
CISA Certified Information Systems Auditor Study Guide
Description
Prepare for success on the 2024 CISA exam and further your career in security and audit with this effective study guide
The CISA Certified Information Systems Auditor Study Guide: Covers 2024-2029 Exam Objectives provides comprehensive and accessible test preparation material for the updated CISA exam, which now consists of 150 questions testing knowledge and ability on real-life job practices leveraged by expert professionals.
You'll efficiently and effectively prepare for the exam with online practice tests and flashcards as well as a digital glossary. The concise and easy-to-follow instruction contained in the 2024-2029 CISA Study Guide covers every aspect of the exam. This study guide helps readers prepare for questions across the five domains on the test: Information System Auditing Process; Governance and Management of IT; Information Systems Acquisition, Development, and Implementation; Information Systems Operation and Business Resilience; and Protection of Information Assets.
This study guide shows readers how to:
- Understand principles, best practices, and pitfalls of cybersecurity, which is now prevalent in virtually every information systems role
- Protect and control information systems and offer conclusions on the state of an organization's IS/IT security, risk, and control solutions
- Identify critical issues and recommend enterprise-specific practices to support and safeguard the governance of information and related technologies
- Prove not only competency in IT controls, but also an understanding of how IT relates to business
- Includes 1 year free access to the Sybex online learning center, with chapter review questions, full-length practice exams, hundreds of electronic flashcards, and a glossary of key terms, all supported by Wiley's support agents who are available 24x7 via email or live chat to assist with access and login questions
The CISA Certified Systems Auditor Study Guide: Covers 2024-2029 Exam Objectives is an essential learning resource for all students and professionals preparing for the 2024 version of the CISA exam from ISACA.
Persons
ABOUT THE AUTHORS
PETER H. GREGORY, CISA, CISSP, is a career technologist and cybersecurity leader. He is the Senior Director of GRC at GCI Communications, where he leads security policy, control frameworks, business continuity, third-party risk management, privacy, information and AI governance, and law enforcement wiretaps.
MIKE CHAPPLE, PhD, CISA, CISSP, is a teaching professor of IT, analytics, and operations at the University of Notre Dame. He is a cybersecurity professional and educator with over 25 years' experience, including as chief information officer of Brand Institute and as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is the author of more than 200 books and video courses and provides cybersecurity certification resources at CertMike.com.
Content
- Introduction xxiii
- Assessment Test xxxv
- Chapter 1 IT Governance and Management 1
  - IT Governance Practices for Executives and Boards of Directors 3
  - IT Strategic Planning 10
  - Policies, Processes, Procedures, and Standards 12
  - Risk Management 23
  - IT Management Practices 39
  - Organization Structure and Responsibilities 62
  - Maintaining an Existing Program 72
  - Auditing IT Governance 75
  - Summary 80
  - Exam Essentials 81
  - Review Questions 83
- Chapter 2 The Audit Process 87
  - Audit Management 89
  - ISACA Auditing Standards 99
  - Risk Analysis 108
  - Controls 115
  - Performing an Audit 121
  - Control Self-Assessment 144
  - Implementation of Audit Recommendations 147
  - Audit Quality Assurance 148
  - Summary 148
  - Exam Essentials 150
  - Review Questions 152
- Chapter 3 IT Life Cycle Management 157
  - Benefits Realization 159
  - Project Management 165
  - Systems Development Methodologies 191
  - Infrastructure Development and Deployment 230
  - Maintaining Information Systems 234
  - Business Processes 237
  - Managing Third Parties 244
  - Application Controls 247
  - Auditing the Systems Development Life Cycle 253
  - Auditing Business Controls 258
  - Auditing Application Controls 258
  - Auditing Third-Party Risk Management 261
  - Summary 262
  - Exam Essentials 264
  - Review Questions 266
- Chapter 4 IT Service Management 271
  - Information Systems Operations 273
  - Systems Performance Management 274
  - Problem and Incident Management 277
  - Change, Configuration, Release, and Patch Management 279
  - Operational Log Management 286
  - IT Service Level Management 288
  - Database Management Systems 290
  - Data Management and Governance 294
  - Other IT Service Management Topics 295
  - Auditing IT Service Management and Operations 297
  - Summary 301
  - Exam Essentials 302
  - Review Questions 304
- Chapter 5 IT Infrastructure 309
  - Information Systems Hardware 310
  - Information Systems Architecture and Software 324
  - Network Infrastructure 330
  - Asset Inventory and Classification 386
  - Job Scheduling and Production Process Automation 390
  - System Interfaces 391
  - End-User Computing 392
  - Auditing IT Infrastructure 393
  - Summary 398
  - Exam Essentials 399
  - Review Questions 401
- Chapter 6 Business Continuity and Disaster Recovery 405
  - Business Resilience 406
  - Incident Response Communications 473
  - Auditing Business Continuity Planning 475
  - Auditing Disaster Recovery Planning 479
  - Summary 484
  - Exam Essentials 485
  - Review Questions 487
- Chapter 7 Information Security Management 491
  - Information Security 493
  - Role of the Information Security Manager 494
  - Information Security Risks 497
  - Building an Information Security Strategy 501
  - Implementing Security Controls 505
  - Endpoint Security 507
  - Network Security Controls 511
  - Cloud Computing Security 519
  - Cryptography 528
  - Exploring Cybersecurity Threats 539
  - Privacy 545
  - Security Awareness and Training 548
  - Security Incident Response 550
  - Auditing Information Security Controls 554
  - Summary 559
  - Exam Essentials 560
  - Review Questions 563
- Chapter 8 Identity and Access Management 567
  - Logical Access Controls 568
  - Third-party Access Management 587
  - Environmental Controls 592
  - Physical Security Controls 599
  - Human Resources Security 602
  - Auditing Access Controls 606
  - Summary 616
  - Exam Essentials 617
  - Review Questions 619
- Chapter 9 Conducting a Professional Audit 623
  - Understanding the Audit Cycle 624
  - How the IS Audit Cycle Is Discussed 625
  - Overview of the IS Audit Cycle 627
  - Summary 699
- Appendix A Popular Methodologies, Frameworks, and Guidance 701
  - Common Terms and Concepts 702
  - Frameworks, Methodologies, and Guidance 710
  - Notes 738
  - References 738
- Appendix B Answers to Review Questions 741
  - Chapter 1: IT Governance and Management 742
  - Chapter 2: The Audit Process 744
  - Chapter 3: IT Life Cycle Management 746
  - Chapter 4: IT Service Management 748
  - Chapter 5: IT Infrastructure 749
  - Chapter 6: Business Continuity and Disaster Recovery 750
  - Chapter 7: Information Security Management 752
  - Chapter 8: Identity and Access Management 754
- Index 759
Introduction
Congratulations on choosing to become a Certified Information Systems Auditor (CISA). Whether you have worked for several years in the field of information systems auditing or have just recently been introduced to the world of controls, assurance, and security, don't underestimate the hard work and dedication required to obtain and maintain CISA certification. Although ambition and motivation are essential, the rewards of being CISA certified can far exceed the effort.
You probably never imagined you would find yourself working in the world of auditing or looking to obtain a professional auditing certification. Perhaps the increase in legislative or regulatory requirements for information system security led to your introduction to this field. Or possibly you noticed that CISA-related career options are increasing exponentially and you have decided to get ahead of the curve. You aren't alone; since the inception of CISA certification in 1978, more than 200,000 professionals worldwide reached the same conclusion and have earned this well-respected certification. Welcome to the journey and the amazing opportunities that await you.
We have put together this information to help you understand the commitment needed, prepare for the exam, and maintain your certification. Not only is it our wish that you prepare for and pass the exam with flying colors, but we also provide you with the information and resources to maintain your certification and to represent yourself and the professional world of information system (IS) auditing proudly with your new credentials.
ISACA (formerly known as the Information Systems Audit and Control Association) is a recognized leader in the areas of control, assurance, and IT governance. Formed in 1967, this nonprofit organization represents more than 180,000 professionals in more than 188 countries. ISACA administers several exam certifications, including:
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Data Privacy Solutions Engineer (CDPSE)
- Certified in Governance of Enterprise IT (CGEIT)
- Certified Cybersecurity Operations Analyst (CCOA)
The certification program has been accredited under ISO/IEC 17024:2012, which means that ISACA's procedures for accreditation meet international requirements for quality, continuous improvement, and accountability.
If you're new to ISACA, we recommend that you tour the organization's website (www.isaca.org) and become familiar with the guides and resources available. In addition, if you're near one of the 225 local ISACA chapters in 99 countries worldwide, consider reaching out to the chapter board for information on local meetings, training days, conferences, or study sessions. You may be able to meet other IS auditors who can give you additional insight into the CISA certification and the audit profession.
Established in 1978, the CISA certification primarily focuses on audit, controls, assurance, and security. It certifies the individual's knowledge of testing and documenting IS controls and their ability to conduct formal IS audits. Organizations seek qualified personnel for assistance with developing and maintaining strong control environments. A CISA-certified individual is a great candidate for these positions.
If you're preparing to take the CISA exam, you'll undoubtedly want to find as much information as you can about information systems and auditing. The more information you have at your disposal, the better off you'll be when attempting the exam. This study guide was written with that in mind. The goal was to provide enough information to prepare you for the test, but not so much that you'll be overloaded with information that's outside the scope of the exam.
This book presents the material at an intermediate technical level. Experience with and knowledge of security and auditing concepts will help you get a full understanding of the challenges you'll face as an information systems auditor.
We've included review questions at the end of each chapter to give you a taste of what it's like to take the exam. We recommend that you check out these questions first to gauge your level of expertise. You can then use the book mainly to fill in the gaps in your current knowledge. This study guide will help you round out your knowledge base before tackling the exam.
If you can answer 80 percent or more of the review questions correctly for a given chapter, you can feel safe moving on to the next chapter. If you're unable to answer that many correctly, reread the chapter and try the questions again. Your score should improve.
Don't just study the questions and answers! The questions on the actual exam will be different from the practice questions included in this book. The exam is designed to test your knowledge of a concept or objective, so use this book to learn the objectives behind the questions.
The CISA Exam
The CISA exam is designed to be a vendor-neutral certification for information systems auditors. ISACA recommends this certification for those who already have experience in auditing and want to demonstrate that experience to current and future employers.
The exam covers five major domains:
- Information Systems Auditing Process
- Governance and Management of IT
- Information Systems Acquisition, Development and Implementation
- Information Systems Operations and Business Resilience
- Protection of Information Assets
These five areas include a range of topics, from enterprise risk management to evaluating cybersecurity controls. They focus heavily on scenario-based learning and the role of the information systems auditor in various scenarios. There's a lot of information that you'll need to learn, but you'll be well rewarded for possessing this credential. ISACA reports that the average salary of CISA credential holders is over $145,000.
The CISA exam includes only standard multiple-choice questions. Each question has four possible answer choices and only one of those answer choices is the correct answer. When you're taking the test, you'll likely find some questions where you think multiple answers might be correct. In those cases, remember that you're looking for the best possible answer to the question!
The exam costs $575 for ISACA members and $760 for non-members. More details about the CISA exam and how to take it can be found at:
www.isaca.org/credentialing/cisa
You'll have four hours to take the exam and will be asked to answer 150 questions during that time period. Your exam will be scored on a scale ranging from 200 to 800, with a passing score of 450.
ISACA frequently does what is called item seeding, which is the practice of including unscored questions on exams. It does so to gather psychometric data, which is then used when developing new versions of the exam. Before you take the exam, you will be told that your exam may include these unscored questions. So, if you come across a question that does not appear to map to any of the exam objectives (or, for that matter, does not appear to belong in the exam at all), it is likely a seeded question. You never really know whether a question is seeded, however, so always make your best effort to answer every question.
Taking the Exam
Once you are fully prepared to take the exam, you can visit the ISACA website to register. Currently, ISACA offers two options for taking the exam: an in-person exam at a testing center and an at-home exam that you take on your own computer through a remote proctoring service.
In-Person Exams
ISACA partners with PSI Exams testing centers, so your next step will be to locate a testing center near you. In the United States, you can do this based on your address or your zip code, while non-U.S. test takers may find it easier to enter their city and country. You can search for a test center near you at the PSI Exams website:
https://home.psiexams.com/#/test-center?p=Z97SE74H
Now that you know where you'd like to take the exam, simply set up a PSI testing account and schedule an exam on their site.
On the day of the test, bring a government-issued identification card or passport that contains your full name (exactly matching the name on your exam registration), your signature, and your photograph. Make sure to show up with plenty of time before the exam starts. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials in with you.
At-Home Exams
ISACA also offers online exam proctoring. Candidates using this approach will take the exam at their home or office and be proctored over a webcam by a remote proctor.
Due to the rapidly changing nature of the at-home testing experience, candidates wishing to pursue this option should check the ISACA website for the latest details.
After the CISA Exam
Once you have taken the exam, you will be notified of your score immediately, so you'll know if you passed the test right away. You should keep track of your score report with your exam registration records and the email address you used to register for the exam.
Meeting the...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books, i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our ebook Help page.