Secured View: Security Certification
A career as Information Systems Auditor
The roles of IS Auditor and Information Security Auditor are becoming very significant, so CISA certification definitely opens up doors to many opportunities. By Avinash
We are familiar with the term auditing, which is usually associated with financial
auditing. We also come across terms like quality audit, management audit, environment
audit and now, Information Systems Audit. So, who can be an IS Auditor? To quote
from the famous book, Information Systems Control and Audit by Ron Weber: "To
be a good auditor, you have to be better at business than your client."
Further, the purpose of information systems audit is to evaluate whether computer-based
information systems fulfill the following aims:
- Safeguard assets
- Maintain data integrity
- Achieve organizational objectives effectively
- Consume resources efficiently
So, the expectations from an information systems auditor are rather high. The
IS auditor should know what the business expects from information systems, what
are the best IT practices, and whether the information systems of an organization
realize these expectations and best practices. Since all businesses are now
heavily dependent on information systems, management wants assurance from independent
experts. A Certified Information Systems Auditor or CISA is an independent expert
who is qualified to perform information systems audit. This has uplifted the
status of the CISA designation, which is often a mandatory qualification for
an information systems auditor.
Information Systems Audit and Control Association (ISACA) is a world recognized
body, that was founded in 1969. The CISA examination and certification was initiated
in 1978, to address industry requirements. Today, there are more than 30,000 CISAs worldwide. The examination is conducted in multiple languages at 200 locations. The 2003 CISA examination had more than 1,900 candidates.
ISACA has ensured that the CISA syllabus meets the industry expectations. The
syllabus is periodically enhanced to reflect the current trends in information
technology. The current syllabus expects one to know the following domains.
(Figures in brackets are the weightage given to each domain in the examination.)
1. Management, Planning, and Organization of IS (11%)
This domain describes the best IS management practices. Unlike CISSP, this domain
does not restrict itself to only Information Security, but covers all aspects
of information systems. To begin with, it defines the entire organizational
structure of the Information Systems department, from Chief Information Officer
to tape librarian, or data-entry operator. In the current scenario of downsizing
and outsourcing, we may not find all the classical job definitions and practices
in the organization, but we need to understand the best practices for managing
the IS department, planning its activities and having an appropriate management
structure in place.
2. Technical Infrastructure and Operational Practices (13%)
This domain covers all the technologies pertaining to hardware, software and
networking. So, you have to study the types of databases, the TCP/IP protocols,
telecommunications, the LAN and also various operational practices and how to
audit these, along with the infrastructure. Understanding the technology is
important to evaluate whether the implementation has been done appropriately.
3. Protection of Information Assets (25%)
This domain focuses on information security management. You have to study various
vulnerabilities of the infrastructure as well as the security technologies that
would protect these. These include logical access controls, networking access
controls like firewalls, intrusion detection, encryption and environmental and
physical exposure and controls.
4. Disaster Recovery and Business Continuity (10%)
Business continuity has become a major focus area as the availability of information
systems has become critical to business. This domain requires a good understanding
of the business continuity/disaster recovery planning process, which includes
business impact analysis, recovery strategies, developing, implementing, testing
and updating the plans, and how the plan should be audited.
5. Business Application System Development, Acquisition, Implementation, and Maintenance (16%)
This domain focuses on the core area of information systems development. You
have to learn the traditional system development lifecycle, also the modern
development strategies like object-oriented system development, component-based
and Web-based system development; understand the information system management
practices, project management practices, tools, process improvement models,
and the auditing of the entire system development process.
6. Business Process Evaluation and Risk Management (15%)
This module links the business expectations and the risks, to the development
and deployment of information systems. Areas like Business Process Reengineering,
Risk Management, IT governance, application controls, various business application
systems like e-Commerce, EDI, Artificial Intelligence, data warehouse, Decision
Support Systems are covered here.
7. The IS Audit Process (10%)
This module familiarizes us with ISACA's code of ethics, auditing standards,
guidelines, as well as audit methodology, Computer Assisted Audit techniques
and Control Self-Assessment.
In the last article on CISSP, I compared the CISSP domains with BS7799 domains.
I have done a similar exercise of comparing the CISA domains with BS7799 domains
in the table.
So you will find that there is a good amount of overlap in the knowledge areas.
CISA is focused on overall information systems, and so security is only one of the
components; it is handled in domains 2, 3 and 4, which together account for about 48% of the total
syllabus. Domain 1 of CISA indirectly covers the requirements of Domain 1 of
BS7799. The remaining 52% of CISA is devoted to areas like IS Management, IS
Audit, Business Process Evaluation & Risk Management, and Business Application
Development, Acquisition & Maintenance. These do not directly relate
to security, but are focused on the effectiveness and efficiency of information
system implementation in business, and only indirectly refer to security implications.
This is one reason why many professionals acquire both certifications: CISA
as well as CISSP. After all, if you have completed CISA successfully, you have
covered a lot of material for CISSP. It may not be to the same depth of technical
knowledge as expected for CISSP, but you would be able to easily build on this
base. Similarly, if you have done CISSP first, you would have already covered
half the CISA material, and need to concentrate on the new areas of Business
Application, Management and IS Audit.
I would personally recommend both certifications to get an all round exposure
of Information Management as well as Information Security Management.
How to become a CISA
ISACA has stipulated the following guidelines for getting the CISA designation.
Remember, passing the examination is just the first step.
1. Successful completion of the CISA examination.
The examination is conducted once a year on the second Saturday of June, so
the next examination is scheduled for 12th June 2004. The examination consists
of 200 multiple-choice questions to be answered within four hours. A score of
75 is required to pass. This is a scaled score set by ISACA, not a percentage
of correct answers and not a percentile, so passing does not by itself mean that
you have placed in the top 25% of candidates.
2. Information systems auditing, control or security experience.
You need to have five years of IS audit experience, with waivers of up to two
years given, based on auditing experience, graduate degree or teaching experience
in a related field. This experience could even be gained after passing the examination.
3. Adherence to the Code of Professional Ethics.
ISACA has formulated the Code of Professional Ethics. You must read and abide
by the same.
4. Adherence to the continuing professional education program.
You have to ensure that you keep your knowledge up to date by clocking
120 hours of continuing professional education over three years, by means of attending lectures,
giving lectures or doing work for the ISACA local chapter.
5. Compliance with the Information Systems Auditing Standards.
You have to adhere to the IS Audit Standards as promulgated by ISACA.
Apart from these, you have also to pay various fees like membership fees, certification
fees, local chapter fees and the examination fees. All these details are available
on the website, www.isaca.org.
How to prepare for the examination
Each year ISACA publishes a CISA Review Manual. This is a must buy as it reflects
the complete syllabus for the CISA examination. This is not a textbook but a
review manual, as such it helps you to review all the topics. If you are not
familiar with some areas, good textbooks like Information Systems Control and
Audit by Ron Weber can really help. Another good book is Computer Networks by
Tanenbaum. ISACA has a number of white papers and articles available for its
members on the website.
CISA Study Circle
ISACA has nine local chapters in India. Each chapter conducts a CISA study circle.
Volunteers of the local chapters, who like to share knowledge with aspiring
CISAs, conduct these study circles. You will be able to get the chapter contact
details from the ISACA website. One of the greatest advantages of these study
circles is meeting other aspirants and forming smaller study groups. Candidates
from different backgrounds appear for the examination, and the study group members
complement each other's strengths. This model has worked very well.
The study circle's classes usually start in November and continue till the
end of April, and are conducted either in the evenings or weekends, depending
on the convenience of most of the participants. The local chapters also conduct
short-duration crash courses for those who cannot attend a full-duration study circle.
Unlike CISSP, there are not many books with question banks. Joining the study
circle gives you access to some question banks compiled by past students. Also,
the study circles conduct mock tests based on previous questions banks from
the old review manuals. These could be used for practice, but the difficulty
level of the actual examination will be higher than these questions.
If you start serious studies from November and regularly assess your preparation
by solving various question banks or taking up the mock tests at the study circle,
you should be well prepared to appear for the June examination. You have to
make a decision by 4th February to get an early bird discount.
The fact that a CISA qualification is listed as a requirement in advertisements
for IS Auditors is proof enough of its acceptance in the industry. With increasing
emphasis by Government on periodic IS audits, and the industry opting for
security certifications like BS7799, the roles of IS Auditor, as well as Information
Security Auditor, are becoming very important.
CISA certification definitely opens up doors to many opportunities.