZE
- There are also some definitions specific to DBA and QA personnel that you will need to read about

11) Auditing IT Governance Structure and Implementation

- In this area you need to know that the first thing you do is “Gain an Understanding of the Business”, which means reading the information security policy
- After that, go get the organization charts, job descriptions and your memorized Segregation of Duties Control Matrix and see if you can find discrepancies

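The discrepancy search in the item above is a mechanical comparison once the matrix and the job descriptions are in hand. The Python below is an added example, not the manual's matrix or procedure: the conflicting role pairs and the staff extract are constructed for illustration, so treat the pairs as assumptions rather than ISACA's published Segregation of Duties Control Matrix.

```python
"""Check role assignments against a segregation-of-duties (SoD) control matrix.

Added example, not the CISA Review Manual's matrix: the conflicting pairs and the
staff extract below are constructed for illustration, so treat the pairs as
assumptions rather than ISACA's published control matrix.
"""
from itertools import combinations

# The matrix as a set of unordered role pairs that one person must not hold together.
# Assumed pairs; a real audit would transcribe them from the organisation's own matrix.
SOD_CONFLICTS = {
    frozenset({"application programmer", "computer operator"}),
    frozenset({"application programmer", "database administrator"}),
    frozenset({"application programmer", "security administrator"}),
    frozenset({"systems programmer", "security administrator"}),
    frozenset({"data entry", "control group"}),
}


def find_sod_violations(staff, matrix=SOD_CONFLICTS):
    """Return (person, role_a, role_b) for each conflicting pair a person holds.

    `staff` maps a person to the set of roles their job description grants them.
    """
    violations = []
    for person, roles in staff.items():
        for role_a, role_b in combinations(sorted(roles), 2):
            if frozenset({role_a, role_b}) in matrix:
                violations.append((person, role_a, role_b))
    return violations


def find_unmatrixed_roles(staff, matrix=SOD_CONFLICTS):
    """Roles that appear in job descriptions but nowhere in the matrix.

    These are not violations, but they mean the matrix is stale or incomplete,
    so the auditor cannot conclude anything about them from the matrix alone.
    """
    known = set().union(*matrix)
    in_use = {role for roles in staff.values() for role in roles}
    return sorted(in_use - known)


# Constructed extract of an org chart plus job descriptions.
STAFF = {
    "alice": {"application programmer", "computer operator"},
    "bob": {"database administrator"},
    "carol": {"security administrator", "systems programmer"},
    "dave": {"help desk", "end user"},
}


if __name__ == "__main__":
    for person, a, b in find_sod_violations(STAFF):
        print(f"SoD conflict: {person} holds both '{a}' and '{b}'")
    print("roles not covered by the matrix:", find_unmatrixed_roles(STAFF))
```

Two kinds of finding come out: the conflicts themselves, and the roles the matrix never mentions. The second list is the one that tells you whether the chart you memorized still matches the organization you are auditing.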

12) Auditing Business Continuity

- Review the BCP
- Review the test results; we’re assuming they tested the BCP of course, and they should have documented “Lessons Learned” <– another hint, ISACA likes this term

CISA Syllabus – Domain 3 – Information Systems Acquisition, Development and Implementation

1) Business realization

- Know the difference between portfolio management and program management
- Know the seven steps of benefit realization or benefits management (a question might refer to either)

2) Project Management Structure

- Know the three major forms of organizational alignment
- Know three different ways to communicate during project initiation
- Project objectives are aligned with what? Business objectives, of course
- Know the roles and responsibilities for the project steering committee, project sponsor, and quality assurance

3) Project Management Practices

- Know the three elements of a project and the effect of increasing or decreasing one of the elements
- Of the nine ways of project planning, concentrate on SLOC, FPA, CPM, Gantt, PERT and TBM

4) Business Application Development

- What is the major risk of any software development project? The final outcome does not meet all requirements.
- Understand the eight phases of the traditional SDLC approach
- In which phase does testing start?
- In which phase does security start (control specs)?
- In which phase does UAT occur?
- What should be in an RFP?
- What is software baselining and when does it occur?
- What is the auditor’s focus in the SDLC?
- What’s an IDE?
- Know the difference between Unit Testing, Interface/Integration Testing, System Testing and Final Acceptance Testing

5) Business Application Systems

- Be able to define authentication and nonrepudiation
- Know the difference between an RA and a CA
- If you are your own CA, who does the CRL and what is the biggest issue?
- In EDI, what does the comm handler do? What does the application interface do?
- What is the biggest risk in EDI?

6) Alternative Development Methods

- What’s the major advantage of OOSD?
- What’s the advantage of component-based development?
- What’s the difference between reengineering and reverse engineering?

7) Infrastructure Development/Acquisition Practices

- What are the phases of physical architecture analysis, and what happens during the functional requirement phase?
- What are the phases of “Planning the Implementation of Infrastructure”? Know the details of each of the four phases.
- Understand why change control procedures are critical in the acquisition process.

8) Information Systems Maintenance Practices

- Why is change management important?
- How should emergency changes be handled?
- How do you audit for unauthorized changes?

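One concrete answer to the last two questions above is to reconcile what actually reached production against the change-control records, with a separate rule for emergency changes that are allowed to be documented after the fact. The Python below is an added example, not a procedure from the CISA Review Manual: the deploy log and change tickets are constructed, and the two-day grace period for documenting an emergency change retrospectively is an assumed policy value.

```python
"""Reconcile what was deployed to production against change-control records.

Added example, not a procedure from the CISA Review Manual. The deploy log and
change tickets are constructed; the two-day grace period for documenting an
emergency change after the fact is an assumed policy value.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class ChangeRecord:
    ticket: str
    approved_at: Optional[datetime]  # None if the ticket was never approved
    emergency: bool                  # emergency changes may be approved retrospectively


@dataclass(frozen=True)
class DeployEvent:
    system: str
    ticket: Optional[str]            # ticket quoted in the deploy log, None if absent
    deployed_at: datetime


def reconcile(deploys, records, retro_window=timedelta(days=2)):
    """Return (system, ticket, finding) for every deploy that fails the checks."""
    by_ticket = {r.ticket: r for r in records}
    findings = []
    for d in deploys:
        rec = by_ticket.get(d.ticket) if d.ticket else None
        if rec is None:
            findings.append((d.system, d.ticket, "no change record"))
        elif rec.approved_at is None:
            findings.append((d.system, d.ticket, "never approved"))
        elif not rec.emergency and rec.approved_at > d.deployed_at:
            # a normal change must be approved before it goes in
            findings.append((d.system, d.ticket, "deployed before approval"))
        elif rec.emergency and rec.approved_at > d.deployed_at + retro_window:
            # an emergency change may be approved afterwards, but within the grace period
            findings.append((d.system, d.ticket, "emergency approval outside grace period"))
    return findings


# Constructed change tickets and deploy log entries.
RECORDS = [
    ChangeRecord("CHG-100", datetime(2024, 3, 1, 9, 0), emergency=False),
    ChangeRecord("CHG-101", datetime(2024, 3, 5, 17, 0), emergency=False),
    ChangeRecord("CHG-102", datetime(2024, 3, 7, 10, 0), emergency=True),
    ChangeRecord("CHG-103", datetime(2024, 3, 20, 10, 0), emergency=True),
    ChangeRecord("CHG-104", None, emergency=False),
]
DEPLOYS = [
    DeployEvent("payroll-db", "CHG-100", datetime(2024, 3, 2, 20, 0)),    # approved first: fine
    DeployEvent("erp-app", "CHG-101", datetime(2024, 3, 4, 20, 0)),       # approved the day after
    DeployEvent("core-router", "CHG-102", datetime(2024, 3, 6, 23, 0)),   # emergency, documented next day
    DeployEvent("web-proxy", "CHG-103", datetime(2024, 3, 10, 23, 0)),    # emergency, documented 10 days later
    DeployEvent("file-server", None, datetime(2024, 3, 12, 20, 0)),       # no ticket at all
    DeployEvent("mail-gateway", "CHG-104", datetime(2024, 3, 15, 20, 0)),  # ticket raised, never approved
]


if __name__ == "__main__":
    for system, ticket, finding in reconcile(DEPLOYS, RECORDS):
        print(f"{system:<13} {ticket or '-':<8} {finding}")
```

The deploy log is the independent source here: if you only read the change tickets you see what was requested, not what was actually installed, which is why the comparison has to start from the production side.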


9) System Development Tools and Productivity Aids

- Care should be taken when using fourth-generation languages, since some of them lack the lower-level detail commands necessary to perform some of the more intense data operations.

10) Process Improvement Practices

- Document the current existing baseline processes
- A major concern of BPR is that key controls may be reengineered out of a process.
- What does ISO 9126 define?
- Why was CMM by SEI developed?
- Need SPICE?

11) Application Controls

- What are the objectives of Application Controls?
- Batch header forms are what type of control? Who uses batch anyway?
- There are two charts in this section. The first one is on Data Validation Edits and Controls and the second is on Data File Controls. You need to memorise both.

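The Data Validation Edits chart is easier to memorise once you have seen the edits applied to real input. The Python below is an added example, not the manual's chart: which edits are implemented (completeness, sequence, check digit, validity via table lookup, range, reasonableness, duplicate), the field rules, the department table and the batch of records are all constructed for illustration; the mod-10 routine is the standard Luhn check-digit algorithm.

```python
"""Data validation edits of the kind listed under application (input) controls.

Added example, not the Review Manual's chart. Which edits are implemented, the
field rules, the department table and the batch of records are all constructed
for illustration.
"""
from datetime import date

MANDATORY = ("seq", "account", "dept", "amount", "txn_date")
VALID_DEPTS = {"SALES", "OPS", "FIN"}      # table for the validity (table lookup) edit
AMOUNT_LIMIT = 100_000                      # upper bound for the range edit
AS_OF = date(2024, 6, 30)                   # assumed run date for the reasonableness edit


def check_digit_mod10(number: str) -> bool:
    """Mod-10 (Luhn) check digit: detects mistyped or transposed account digits."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def validate_batch(records):
    """Apply the edits to a batch; return {seq: [failed edits]} for failing records."""
    results = {}
    seen = set()                            # keys already processed, for the duplicate edit
    last_seq = 0
    for rec in records:
        # completeness check: every mandatory field present and non-empty
        missing = [f for f in MANDATORY if rec.get(f) in (None, "")]
        if missing:
            results[rec.get("seq")] = ["completeness:" + f for f in missing]
            if isinstance(rec.get("seq"), int):
                last_seq = rec["seq"]
            continue
        failures = []
        if rec["seq"] != last_seq + 1:                      # sequence check
            failures.append("sequence")
        last_seq = rec["seq"]
        if not check_digit_mod10(rec["account"]):           # check digit
            failures.append("check digit")
        if rec["dept"] not in VALID_DEPTS:                  # validity check (table lookup)
            failures.append("validity")
        if not 0 < rec["amount"] <= AMOUNT_LIMIT:           # range check
            failures.append("range")
        if rec["txn_date"] > AS_OF:                         # reasonableness check
            failures.append("reasonableness")
        key = (rec["account"], rec["amount"], rec["txn_date"])
        if key in seen:                                     # duplicate check
            failures.append("duplicate")
        seen.add(key)
        if failures:
            results[rec["seq"]] = failures
    return results


# Constructed batch; 79927398713 is a valid mod-10 number, 79927398710 is not.
SAMPLE_BATCH = [
    {"seq": 1, "account": "79927398713", "dept": "SALES", "amount": 250.0, "txn_date": date(2024, 5, 1)},
    {"seq": 2, "account": "79927398710", "dept": "SALES", "amount": 250.0, "txn_date": date(2024, 5, 1)},
    {"seq": 4, "account": "79927398713", "dept": "HR", "amount": 250_000.0, "txn_date": date(2025, 1, 1)},
    {"seq": 5, "account": "79927398713", "dept": "SALES", "amount": 250.0, "txn_date": date(2024, 5, 1)},
    {"seq": 6, "account": "79927398713", "dept": "", "amount": 99.0, "txn_date": date(2024, 5, 2)},
]


if __name__ == "__main__":
    for seq, failed in validate_batch(SAMPLE_BATCH).items():
        print(f"record {seq}: {', '.join(failed)}")
```

Note which edits need state beyond the record itself: the sequence and duplicate checks only work because the batch is processed as a whole, which is the link back to the batch header forms mentioned in the item above.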

12) Auditing Systems Development, Acquisition and Maintenance

- What do you do if the development group is fast-tracking IV&V? Let the project steering committee know what the risks are, of course.

CISA Syllabus – Domain 4 – Information Systems Operations, Maintenance and Support

1) Information Systems Operations

- One of the management control functions is to ensure that IS processing can recover in a timely manner from minor or major disruptions of operations.
- Know what console logs are and why they are important.
- Why is documentation important? See note #1 above.

2) Information Systems Hardware

- Multitasking, multiprocessing, multiusing, multithreading, grid computing: know the difference.
- Know the different computer roles and pay particular attention to the “Load Balancer” role.
- How do you as an auditor know that an organization is doing capacity management?

3) IS Architecture and Software

- Why do you review the software control features or parameters? To determine how it is functioning.
- Know the difference between the supervisory/administrator state and the general user state.
- What does a PC need for communication with bisync data comm on a mainframe?

4) IS Network Infrastructure

- Name five network services.
- Now name the eight network services listed in the Review Manual.
- Why is fiber optic better than copper?
- ISACA likes microwave radio systems as a test question, so read about it.
- STAR, BUS, RING, MESH. Need I say more?
- What do bridges do besides get you from one side to the other, and what OSI layer do they operate at?
- What do modems do?
- What are VPNs and why are they considered a good thing?

5) Auditing Infrastructure and Operations

- Why do you review documentation? Because it describes the “desired state.”
- Name four things you as an auditor should identify when doing a network audit.
- Now compare your list of four things with ISACA’s list in the section on auditing network infrastructure.

6) Disaster Recovery Planning

- RPO (Recovery Point Objective), or what is the acceptable data loss – the question might be, “If you have an RPO of 1 hour, what is your backup strategy?” In which case you would look for Mirroring or Real-time replication in the answer set.
- RTO (Recovery Time Objective), or what is the acceptable downtime – the question might be, “If your RTO is 1 hour, what clustering capability would you recommend?” And for this one, look for “Active-Active” in the answer set.
- Know the difference between cold site, warm site, hot site, mobile site, mirrored site and reciprocal agreements.
- Also know why reciprocal agreements really aren’t the solution for DRP.
- Know the difference between “active-active” and “active-passive” clustering and which one would be used in DRP.
- Know the difference between alternative routing and diverse routing when talking about network recovery, and also be able to define last-mile circuit protection.

CISA Syllabus – Domain 5 – Protection of Information Assets

1. CISA Details – Importance of Information Security Management

- Information Security Management is important to ensure the continued availability of information systems.
- Information Security Management is important to ensure the integrity of stored information and information in motion (in transit).
- Information Security Management is important to ensure the confidentiality of sensitive data.
- There’s the old CIA triad again (Confidentiality, Integrity, Availability)
- Key Elements in Information Security Management

2. CISA Details – Logical Access

- This is the primary means used to manage and protect information assets. Note the emphasis on PRIMARY!
- There are really only two points of entry – local and remote. How do you identify local users and their rights, and how do you identify and authenticate remote users?
- Authentication is typically categorized as something you know (password), something you have (token) and something you are (biometrics). And yes, I know RSA has been breached, but there are other token vendors out there.

3. CISA Details – Network Infrastructure Security

- You should know some of the advantages and disadvantages of virtualization.
- You need to know some of the security threats and risk mitigation techniques for wireless networking, including WEP, WPA, WPA2, authenticity, nonrepudiation, accountability and network availability
- You need to know the different firewall types (router packet filtering, application firewall systems, stateful inspection)

4. CISA Details – Auditing Information Security Management Framework

- Review the written policies, procedures and standards
- Pay particular attention to the logical access security policies
- Make sure everyone has received current security awareness training
- Why are you interested in data ownership? Because the data owner is the person who defines who can access and use their data.

5. CISA Details – Auditing Network Infrastructure Security

- Who has remote access and has it been approved? Why do vendors have unrestricted access into your network to fix a network device? Has that unrestricted access been approved by management?
- Now here’s the fun part, because as auditors you should be able to do pen testing; just make sure you’ve got approval before you start this part of the audit. HINT: PRIOR APPROVAL
- Make sure all network changes are going through change control, even emergency changes.
- Forensics comes into play here as well, so make sure you know the four major considerations in the chain of events regarding evidence (Identify, Preserve, Analyze, Present)

6. CISA Details – Physical Access Exposures and Controls

- Unauthorized entry, principle of least privilege, only if your job requires it, and no visitor shall enter unescorted. That’s it, PERIOD.
- Key focus for this area is mantraps, deadman doors, and visitor escorts.

7. CISA Details – Mobile Computing

- Hard drive encryption
- Back-ups on a regular basis
- Theft response team