Certified Information Systems Auditor (CISA)

ISACA issues this certification to professionals responsible for ensuring that an organization's IT and business systems are monitored, managed and protected. It is awarded after the candidate passes the exam and completes ISACA's application process. It is intended for IT auditors, audit managers, consultants and security professionals.

The primary duties of a CISA include:

  • Implementing a risk-based IT audit strategy.
  • Planning audits to determine whether IT assets are protected, managed and delivering value.
  • Executing audits in compliance with the organization's standards and objectives.
  • Reporting audit results and recommendations to management.
  • Re-examining completed audits to confirm that management has implemented the recommended actions.
  • Evaluating IT portfolio and resource management.
  • Evaluating business continuity and disaster recovery strategies.
  • Evaluating IT policies, standards, processes and procedures within the organization.
  • Evaluating the management and monitoring of IT personnel, the IT organizational structure and controls.

The exam is four hours long and consists of 150 multiple-choice questions covering five job practice domains:

  • Information Systems Auditing Process
  • Governance and Management of IT
  • Information Systems Acquisition, Development and Implementation
  • Information Systems Operations and Business Resilience
  • Protection of Information Assets

A score of 450 or higher (on a scale of 200 to 800) is required to pass. The exam is offered in English, Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Spanish and Turkish.

Sample Questions (from the ISACA Engage forum)

  • Responsibility for the governance of IT should rest with the:
    -> IT strategy committee.
    -> Chief information officer.
    -> Audit committee.
    -> Board of directors.
  • Which of the following attacks is BEST prevented by training and awareness?
    -> Phishing
    -> Pharming
    -> Man-in-the-middle
    -> Browser hijacking
  • Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power?
    -> Power line conditioners
    -> Surge protective devices
    -> Alternative power supplies
    -> Interruptible power supplies
  • Which of the following information security controls mandates behavior by specifying what is and is not permitted?
    -> Managerial
    -> Detective
    -> Corrective
    -> Preventive
  • An advantage in using a bottom-up vs. a top-down approach to software testing is that:
    -> Interface errors are detected earlier.
    -> Confidence in the system is achieved earlier.
    -> Errors in critical modules are detected earlier.
    -> Major functions and processing are tested earlier.
  • Reverse proxy technology for web servers should be deployed if:
    -> HTTP server addresses must be hidden.
    -> Accelerated access to all published pages is required.
    -> Caching is needed for fault tolerance.
    -> Bandwidth to the user is limited.
  • The information security policy that states "each individual must have their badge read at every controlled door" addresses which of the following attack methods?
    -> Piggybacking
    -> Shoulder surfing
    -> Dumpster diving
    -> Impersonation
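The reverse-proxy question above turns on the fact that a reverse proxy sits in front of the origin web servers and hides their addresses from clients. Hiding the address takes more than forwarding requests: the origin's own response headers (Server, X-Powered-By) and any redirect it issues with its internal address in the Location header will leak it unless the proxy rewrites them. The following Python is an added example written for this page, not code from ISACA or from the page's sources; the backend address 10.0.1.25:8080, the public name www.example.com, the header list and the function names are all constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed for this example: the internal origin server the proxy fronts
# and the public origin that clients are allowed to see.
BACKEND_ORIGIN = "http://10.0.1.25:8080"
PUBLIC_ORIGIN = "https://www.example.com"

# Response headers that reveal the origin server's software or topology.
STRIP_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "via"}


def rewrite_location(value, backend_origin=BACKEND_ORIGIN, public_origin=PUBLIC_ORIGIN):
    """Rewrite a redirect target that points at the backend so it names the public origin.

    Relative redirects and redirects to any other host pass through unchanged.
    """
    target = urlsplit(value)
    backend = urlsplit(backend_origin)
    if (target.scheme, target.netloc) != (backend.scheme, backend.netloc):
        return value
    public = urlsplit(public_origin)
    return urlunsplit((public.scheme, public.netloc, target.path, target.query, target.fragment))


def sanitise_response_headers(headers, backend_origin=BACKEND_ORIGIN, public_origin=PUBLIC_ORIGIN):
    """Return the (name, value) pairs a reverse proxy may forward to the client.

    Identifying headers are dropped, Location is rewritten, and a generic
    Server header is substituted so the backend's software is not advertised.
    """
    forwarded = []
    for name, value in headers:
        lname = name.lower()
        if lname in STRIP_HEADERS:
            continue
        if lname == "location":
            value = rewrite_location(value, backend_origin, public_origin)
        forwarded.append((name, value))
    forwarded.append(("Server", "proxy"))
    return forwarded


def leaks_backend(headers, backend_origin=BACKEND_ORIGIN):
    """True if any header value still contains the backend's host:port.

    Useful as a self-check in a proxy's test suite.
    """
    host = urlsplit(backend_origin).netloc
    return any(host in value for _, value in headers)


if __name__ == "__main__":
    # Constructed sample response from the backend: a redirect to its own login page.
    backend_response = [
        ("Server", "Apache/2.4.41 (Ubuntu)"),
        ("X-Powered-By", "PHP/7.4.3"),
        ("Location", "http://10.0.1.25:8080/login"),
        ("Content-Type", "text/html; charset=utf-8"),
    ]
    print("leaks backend before:", leaks_backend(backend_response))
    cleaned = sanitise_response_headers(backend_response)
    for name, value in cleaned:
        print(f"{name}: {value}")
    print("leaks backend after:", leaks_backend(cleaned))
```

Production proxies do this for you (nginx's proxy_redirect and proxy_hide_header directives, for instance), but the point an auditor should check is the same: a proxy that only forwards bytes still exposes the origin through its redirects and banner headers. Set-Cookie domain attributes and error pages generated by the origin deserve the same review.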

Source: ISACA, techtarget.com
