
ISACA was founded in 1969. It has more than 86,000 constituents in more than 160 countries and administers the Certified Information Systems Auditor (CISA) certification.

ISACA holds the CISA examination in June and December. The exam has 200 questions and is reported as a scaled score from 200 to 800; 450 is the passing score.

Examination fees:

                      ISACA member   Non-member
  Early registration  $415           $545
  Final registration  $465           $595

The certification is maintained through Continuing Professional Education (CPE).

Franco Tsang, CISA

CISA study notes - Contents

1 General Information in CISA Study and Examination
1.1 Become a CISA
1.2 CISA Examination
1.2.1 The best answer
1.2.2 Domains
2 The Process of Auditing Information Systems
2.1 Roles involved in an IS audit
2.2 Purpose of an audit
2.3 Independence
2.4 Types of audits
2.5 Classifications of audits
2.6 Audit stages
2.7 Audit Charter
2.8 Preplan the Audit
2.9 Control Self-Assessment (CSA)
2.10 Role of management
2.11 Human resource management
2.12 Communication between auditors and auditees
2.13 Data Collection Methodologies
2.14 Controls / Internal Controls
2.15 Audit Evidence
2.16 Computer Assisted Audit Techniques (CAAT)
2.17 Evidence
2.17.1 Evidence lifecycle
2.17.2 Evidence gathering techniques
2.18 Audit Sampling
2.19 Compliance and Substantive Testing
2.20 Risk Management and risk-based audit approach
2.21 Responding to Irregular or Illegal Activities
2.22 Audit information beyond the audit scope
2.23 Report the Audit Findings
2.24 IS Audit and Assurance Standards
2.24.1 General standards
2.24.2 Performance standards
2.24.3 Reporting Standards
2.25 IS Audit and Assurance Guidelines
2.26 IS Audit and Assurance Tools and Techniques
3 Governance and Management of IT
3.1 Introduction of IT Governance
3.2 IT Strategy Committee
3.3 The IT Steering Committee
3.4 The Balanced Scorecard (BSC)
3.5 IT Balanced Scorecard
3.6 Enterprise Architecture
3.7 Information Security Governance
3.8 Roles and responsibilities of different parties
3.9 Maturity and process improvement models
3.9.1 Capability Maturity Model Integration
3.10 Val IT
3.11 Policy, Standard, Procedure and Guideline
3.11.1 Policy
3.11.2 Standard
3.11.3 Procedure
3.12 Risk Management
3.12.1 Risk Management Program
3.12.2 Risk Management Process Overview
3.12.3 Asset identification
3.12.4 Risk assessment / risk analysis
3.12.4.1 Threats

3.12.4.2 Vulnerabilities
3.12.4.3 Probability and impact
3.12.4.4 Qualitative Risk Analysis and Semi-Quantitative Risk Analysis
3.12.4.5 Quantitative Risk Analysis
3.12.5 Risk Handling / Risk Treatment
3.12.6 Residual Risk
3.13 IT Management Practices
3.13.1 Personnel Management
3.13.2 Outsourcing
3.13.2.1 Outsourcing Governance
3.13.2.2 Cloud computing, SaaS, PaaS and IaaS
3.13.3 Financial management
3.13.4 Information security management
3.13.5 Performance optimization
3.14 Audit IT Governance
3.15 Business Continuity and Disaster Recovery
3.15.1 Disasters
3.15.2 Relationship between disaster / business disruptions and organization
3.15.3 Business continuity management
3.15.3.1 Project Initiation
3.15.3.2 Business Impact Analysis (BIA)
3.15.3.3 Develop continuity and recovery strategies
3.15.3.4 Develop Strategy - Business Process Recovery
3.15.3.5 Develop Strategy - Facility and Supply Recovery
3.15.3.6 Develop Strategy - Supply and Technology Recovery
3.15.3.7 Develop Strategy - User Recovery
3.15.3.8 Develop Strategy - Data Recovery
3.15.3.9 BCP development
3.15.3.10 BCP Testing
3.15.3.11 Continual Maintenance
4 Information Systems Acquisition, Development and Implementation
4.1 Business Realization
4.1.1 Portfolio, program and project
4.1.2 Business Case
4.1.3 Measuring Business Benefits
4.1.4 Roles and responsibility
4.2 Project Management
4.2.1 Process groups
4.2.2 Project Management Practices
4.2.3 Functional, Matrix, and Projectized Organizational Structures
4.2.3.1 Functional Organization Structure
4.2.3.2 Matrix Organization Structure
4.2.3.3 Projectized Organization Structure
4.3 The Software Development Life Cycle (SDLC)
4.3.1 Risks in Software Development
4.3.2 SDLC Phases
4.3.2.1 Feasibility study
4.3.2.2 Requirement definition
4.3.2.3 The Request For Proposal (RFP) process
4.3.2.4 Design
4.3.2.5 Development
4.3.2.6 Programming Languages
4.3.2.7 Debug
4.3.2.8 SQL injection
4.3.2.9 Source Code Management
4.3.2.10 QAT and UAT
4.3.2.11 Implementation / Configuration
4.3.2.12 Maintenance and Post-implementation review
4.4 Other application development techniques
4.5 OO (Object-Oriented) Concepts
4.6 Application Controls
4.6.1 Input Control
4.6.2 Process Control
4.6.3 Output Control
4.7 Change Management
4.8 Configuration Management
4.9 BPLC
4.10 Audit in PM and SDLC
5 Information Systems Operations, Maintenance and Support
5.1 IT Service Management
5.1.1 IT help desk
5.1.2 Incident Management
5.1.3 Problem Management
5.1.4 Change Management
5.1.5 Release Management
5.1.5.1 Gate Process
5.2 Application Library Management
5.3 Quality Assurance
5.4 System Hardware
5.4.1 System Hardware Monitoring
5.5 Database Management Systems
5.5.1 Relational DBMS
5.5.2 Normalization
5.5.3 Referential Integrity
5.5.4 ACID
5.5.5 View
5.6 Network Infrastructure
5.6.1 OSI Reference Model
5.6.2 IPv4 addresses
5.6.3 IPv6 addresses
5.6.4 Address Resolution Protocol (ARP)
5.6.5 Domain Name System (DNS)
5.6.6 DHCP
5.6.7 IPsec VPN
5.6.8 Virtualization
5.6.8.1 Components in Virtualization
5.6.8.2 Risks in Virtualization
5.6.8.3 Best practices in managing virtualized environment
5.6.8.4 Audit virtualization infrastructure
5.6.9 Social Networking
5.6.9.1 Risks in social networking
5.6.9.2 Mitigating risks in social networking
5.7 Auditing IS Infrastructure and Operations
5.8 Auditing File Systems
5.9 Auditing DBMS
6 Protection of Information Assets
6.1 Different kinds of attacks
6.1.1 Passive Attacks
6.1.2 Active Attacks
6.2 Information Classification
6.3 Data Authority Roles
6.4 Data Retention
6.5 Administrative Protection
6.5.1 Policy
6.5.2 Personnel Management
6.5.3 Terminating Access
6.5.4 Incident Handling
6.6 Physical Protection
6.6.1 Access Path
6.6.2 Environmental Control (Electricity)
6.6.3 Environmental Control (HVAC)
6.6.4 Environmental Control (Fire)
6.6.5 Disposal Procedures
6.7 Technical Protection
6.7.1 Mandatory Access Control
6.7.2 Discretionary Access Control
6.7.3 Role-Based Access Control
6.7.4 Constrained User Interface
6.7.5 Authentication
6.7.6 Kerberos
6.7.7 Firewall
6.7.7.1 Firewall Architecture
6.7.8 Wireless Architecture and Security
6.8 Public Key Infrastructure
6.8.1 Encryption
6.8.2 Digital certificates
6.8.3 Diffie-Hellman
6.9 Voice Infrastructure
6.9.1 Components in voice infrastructure
6.9.2 Risks in the voice infrastructure
6.9.3 Mitigating risks in the voice infrastructure
6.10 Capability Maturity Model (CMM)