CISA
Different levels of compliance:¶
- standard
- policy
- recommendation
- guideline
Standards are mandatory and must be followed to ensure compliance and consistency in audit practices. They provide specific requirements that must be met. Guidelines are suggestions that provide additional advice and best practices but are not compulsory.
Standards¶
- Definition: Mandatory requirements and practices codified into specifications that organizations must follow.
- Purpose: Ensure consistency and compliance across the organization.
Policies¶
- Definition: High-level statements of management intent, outlining what should and shouldn't be done.
- Components:
  - Management Review: Policies should be periodically reviewed by management.
  - Information Security Policy (ISP): Must be approved by senior management, documented, and communicated throughout the organization.
Procedures¶
- Definition: Documented steps to achieve policy objectives.
- Purpose: Provide detailed actions to ensure policies are implemented effectively.
Guidelines¶
- Definition: Recommendations for positive results, not mandatory.
- Purpose: Help make wise decisions and support best practices.
Comprehensive security control processes help in identifying and mitigating risks, ensuring compliance with regulations, and maintaining the integrity of financial and operational data.
When operating internationally, especially in regions like India and China, policy controls are critical. These regions have specific regulatory requirements and compliance standards that companies must adhere to.
Crossing the risk threshold means that the company is exposed to risks beyond its capacity to manage effectively. This can lead to operational disruptions, financial losses, and an inability to achieve strategic objectives.
Governance strategy is the key component that ensures stakeholder needs, conditions, and options are evaluated to determine balanced enterprise objectives. It involves setting priorities, making decisions, and monitoring performance to align with governance direction.
Audit Charter: Ask for a clear declaration of the IS auditor's authority:
- which documentation should be available,
- which IT processes should be verified or triggered: tests run, deployments, production logs...
IS Audit plan
1. Understand the organization's mission, objectives and purpose
2. Understand the organization's governance structure
3. Review prior audit work papers
4. Perform a risk analysis
   1. ISO 27001
   2. NIST SP 800-53
5. Set the audit scope and audit objectives
6. Develop the audit approach and strategy
7. Assign personnel to the audit
8. Address engagement logistics
   1. Can they enter the datacentre?
   2. How is data access guaranteed? It could be a new account made for the audit, a person present...
E-commerce requirements¶
- persisted customer data is never exposed to the internet
Electronic Data Interchange (EDI) is a standardized method for exchanging business documents and data between organizations electronically, replacing traditional paper-based methods. EDI is widely used in various industries.
Security Measures: To protect the integrity, confidentiality, and availability of the data exchanged, EDI systems implement various security measures, including:
- Encryption: Ensures that data is encrypted during transmission to prevent unauthorized access.
- Authentication: Verifies the identity of the parties involved in the transaction to ensure that data is exchanged with trusted entities.
- Access Control: Restricts access to EDI systems and data to authorized personnel only.
Collecting evidence¶
- IS organization structure review
- IS policies review
- interviewing appropriate personnel
- Observation of processes
- Reperformance
- walk-through
Computer assisted audit technologies (CAATs)¶
Data analytics tools used to evaluate the effectiveness of the control environment and of process improvements. They should operate on independent, unbiased data when running automated tests and fraud detection.
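As an added example (not part of the original notes), the Python script below is a small CAAT: it runs automated control tests over an independently extracted accounts-payable ledger. All records, the control total and the approval limit are constructed assumptions; the point is that the extract is first checked for completeness against a control total, and only then are duplicate payments, over-limit payments and segregation-of-duties violations flagged for the work papers.

```python
"""Added example: a small computer-assisted audit technique (CAAT) in Python.
Runs automated control tests over a constructed accounts-payable extract."""
from collections import defaultdict

# Constructed sample extract. In practice the auditor pulls this directly
# from the source system rather than accepting a file from the process owner.
LEDGER = [
    {"id": "P1", "vendor": "ACME",    "invoice": "INV-100", "amount": 9800.00,  "created_by": "alice", "approved_by": "bob"},
    {"id": "P2", "vendor": "ACME",    "invoice": "INV-100", "amount": 9800.00,  "created_by": "alice", "approved_by": "bob"},    # duplicate of P1
    {"id": "P3", "vendor": "Globex",  "invoice": "INV-200", "amount": 15000.00, "created_by": "carol", "approved_by": "carol"},  # self-approved and over limit
    {"id": "P4", "vendor": "Initech", "invoice": "INV-300", "amount": 120.50,   "created_by": "dave",  "approved_by": "bob"},
    {"id": "P5", "vendor": "Globex",  "invoice": "INV-201", "amount": 4999.99,  "created_by": "carol", "approved_by": "erin"},
]
APPROVAL_LIMIT = 10000.00  # hypothetical policy limit above which a second approver is required


def verify_control_total(ledger, expected_total):
    """Completeness check: the extract's sum must match the control total
    reported by the source system, otherwise the tests run on partial data."""
    return round(sum(r["amount"] for r in ledger), 2) == round(expected_total, 2)


def find_duplicate_payments(ledger):
    """Groups of payment ids with identical vendor, invoice number and amount."""
    groups = defaultdict(list)
    for r in ledger:
        groups[(r["vendor"], r["invoice"], round(r["amount"], 2))].append(r["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def find_over_limit(ledger, limit=APPROVAL_LIMIT):
    """Payments exceeding the single-approver limit."""
    return [r["id"] for r in ledger if r["amount"] > limit]


def find_sod_violations(ledger):
    """Segregation of duties: the creator of a payment must not be its approver."""
    return [r["id"] for r in ledger if r["created_by"] == r["approved_by"]]


def run_caat(ledger, control_total):
    """Run every automated test and return an exceptions report for the work papers."""
    if not verify_control_total(ledger, control_total):
        raise ValueError("extract incomplete: control total mismatch")
    return {
        "duplicates": find_duplicate_payments(ledger),
        "over_limit": find_over_limit(ledger),
        "sod_violations": find_sod_violations(ledger),
    }


if __name__ == "__main__":
    # 39720.49 is the constructed control total reported by the source system.
    for test, exceptions in run_caat(LEDGER, 39720.49).items():
        print(f"{test}: {exceptions}")
```

Each test is a separate function so that an exception list can be traced back to a single control, and the script refuses to run when the extract does not reconcile to the control total, which is what keeps the analysis independent of whatever subset the auditee might have provided.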
Exit interviews¶
- resolution recommendations with suggested implementation dates
- auditor reservations where policies and procedures are not effective at remediating the control weaknesses
What is Governance?¶
- Definition: Governance is the way an organization directs and controls its operations to meet strategic objectives.
- Components: Includes policies, procedures, controls, practices, and guidelines.
- Ethical Issues and Decision-Making: Governance ensures ethical practices and guides decision-making processes.
Enterprise Governance of IT (EGIT)¶
- Responsibility: Managed by the board of directors and executive management.
- Frameworks: Commonly uses frameworks like COBIT 2019 to establish governance structures.
- Key Elements:
  - IT Resource Management: Efficient use of IT resources.
  - Performance Measurement: Evaluating how well IT functions perform.
  - Compliance Management: Ensuring adherence to regulatory requirements.
Governance vs. Management¶
- Governance: Focuses on setting objectives, evaluating stakeholder needs, and aligning IT with business goals.
- Management: Involves planning, building, running, and monitoring activities in alignment with governance directions.
Purpose of EGIT¶
- Value Delivery: Ensures IT delivers value to the business.
- Risk Management: Helps manage risks associated with IT and information systems.
Information Security Governance (ISG)¶
- Responsibility: Board of directors and CEO are accountable for ISG.
- Alignment: ISG must align with business objectives and comply with applicable laws and regulations.
- Roles and Responsibilities: Clear definition of roles, with senior management creating and approving security policies.
- NIST: According to NIST, ISG is the process of establishing and maintaining a framework that ensures security in information systems.
Organizational Structure¶
- Decision-Making: The structure of an organization determines who makes decisions and who provides advice. It influences how governance is implemented and how policies are enforced.
- Types of Structures:
  - Hierarchical: Traditional organizations with many layers of management. Often found in older companies.
  - Flat: Modern organizations, especially in tech, with fewer layers and more peer-based control.
IT Governance Committees¶
- IT Strategy Committee:
  - Role: Provides insight, advice, and guidance on IT development and alignment with business objectives.
  - Responsibilities:
    - Assessing the relevance of new IT developments.
    - Ensuring IT aligns with business direction.
    - Evaluating the availability of IT resources.
    - Considering the risks and competitive aspects of IT investments.
- IT Steering Committee:
  - Role: Makes decisions on IT spending and project approvals.
  - Responsibilities:
    - Deciding the level of IT spending.
    - Approving project plans and budgets.
    - Monitoring project progress and value delivery.
    - Communicating strategic goals to project teams.
    - Assisting executive management in delivering IT strategy.
Organizational structures play a crucial role in how effectively an organization can govern its IT operations. In hierarchical structures, decision-making is often slower due to multiple layers of approval, but it can provide clear lines of authority and accountability. In contrast, flat structures promote faster decision-making and greater flexibility, which is beneficial for innovation and rapid response to market changes.
Enterprise Architecture and Risk Management¶
- Enterprise Architecture: Structured documentation of an organization's assets and their interactions.
- Risk Appetite: The maximum amount of risk an organization is willing to accept to maintain its capabilities.
- Risk Threshold: Occasional higher risk levels allowed for specific opportunities. Risk threshold refers to the point at which the level of risk becomes unacceptable, prompting the organization to take action to mitigate or manage the risk.
- Risk Capacity: The absolute limit of risk an organization can handle without severe consequences.
Risk Management Process¶
- Identification: Recognizing potential risks to organizational assets.
- Analysis: Evaluating the probability and impact of risks using qualitative, semi-quantitative, and quantitative methods.
- Planning: Developing strategies to respond to identified risks.
- Response: Implementing and monitoring risk responses.
Levels of Risk Management¶
- Operational Level: Day-to-day risks affecting routine operations.
- Project Level: Risks associated with specific projects or initiatives.
- Strategic Level: High-level risks impacting the overall direction and long-term goals of the organization.
Cost-Effective Balance¶
- Control Implementations vs. Risk Acceptance: Ensuring that the cost of risk mitigation measures is justified by the potential impact of the risks.
Information Systems Maturity Models¶
Purpose of Maturity Models¶
- Assessment: Maturity models help assess the quality and effectiveness of an organization's information security processes.
- Improvement: They provide a framework for continuous improvement by identifying areas that need enhancement.
Types of Maturity Models¶
Maturity models like CMMI and IDEAL provide a structured approach to evaluating and improving organizational processes, helping identify areas for enhancement and promoting continuous improvement.
- Capability Maturity Model Integration (CMMI): Developed by Carnegie Mellon and managed by ISACA, CMMI is widely used to evaluate and improve processes.
- IDEAL Model: Stands for Initiating, Diagnosing, Establishing, Acting, and Learning. It provides a structured approach to process improvement.
CMMI Levels¶
Also known as: Initial, Repeatable, Defined, Managed, Optimizing (the level names of the original CMM).
1. Level 1 - Initial: Processes are unpredictable and poorly controlled.
2. Level 2 - Managed: Basic project management processes are established.
3. Level 3 - Defined: Processes are well-documented and standardized.
4. Level 4 - Quantitatively Managed: Processes are measured and controlled.
5. Level 5 - Optimizing: Focus on continuous process improvement.
Information Systems Governance, Risk, and Compliance (GRC)¶
Governance¶
- Definition: Governance involves setting policies, procedures, and controls to guide organizational operations.
- Responsibility: Senior management, board of directors, and executives are accountable for governance.
- Components: Includes internal audits, compliance programs, and operational risk management.
Risk¶
- Definition: Risk management identifies, analyzes, and responds to potential threats to organizational assets.
- Process: Involves risk identification, analysis, planning, and response.
- Levels: Operational, project, and strategic levels of risk management.
Compliance¶
- Definition: Compliance ensures adherence to laws, regulations, and standards.
- Activities: Includes monitoring, auditing, and enforcing policies and procedures.
- Importance: Compliance is crucial for maintaining legal and regulatory standards.
Governance, Risk, and Compliance (GRC) are three interconnected and overlapping activities essential for effective information systems management.
Governance sets the direction and control mechanisms for the organization, ensuring that policies and procedures are in place and followed. This includes internal audits to verify compliance and operational risk management to address potential threats.
Risk management is the process of identifying, analyzing, and responding to risks that could impact the organization's assets and operations. It operates at different levels, from day-to-day operational risks to strategic risks that affect long-term goals.
Compliance ensures that the organization adheres to relevant laws, regulations, and standards. This involves continuous monitoring and auditing to enforce policies and procedures, ensuring that the organization remains within legal and regulatory boundaries.
Quality Assurance (QA) is concerned with the processes and methodologies used to prevent defects in the development of information systems. Quality Control (QC), on the other hand, involves the identification and correction of defects in the final product.
Effective cloud governance involves ensuring compliance with regulatory requirements, establishing clear policies for cloud usage, and implementing robust access control mechanisms to protect data and resources.
Managing third-party services requires clear contractual obligations to define expectations and responsibilities, governance to oversee the relationship and ensure alignment with organizational goals, and internal audit reports to monitor performance and compliance.
Financial auditing in information systems involves ensuring compliance with accounting standards and implementing chargeback models to allocate costs appropriately within the organization.
Effective human resource management in information systems auditing includes policies and procedures for recruiting qualified personnel, providing ongoing training, managing hiring processes, and handling termination when necessary.
Which of the following are key components of executing and monitoring in project management?
- Information radiators
- Work performance data
- Scope management
These components are essential for tracking progress, managing scope, and ensuring that the project stays on schedule. Information radiators provide visual updates, work performance data tracks progress, scope management ensures the project stays within defined boundaries, the work breakdown structure organizes tasks, and the critical path method identifies the sequence of crucial tasks.
A feasibility study assesses the viability of a project by analyzing potential risks, ensuring compliance with regulatory requirements, and managing stakeholder expectations. These components help determine whether the project is practical and worth pursuing.
Fourth Generation Languages (4GL) are designed to be more user-friendly and efficient for system development. Workbench concepts enhance their utility by providing integrated development environments that streamline coding, testing, and deployment processes. Examples: SAS, SQL, ABAP, MATLAB.
Decision support system¶
- Efficiency and Speed: By automating data collection and analysis, DSS increase the speed and efficiency of decision-making processes
- Risk Management: DSS help in identifying, assessing, and mitigating risks by providing comprehensive data analysis and predictive modeling
- Resource Optimization: They assist in optimizing the use of resources by analyzing various scenarios and their potential outcomes
- Strategic Planning: DSS support long-term strategic planning by providing insights into trends, patterns, and future projections
Well-Known Examples of DSS
1. IBM Watson: An AI-powered DSS that helps in various fields, including healthcare, finance, and customer service. Watson analyzes vast amounts of data to provide insights and recommendations, enhancing decision-making processes.
2. SAP BusinessObjects: A suite of business intelligence tools that provide comprehensive data analysis, reporting, and visualization capabilities. It helps organizations make data-driven decisions by offering insights into business operations and performance.
Proper organizational change management is crucial to address DSS implementation challenges. Ensuring data consistency is important but not the most significant challenge in implementing DSS.
Organization structures¶
Projectized Organization¶
- Structure: Organized entirely around projects. Teams are formed specifically for projects and disbanded after completion.
- Authority: Project managers have full authority over the project and its resources.
Functional Organization¶
- Structure: Divided into departments based on functions such as IT, finance, marketing, etc.
- Authority: Functional managers have the highest authority. Project managers have limited or no authority.
Matrix Organization¶
- Structure: A blend of functional and projectized structures. Employees report to both functional and project managers.
- Authority: Shared between functional and project managers. The balance of power can vary:
  - Strong Matrix: Project manager has more authority.
  - Weak Matrix: Functional manager has more authority.
  - Balanced Matrix: Authority is shared equally.
Testing Methodologies¶
1. Importance of Testing¶
Role of Auditors: Verify that appropriate testing is conducted as part of control measures.
2. Types of Testing¶
- Unit Testing: Tests individual pieces of code during development (e.g., during sprints in a Scrum environment).
- Integration Testing: Ensures that combined code from different developers works together without issues.
- System Testing: Tests the entire system as a whole to ensure it functions correctly.
- Quality Assurance Testing (QAT): Verifies that all requirements are met before final acceptance.
- User Acceptance Testing (UAT): Ensures that the system meets user expectations and requirements.
3. Testing Classifications¶
- White Box Testing: Involves understanding the internal logic of the software and testing its procedural accuracy.
- Black Box Testing: Focuses on the functional effectiveness of the system without considering its internal structure.
- Regression Testing: Re-runs tests to ensure that changes or corrections have not introduced new errors.
- Alpha and Beta Testing:
  - Alpha: Conducted by internal users to identify initial issues.
  - Beta: Conducted by a limited number of external users to identify any remaining issues before final release.
- Parallel Testing: Compares the performance of a new system with the original system to ensure consistency and meet user requirements.
4. Testing Approaches¶
- Bottom-Up Testing: Starts with small unit tests and progresses to larger system tests.
- Top-Down Testing: Begins with large system tests and works down to smaller unit tests.
5. Post-Testing Activities¶
- Reporting: Test results should be reported to relevant stakeholders (e.g., project managers).
- Issue Resolution: Address any issues identified during testing to ensure the final product meets quality standards.
Changeover Techniques¶
1. Importance of Changeover¶
- Purpose: Transitioning users from one system or application to another, ensuring minimal disruption and maintaining data integrity.
- Planning: Changeover must be planned and monitored to avoid loss of productivity and data compliance issues (e.g., GDPR, HIPAA).
2. Types of Changeover Techniques¶
- Parallel Changeover:
  - Description: Both old and new systems run simultaneously. Users can access both until they are comfortable with the new system.
  - Advantages: Reduces risk by allowing fallback to the old system if issues arise.
  - Disadvantages: Resource-intensive, requiring support and payment for both systems.
- Phased Changeover:
  - Description: The old system is replaced module by module. Each module is tested and users are transitioned gradually.
  - Advantages: Reduces risk by allowing gradual transition and testing of each module.
  - Disadvantages: Extends project duration and can disrupt change management due to overlapping old and new modules.
- Abrupt Changeover:
  - Description: The new system is brought online and all users are migrated at once, often within a short period (e.g., 24-48 hours).
  - Advantages: Quick transition, useful when immediate change is necessary (e.g., ending licensing agreements).
  - Disadvantages: High risk of data integrity issues, missing records, and asset safeguarding concerns.
IT Asset Management¶
An asset is anything tangible or intangible the company uses to create a product or a service:
- Capability
- Resource
Assets have to be identified in an inventory first in order to be protected.
Main backend devices:¶
- Supercomputers
- mainframes
- high range servers
- desktop/laptop endpoint devices
- thin clients
USB/RFID¶
Risks:
- theft of data / badge skimmers
- malware injection
- data corruption
Controls:
- data encryption
- locked desktop
- personnel training
Data Governance¶
- Data Quality and Lifecycle
- Operating systems
- Source code management
- Incident management
Data Quality¶
- Intrinsic
  - Accuracy (reliable)
  - Objectivity
  - Believability
  - Reputation
- Contextual
  - Currency
  - Interpretability
  - Relevancy
  - Completeness
  - Amount
- Security/accessibility
  - Availability
  - Restricted access (confidentiality)
Data Lifecycle¶
The data lifecycle encompasses the stages through which data progresses within an organization:
- Plan: Establish data governance policies, define data requirements, and plan for data acquisition.
- Design: Develop data models, structures, and storage solutions aligning with business objectives.
- Build: Implement data systems, ensuring integration with existing infrastructure and adherence to security protocols.
- Use: Access and utilize data for operational and analytical purposes, maintaining data quality and integrity.
- Monitor: Continuously oversee data usage, performance, and compliance with policies.
- Dispose: Securely delete or archive data that is no longer needed, in accordance with retention policies.
Incident Management¶
Effective incident management involves a structured approach:
- Identification: Detect and acknowledge potential security incidents through monitoring and reporting mechanisms.
- Categorization: Classify incidents based on severity, impact, and type to prioritize response efforts.
- Resolution: Implement appropriate measures to contain, eradicate, and recover from the incident, followed by post-incident analysis.
CISA professionals must evaluate an organization's incident management processes, ensuring they are robust, well-documented, and capable of effectively handling security events.
Release and Patch Management¶
This area focuses on the systematic deployment of software updates:
- Release Management: Oversee the planning, scheduling, and control of software builds through different stages and environments.
- Patch Management: Identify, acquire, test, and install patches to fix vulnerabilities and improve system functionality.
For CISA certification, auditors must assess whether organizations have effective release and patch management policies that minimize risks associated with software vulnerabilities.
Business Impact Analysis (BIA)¶
BIA is a process that helps organizations:
- Identify critical business functions and the resources that support them.
- Evaluate the potential impact of disruptions on these functions.
- Determine recovery priorities and strategies.
CISA candidates should understand how to assess the adequacy of BIA processes, ensuring they effectively inform disaster recovery and business continuity planning.
System Resiliency¶
System resiliency refers to the ability of an information system to withstand and recover from disruptions. Key concepts include:
- Recovery Point Objective (RPO): The maximum tolerable period in which data might be lost due to a major incident.
- Recovery Time Objective (RTO): The targeted duration of time within which a business process must be restored after a disruption.
- Active-Passive Configuration: A setup where the secondary system remains idle until the primary system fails.
- Active-Active Configuration: Both systems run concurrently, providing load balancing and high availability.
Information Systems Operations and Business Resiliency¶
General Overview: Information Systems Operations and Business Resiliency encompass the strategies and practices that ensure IT systems support business objectives and can withstand disruptions. This includes robust infrastructure, effective incident response, and continuous improvement processes.
CISA Relevance: CISA professionals evaluate the alignment of IT operations with business resiliency goals, ensuring that systems are reliable, secure, and capable of supporting critical functions during adverse events.
Resource: Information Systems Operations and Business Resiliency - ACI Learning
Backups, Storage, and Restoration¶
General Overview: Effective backup strategies are crucial for data integrity and business continuity. Implementing the 3-2-1 backup rule (three copies of data, on two different media, with one copy off-site) ensures resilience against data loss. Regular testing of backups is essential to confirm data can be restored when needed.
- Full
- Incremental
- Differential
- Rotation of media
Resource: Backup & Recovery Trends 2025 - Unitrends
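As an added example (not part of the original notes), the Python simulator below ties the backup types listed above to the RPO and RTO concepts from the System Resiliency section: it builds a weekly schedule (one full backup, then daily incremental or differential backups), works out which backup sets a restore needs after a constructed Friday-afternoon failure, derives the actual data-loss window, and compares both against RPO and RTO targets. It also checks a set of copies against the 3-2-1 rule. The schedule, the per-set restore durations and the targets are all assumptions.

```python
"""Added example: backup-chain simulator relating full/incremental/differential
schedules to restore effort, RPO and RTO, plus a 3-2-1 rule check."""
from datetime import datetime, timedelta

# Assumed restore time per backup set, in minutes.
RESTORE_MINUTES = {"full": 120, "incremental": 15, "differential": 45}

SUNDAY = datetime(2025, 1, 5, 22, 0)     # constructed: weekly full backup at 22:00
FAILURE = datetime(2025, 1, 10, 14, 0)   # constructed: outage on Friday afternoon


def weekly_schedule(first_full, strategy, days=7):
    """A full backup on day 0, then one backup per day of the given strategy."""
    return [("full", first_full)] + [
        (strategy, first_full + timedelta(days=d)) for d in range(1, days)
    ]


def restore_chain(events, failure_time):
    """Backup sets needed to rebuild the state as of the last backup before the failure.

    Incremental: the last full plus every incremental taken after it.
    Differential: the last full plus only the most recent differential.
    """
    usable = [e for e in events if e[1] <= failure_time]
    if not usable:
        raise ValueError("no backup completed before the failure")
    last_full = max(i for i, (kind, _) in enumerate(usable) if kind == "full")
    since_full = usable[last_full + 1:]
    if not since_full:
        return [usable[last_full]]
    if since_full[-1][0] == "differential":
        return [usable[last_full], since_full[-1]]
    return [usable[last_full]] + since_full


def actual_rpo(events, failure_time):
    """Data-loss window: time between the last completed backup and the failure."""
    last_backup = max(t for _, t in events if t <= failure_time)
    return failure_time - last_backup


def evaluate(events, failure_time, rpo_target, rto_target, restore_minutes=RESTORE_MINUTES):
    """Compare one scenario against the objectives and return the findings."""
    chain = restore_chain(events, failure_time)
    restore_time = timedelta(minutes=sum(restore_minutes[kind] for kind, _ in chain))
    rpo = actual_rpo(events, failure_time)
    return {
        "sets_to_restore": len(chain),
        "restore_time": restore_time,
        "rpo": rpo,
        "rpo_met": rpo <= rpo_target,
        "rto_met": restore_time <= rto_target,
    }


def scenario(rpo_hours=24, rto_hours=4):
    """Evaluate both daily strategies for the constructed outage."""
    return {
        strategy: evaluate(weekly_schedule(SUNDAY, strategy), FAILURE,
                           timedelta(hours=rpo_hours), timedelta(hours=rto_hours))
        for strategy in ("incremental", "differential")
    }


def meets_3_2_1(copies):
    """3-2-1 rule: at least 3 copies, on at least 2 media types, at least 1 off-site.
    Each copy is a (media, offsite) pair, e.g. ("disk", False)."""
    media = {m for m, _ in copies}
    offsite = any(off for _, off in copies)
    return len(copies) >= 3 and len(media) >= 2 and offsite


if __name__ == "__main__":
    for strategy, result in scenario().items():
        print(strategy, result)
    print("3-2-1:", meets_3_2_1([("disk", False), ("tape", False), ("cloud", True)]))
```

With the assumed figures, both strategies lose the same 16 hours of data (the RPO depends only on when the last backup completed), but the incremental chain needs five sets to restore where the differential chain needs two; that trade-off between nightly backup size and restore effort is what a restoration test should surface before an outage does.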
Business Continuity Management (BCM)¶
General Overview: Business Continuity Management (BCM) involves preparing for potential disruptions to maintain critical business functions. It encompasses risk assessments, business impact analyses, and the development of strategies to ensure operational resilience.
Resource: 2025 Trends in Continuity and Resilience - Fusion Risk Management
The Business Continuity Plan (BCP)¶
General Overview: A Business Continuity Plan (BCP) outlines procedures and resources required to maintain business operations during unforeseen events. It includes identifying critical functions, assigning responsibilities, and establishing communication protocols.
- BCP starts with a risk assessment
- Needs an inventory of critical operations and of the human and material resources they require
Resource: 20 Essential Elements Of A Robust Business Continuity Plan - Forbes
Testing the BCP¶
General Overview: Regular testing of the BCP is vital to validate its effectiveness. Testing methods include tabletop exercises, simulations, and full-scale drills, which help identify gaps and areas for improvement.
Resource: 6 Business Continuity Plan Testing Best Practices - Noggin
Disaster Recovery Plans (DRP)¶
General Overview: Disaster Recovery Plans (DRPs) focus on restoring IT systems and data after a disruption. Key components include defining Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), and establishing recovery procedures.
Resource: How to Write a Disaster Recovery Plan in 2025: Template + Examples - Secureframe
Testing the DRP¶
General Overview: Testing the DRP involves simulating disaster scenarios to evaluate the effectiveness of recovery procedures. Regular testing helps identify weaknesses and ensures that recovery objectives can be met.
Resource: Disaster Recovery Testing: What It Is, How It Works and Where To Start - Warren Averett