CISA Certified Information Systems Auditor Study Guide - Peter H. Gregory - E-Book

Peter H. Gregory

Description

Prepare for success on the 2024 CISA exam and further your career in security and audit with this effective study guide

The CISA Certified Information Systems Auditor Study Guide: Covers 2024-2029 Exam Objectives provides comprehensive and accessible test preparation material for the updated CISA exam, which now consists of 150 questions testing knowledge and ability on real-life job practices leveraged by expert professionals.

You'll efficiently and effectively prepare for the exam with online practice tests and flashcards as well as a digital glossary. The concise and easy-to-follow instruction contained in the 2024-2029 CISA Study Guide covers every aspect of the exam. This study guide helps readers prepare for questions across the five domains on the test: Information System Auditing Process; Governance and Management of IT; Information Systems Acquisition, Development, and Implementation; Information Systems Operation and Business Resilience; and Protection of Information Assets.

This study guide shows readers how to:

  • Understand principles, best practices, and pitfalls of cybersecurity, which is now prevalent in virtually every information systems role
  • Protect and control information systems and offer conclusions on the state of an organization's IS/IT security, risk, and control solutions
  • Identify critical issues and recommend enterprise-specific practices to support and safeguard the governance of information and related technologies
  • Prove not only competency in IT controls, but also an understanding of how IT relates to business
  • Includes 1 year free access to the Sybex online learning center, with chapter review questions, full-length practice exams, hundreds of electronic flashcards, and a glossary of key terms, all supported by Wiley's support agents who are available 24x7 via email or live chat to assist with access and login questions

The CISA Certified Information Systems Auditor Study Guide: Covers 2024-2029 Exam Objectives is an essential learning resource for all students and professionals preparing for the 2024 version of the CISA exam from ISACA.

Page count: 1504

Publication year: 2024




Table of Contents

Cover

Table of Contents

Title Page

Copyright

Dedication

Acknowledgments

About the Authors

About the Technical Editors

Introduction

The CISA Exam

CISA Exam Objectives

CISA Certification Exam Objective Map

Assessment Test

Answers to Assessment Test

Chapter 1: IT Governance and Management

IT Governance Practices for Executives and Boards of Directors

IT Strategic Planning

Policies, Processes, Procedures, and Standards

Risk Management

IT Management Practices

Organization Structure and Responsibilities

Maintaining an Existing Program

Auditing IT Governance

Summary

Exam Essentials

Review Questions

Chapter 2: The Audit Process

Audit Management

ISACA Auditing Standards

Risk Analysis

Controls

Performing an Audit

Control Self-Assessment

Implementation of Audit Recommendations

Audit Quality Assurance

Summary

Exam Essentials

Review Questions

Chapter 3: IT Life Cycle Management

Benefits Realization

Project Management

Systems Development Methodologies

Infrastructure Development and Deployment

Maintaining Information Systems

Business Processes

Managing Third Parties

Application Controls

Auditing the Systems Development Life Cycle

Auditing Business Controls

Auditing Application Controls

Auditing Third-Party Risk Management

Summary

Exam Essentials

Review Questions

Chapter 4: IT Service Management

Information Systems Operations

Systems Performance Management

Problem and Incident Management

Change, Configuration, Release, and Patch Management

Operational Log Management

IT Service Level Management

Database Management Systems

Data Management and Governance

Other IT Service Management Topics

Auditing IT Service Management and Operations

Summary

Exam Essentials

Review Questions

Chapter 5: IT Infrastructure

Information Systems Hardware

Information Systems Architecture and Software

Network Infrastructure

Asset Inventory and Classification

Job Scheduling and Production Process Automation

System Interfaces

End-User Computing

Auditing IT Infrastructure

Summary

Exam Essentials

Review Questions

Chapter 6: Business Continuity and Disaster Recovery

Business Resilience

Incident Response Communications

Auditing Business Continuity Planning

Auditing Disaster Recovery Planning

Summary

Exam Essentials

Review Questions

Chapter 7: Information Security Management

Information Security

Role of the Information Security Manager

Information Security Risks

Building an Information Security Strategy

Implementing Security Controls

Endpoint Security

Network Security Controls

Cloud Computing Security

Cryptography

Exploring Cybersecurity Threats

Privacy

Security Awareness and Training

Security Incident Response

Auditing Information Security Controls

Summary

Exam Essentials

Review Questions

Chapter 8: Identity and Access Management

Logical Access Controls

Third-party Access Management

Environmental Controls

Physical Security Controls

Human Resources Security

Auditing Access Controls

Summary

Exam Essentials

Review Questions

Chapter 9: Conducting a Professional Audit

Understanding the Audit Cycle

How the IS Audit Cycle Is Discussed

Overview of the IS Audit Cycle

Summary

Appendix A: Popular Methodologies, Frameworks, and Guidance

Common Terms and Concepts

Frameworks, Methodologies, and Guidance

Notes

References

Appendix B: Answers to Review Questions

Chapter 1: IT Governance and Management

Chapter 2: The Audit Process

Chapter 3: IT Life Cycle Management

Chapter 4: IT Service Management

Chapter 5: IT Infrastructure

Chapter 6: Business Continuity and Disaster Recovery

Chapter 7: Information Security Management

Chapter 8: Identity and Access Management

Index

End User License Agreement

List of Tables

Chapter 1

TABLE 1.1 Zachman framework showing IT systems in increasing levels of detai...

TABLE 1.2 Example segregation of duties matrix identifying forbidden combina...

Chapter 2

TABLE 2.1 Comparison of IS audit and IS management risk analysis

Chapter 3

TABLE 3.1 COCOMO weighting factors

TABLE 3.2 Using FPA to Estimate Effort Required to Develop Complex Applicati...

TABLE 3.3 Third-party risk tiers

TABLE 3.4 Assessment techniques for each level of risk

Chapter 4

TABLE 4.1 Example service level agreement measurements

Chapter 5

TABLE 5.1 Old and new twisted-pair cabling abbreviations and meaning

TABLE 5.2 USB data rates

TABLE 5.3 SONET OC levels

TABLE 5.4 T-carrier data rates and channels in North America

TABLE 5.5 E-carrier services

TABLE 5.6 Comparison of Wi-Fi standards

TABLE 5.7 ICMP message types

TABLE 5.8 Classes of networks

TABLE 5.9 Classless network subnet masks

TABLE 5.10 Internet IP address allocation

TABLE 5.11 Private address ranges

TABLE 5.12 Example of information handling guidelines

Chapter 6

TABLE 6.1 Example threat analysis, which identifies threats and controls for...

TABLE 6.2 Preparation activities required for each type of BC/DR test

TABLE 6.3 Disaster response teams’ roles and responsibilities

TABLE 6.4 The lower the RTO, the higher the cost to achieve it

TABLE 6.5 Relative costs of recovery sites

TABLE 6.6 Detailed comparison of cold, warm, and hot sites

TABLE 6.7 Hardware acquisition pros and cons for hot, cold, and cloud recove...

Chapter 9

TABLE 9.1 Control objectives and their supporting controls

TABLE 9.2 Project planning to audit project planning

TABLE 9.3 Different kinds of exceptions and how residual risk is evaluated

Appendix A

TABLE A.1 Examples of objectives

TABLE A.2 Example process maturity model

TABLE A.3 PCI DSS Principles and Requirements

TABLE A.4 Summary of frameworks

List of Illustrations

Chapter 1

FIGURE 1.1 The IT steering committee synthesizes a future strategy using sev...

FIGURE 1.2 Policies, processes, procedures, and standards

FIGURE 1.3 A typical DFD shows the relationship between IT applications.

FIGURE 1.4 The risk management life cycle

FIGURE 1.5 Typical IT organization chart

FIGURE 1.6 Communication and control flow upward and downward in an organiza...

Chapter 2

FIGURE 2.1 The organization’s goals and objectives translate into audit acti...

FIGURE 2.2 Relationship between ISACA audit standards, audit guidelines, and...

FIGURE 2.3 The ISACA Risk IT Framework high-level components

FIGURE 2.4 Control classification shows types, classes, and categories of co...

FIGURE 2.5 The control self-assessment life cycle

Chapter 3

FIGURE 3.1 Benefits realization

FIGURE 3.2 A program manager oversees several projects.

FIGURE 3.3 An object breakdown structure helps participants understand proje...

FIGURE 3.4 A work breakdown structure depicts a project’s tasks.

FIGURE 3.5 A Gantt chart illustrates task duration, schedule dependencies, a...

FIGURE 3.6 A PERT chart helps to visualize time sequence and dependencies in...

FIGURE 3.7 The PRINCE2 method integrates principles, themes, and processes....

FIGURE 3.8 The Scrum process consists of one or more sprints that produce pr...

FIGURE 3.9 Example Kanban board

FIGURE 3.10 Extreme programming process flow

FIGURE 3.11 The potential consequences of failing to agree on design

FIGURE 3.12 Requirements and design characteristics must all be verified thr...

FIGURE 3.13 Implementation involves preparing the production environment pri...

FIGURE 3.14 DevOps is the integration of development, software QA (testing),...

FIGURE 3.15 Typical cloud responsibility model

FIGURE 3.16 The business process management life cycle

FIGURE 3.17 NIST Cybersecurity Framework Core Structure

FIGURE 3.18 Asset Management Cybersecurity Framework

Chapter 4

FIGURE 4.1 The different perspectives on the delivery of IT services

FIGURE 4.2 Fields in a sales order table point to records in other tables.

FIGURE 4.3 Hierarchical and network databases

Chapter 5

FIGURE 5.1 A CPU that is plugged into a computer circuit board

FIGURE 5.2 Typical RAM module for a laptop, workstation, or server

FIGURE 5.3 Typical computer hard disk drive

FIGURE 5.4 Blade computer architecture

FIGURE 5.5 Virtualization

FIGURE 5.6 A comparison of network sizes

FIGURE 5.7 Encapsulation of packets in the OSI network model

FIGURE 5.8 Encapsulation in the TCP/IP network model

FIGURE 5.9 Hosts and routers at the Internet layer

FIGURE 5.10 The TCP/IP and OSI network models side by side

FIGURE 5.11 Network physical topologies: star, ring, and bus

FIGURE 5.12 Category 5 twisted-pair cable

FIGURE 5.13 Fiber-optic cable with its connector removed to reveal its inter...

FIGURE 5.14 Connectors link fiber-optic cable to network equipment.

FIGURE 5.15 Coaxial cable

FIGURE 5.16 An Ethernet frame consists of a header, data, and checksum

FIGURE 5.17 Token Ring network topologies

FIGURE 5.18 A typical terminating node for a fiber to the home (FTTH) connec...

FIGURE 5.19 IPsec tunnel mode protects all traffic between two remote networ...

FIGURE 5.20 A subnet mask denotes which part of an IP address signifies a ne...

Chapter 6

FIGURE 6.1 Mount Etna volcano in Sicily

FIGURE 6.2 Damage to structures caused by the 2011 Japan tsunami

FIGURE 6.3 An auditorium was used as a temporary hospital during the 1918 fl...

FIGURE 6.4 Baby formula shortages hit the United States in 2021.

FIGURE 6.5 The BCP process life cycle

FIGURE 6.6 BIA sample intake form for gathering data about key processes

FIGURE 6.7 Stress is compounded by the pressure of disaster recovery and the...

FIGURE 6.8 Example laminated wallet card for core team participants with eme...

FIGURE 6.9 Example call tree structure

FIGURE 6.10 Aim for the sweet spot and balance the costs of downtime and rec...

FIGURE 6.11 Recovery objective development flowchart

FIGURE 6.12 Application and database server clusters

FIGURE 6.13 Geographic cluster with data replication

FIGURE 6.14 Towers of Hanoi backup media rotation scheme

FIGURE 6.15 Top-down approach to an audit of business continuity

Chapter 7

FIGURE 7.1 The three key objectives of cybersecurity programs are confidenti...

FIGURE 7.2 RACI matrix for information security

FIGURE 7.3 The three key threats to cybersecurity programs are disclosure, a...

FIGURE 7.4 Cybersecurity SWOT analysis example

FIGURE 7.5 Network firewalls divide networks into three zones.

FIGURE 7.6 (a) Vertical scaling vs. (b) horizontal scaling

FIGURE 7.7 Shared responsibility model for cloud computing

FIGURE 7.8 Challenge-response authentication protocol

FIGURE 7.9 Symmetric key cryptography

FIGURE 7.10 Asymmetric key cryptography

FIGURE 7.11 Security awareness poster

FIGURE 7.12 Incident response process

Chapter 8

FIGURE 8.1 VPN architecture

FIGURE 8.2 Biometric authentication with a (a) retinal scanner (b) fingerpri...

FIGURE 8.3 Authentication token

FIGURE 8.4 False acceptance rate (FAR), false rejection rate (FRR), and cros...

FIGURE 8.5 Components in a facility power system

Chapter 9

FIGURE 9.1 Different considerations in a risk assessment

FIGURE 9.2 Audit objectives are developed using information from several sou...

FIGURE 9.3 Audit objective and risk assessment help to determine audit scope...

FIGURE 9.4 Different methods of diagramming can support IS auditing.

FIGURE 9.5 Diagrammatic process mappings can visually overlay controls and t...

FIGURE 9.6 A test plan helps to organize the details of an IS audit.

FIGURE 9.7 A testing lead sheet contains comprehensive information on the co...

Appendix A

FIGURE A.1 Rating scale for process maturity

FIGURE A.2 The Business Model for Information Security

FIGURE A.3 The COSO cube

FIGURE A.4 The Risk IT Framework

Guide

Cover

Table of Contents

Title Page

Copyright

Dedication

Acknowledgments

About the Author

About the Technical Editors

Introduction

Assessment Test

Begin Reading

Appendix A: Popular Methodologies, Frameworks, and Guidance

Appendix B: Answers to Review Questions

Index

End User License Agreement

Other Information Security Study Guides from Sybex

IAPP CIPP / US Certified Information Privacy Professional Study Guide, 2nd Edition — ISBN 978-1-394-28490-0, January 2025

IAPP CIPM Certified Information Privacy Manager Study Guide — ISBN 978-1-394-15380-0, January 2023

ISC2 CISSP Certified Information Systems Security Professional Official Study Guide, 10th Edition — ISBN 978-1-394-25469-9, June 2024

CISM Certified Information Security Manager Study Guide — ISBN 978-1-119-80193-1, May 2022

ISC2 CCSP Certified Cloud Security Professional Official Study Guide, 3rd Edition — ISBN 978-1-119-90937-8, October 2022

CISA® Certified Information Systems Auditor Study Guide

Covers 2024–2029 Exam Objectives

Peter H. Gregory, CISA, CISSP

Mike Chapple, Ph.D., CISA, CISSP

Copyright © 2025 by John Wiley & Sons, Inc. All rights, including for text and data mining, AI training, and similar technologies, are reserved.

Some content was previously published in CISA Certified Information Systems Auditor All-in-One Exam Guide, Fourth Edition by Peter H. Gregory (© 2020 McGraw-Hill).

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada and the United Kingdom.

ISBNs: 9781394288380 (paperback), 9781394288403 (ePDF), 9781394288397 (ePub)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Trademarks: WILEY, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISA is a trademark or registered trademark of Information Systems Audit and Control Association, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and authors have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993. For product technical support, you can find answers to frequently asked questions or reach us via live chat at https://sybexsupport.wiley.com.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our website at www.wiley.com.

Library of Congress Control Number: 2024942279

Cover image: © Jeremy Woodhouse/Getty Images

Cover design: Wiley

To my grandchildren – may they grow up in a safer world.

—Peter

To my wife, Renee. We are a quarter century into this adventure together and yet we still find ourselves standing on the precipice of change. Here’s to what’s next!

—Mike

Acknowledgments

Books like this involve work from many people, and as authors, we truly appreciate the hard work and dedication that the team at Wiley shows. We would especially like to thank our acquisitions editor, Jim Minatel, who jumped through some incredible hoops to make this project possible.

We also greatly appreciated the editing and production team for the book, including Christine O’Connor, the managing editor, who brought years of experience and great talent to the project; Archana Pragash, the production editor who kept the train on the tracks, guided us through layouts, formatting, and final cleanup to produce a great book; Bobby Rogers and Jessica Chang, the technical editors, who provided insightful advice and gave wonderful feedback throughout the book. We would also like to thank the many behind-the-scenes contributors, including the graphics, production, and technical teams who make the book and companion materials into a finished product.

Shahla Pirnia, Mike’s technical editor at CertMike.com, was instrumental in helping us get all of the details straightened out as we prepared the manuscript.

Our agent, Carole Jelen of Waterside Productions, continues to provide us with wonderful opportunities, advice, and assistance throughout our writing careers.

Finally, we would like to thank our families, who supported us through the late evenings, busy weekends, and long hours that a book like this requires to write, edit, and get to press.

About the Authors

Peter H. Gregory, CISSP, CISM, CISA, CRISC, CIPM, CDPSE, CCSK, DRCE, A/CCRF, A/CCRP, is the author of more than 60 books on security and technology, including Solaris Security (Prentice Hall, 2000), The Art of Writing Technical Books (Waterside Productions, 2022), CISM Certified Information Security Manager All-In-One Exam Guide (McGraw-Hill, 2022), Chromebook For Dummies (Wiley, 2023), and Elementary Information Security (Jones & Bartlett Learning, 2024).

Peter is a career technologist and a security executive at a regional telecommunications provider. Before this, he held security leadership positions at Optiv Security (www.optiv.com) and Concur Technologies (www.concur.com). Peter is an advisory board member for the University of Washington and Seattle University for education programs in cybersecurity. He is a graduate of the FBI Citizens Academy.

Peter resides in Central Washington State and can be found at www.peterhgregory.com.

Mike Chapple, PhD, CISA, is the author of over 50 books, including the best-selling ISC2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex, 2024) and the ISC2 CISSP Official Practice Tests (Sybex, 2024). He is a cybersecurity professional with 25 years of experience in higher education, the private sector, and government.

Mike currently serves as Teaching Professor in the IT, Analytics, and Operations department at the University of Notre Dame’s Mendoza College of Business, where he teaches undergraduate and graduate courses on cybersecurity, data management, and business analytics.

Mike previously served as executive vice president and chief information officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active-duty intelligence officer in the U.S. Air Force.

Mike earned both his BS and PhD degrees from Notre Dame in computer science and engineering. Mike also holds an MS in computer science from the University of Idaho and an MBA from Auburn University. Mike holds the Certified Information Systems Auditor (CISA), Cybersecurity Analyst+ (CySA+), Security+, Certified Information Security Manager (CISM), Certified Cloud Security Professional (CCSP), and Certified Information Systems Security Professional (CISSP) certifications.

Learn more about Mike and his other security certification materials at his website, https://CertMike.com.

About the Technical Editors

Bobby E. Rogers is a senior cybersecurity professional with over 30 years in the field. He serves as a cybersecurity auditor and virtual Chief Information Security Officer (vCISO) for a variety of clients. He works with a major engineering company in Huntsville, Alabama, helping to secure networks and manage cyber risk for its customers. In addition to numerous educational institutions, Bobby’s customers have included the U.S. Army, NASA, the State of Tennessee, and private/commercial companies and organizations. Bobby’s specialties are cybersecurity engineering, security compliance, and cyber risk management, but he has worked in almost every area of cybersecurity, including network defense, computer forensics and incident response, and penetration testing.

He has narrated and produced over 30 computer training videos for several training companies. He is the author of McGraw-Hill Education’s “CompTIA CySA+ Cybersecurity Analyst Certification Passport (Exam CS0-002),” 1st Edition, and “CISSP Passport,” 1st Edition; coauthor of “Certified in Risk and Information Systems Control (CRISC) All-in-One Exam Guide,” 1st and 2nd editions; and contributing author/technical editor for the popular “CISSP All-in-One Exam Guide” (7th, 8th, and 9th editions).

Jessica Chang is a licensed CPA in the state of Colorado with over 15 years of public accounting and general accounting experience in multiple leadership roles. She has worked in various industries, including telecommunications, hospitality, real estate, and e-commerce, and has served as the chief audit executive for multiple companies.

Introduction

Congratulations on choosing to become a Certified Information Systems Auditor (CISA). Whether you have worked for several years in the field of information systems auditing or have just recently been introduced to the world of controls, assurance, and security, don’t underestimate the hard work and dedication required to obtain and maintain CISA certification. Although ambition and motivation are essential, the rewards of being CISA certified can far exceed the effort.

You probably never imagined you would find yourself working in the world of auditing or looking to obtain a professional auditing certification. Perhaps the increase in legislative or regulatory requirements for information system security led to your introduction to this field. Or possibly you noticed that CISA-related career options are increasing exponentially and you have decided to get ahead of the curve. You aren’t alone; since the inception of CISA certification in 1978, more than 200,000 professionals worldwide reached the same conclusion and have earned this well-respected certification. Welcome to the journey and the amazing opportunities that await you.

We have put together this information to help you understand the commitment needed, prepare for the exam, and maintain your certification. Not only is it our wish that you prepare for and pass the exam with flying colors, but we also provide you with the information and resources to maintain your certification and to represent yourself and the professional world of information system (IS) auditing proudly with your new credentials.

ISACA (formerly known as the Information Systems Audit and Control Association) is a recognized leader in the areas of control, assurance, and IT governance. Formed in 1967, this nonprofit organization represents more than 180,000 professionals in more than 188 countries. ISACA administers several exam certifications, including:

Certified Information Systems Auditor (CISA)

Certified Information Security Manager (CISM)

Certified in Risk and Information Systems Control (CRISC)

Certified Data Privacy Solutions Engineer (CDPSE)

Certified in Governance of Enterprise IT (CGEIT)

Certified Cybersecurity Operations Analyst (CCOA)

The certification program has been accredited under ISO/IEC 17024:2012, which means that ISACA’s procedures for accreditation meet international requirements for quality, continuous improvement, and accountability.

If you’re new to ISACA, we recommend that you tour the organization’s website (www.isaca.org) and become familiar with the guides and resources available. In addition, if you’re near one of the 225 local ISACA chapters in 99 countries worldwide, consider reaching out to the chapter board for information on local meetings, training days, conferences, or study sessions. You may be able to meet other IS auditors who can give you additional insight into the CISA certification and the audit profession.

Established in 1978, the CISA certification primarily focuses on audit, controls, assurance, and security. It certifies the individual’s knowledge of testing and documenting IS controls and their ability to conduct formal IS audits. Organizations seek qualified personnel for assistance with developing and maintaining strong control environments. A CISA-certified individual is a great candidate for these positions.

If you’re preparing to take the CISA exam, you’ll undoubtedly want to find as much information as you can about information systems and auditing. The more information you have at your disposal, the better off you’ll be when attempting the exam. This study guide was written with that in mind. The goal was to provide enough information to prepare you for the test, but not so much that you’ll be overloaded with information that’s outside the scope of the exam.

This book presents the material at an intermediate technical level. Experience with and knowledge of security and auditing concepts will help you get a full understanding of the challenges you’ll face as an information systems auditor.

We’ve included review questions at the end of each chapter to give you a taste of what it’s like to take the exam. We recommend that you check out these questions first to gauge your level of expertise. You can then use the book mainly to fill in the gaps in your current knowledge. This study guide will help you round out your knowledge base before tackling the exam.

If you can answer 80 percent or more of the review questions correctly for a given chapter, you can feel safe moving on to the next chapter. If you’re unable to answer that many correctly, reread the chapter and try the questions again. Your score should improve.

Don’t just study the questions and answers! The questions on the actual exam will be different from the practice questions included in this book. The exam is designed to test your knowledge of a concept or objective, so use this book to learn the objectives behind the questions.

The CISA Exam

The CISA exam is designed to be a vendor-neutral certification for information systems auditors. ISACA recommends this certification for those who already have experience in auditing and want to demonstrate that experience to current and future employers.

The exam covers five major domains:

Information Systems Auditing Process

Governance and Management of IT

Information Systems Acquisition, Development and Implementation

Information Systems Operations and Business Resilience

Protection of Information Assets

These five areas include a range of topics, from enterprise risk management to evaluating cybersecurity controls. They focus heavily on scenario-based learning and the role of the information systems auditor in various scenarios. There’s a lot of information that you’ll need to learn, but you’ll be well rewarded for possessing this credential. ISACA reports that the average salary of CISA credential holders is over $145,000.

The CISA exam includes only standard multiple-choice questions. Each question has four possible answer choices and only one of those answer choices is the correct answer. When you’re taking the test, you’ll likely find some questions where you think multiple answers might be correct. In those cases, remember that you’re looking for the best possible answer to the question!

The exam costs $575 for ISACA members and $760 for non-members. More details about the CISA exam and how to take it can be found at:

www.isaca.org/credentialing/cisa

You’ll have four hours to take the exam and will be asked to answer 150 questions during that time period. Your exam will be scored on a scale ranging from 200 to 800, with a passing score of 450.

ISACA frequently does what is called item seeding, which is the practice of including unscored questions on exams. It does so to gather psychometric data, which is then used when developing new versions of the exam. Before you take the exam, you will be told that your exam may include these unscored questions. So, if you come across a question that does not appear to map to any of the exam objectives—or for that matter, does not appear to belong in the exam—it is likely a seeded question. You never really know whether or not a question is seeded, however, so always make your best effort to answer every question.

Taking the Exam

Once you are fully prepared to take the exam, you can visit the ISACA website to register. Currently, ISACA offers two options for taking the exam: an in-person exam at a testing center and an at-home exam that you take on your own computer through a remote proctoring service.

In-Person Exams

ISACA partners with PSI Exams testing centers, so your next step will be to locate a testing center near you. In the United States, you can do this based on your address or your zip code, while non-U.S. test takers may find it easier to enter their city and country. You can search for a test center near you at the PSI Exams website:

https://home.psiexams.com/#/test-center?p=Z97SE74H

Now that you know where you’d like to take the exam, simply set up a PSI testing account and schedule an exam on their site.

On the day of the test, bring a government-issued identification card or passport that contains your full name (exactly matching the name on your exam registration), your signature, and your photograph. Make sure to show up with plenty of time before the exam starts. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials in with you.

At-Home Exams

ISACA also offers online exam proctoring. Candidates using this approach will take the exam at their home or office and be proctored over a webcam by a remote proctor.

Due to the rapidly changing nature of the at-home testing experience, candidates wishing to pursue this option should check the ISACA website for the latest details.

After the CISA Exam

Once you have taken the exam, you will be notified of your score immediately, so you’ll know if you passed the test right away. You should keep track of your score report with your exam registration records and the email address you used to register for the exam.

Meeting the Experience Requirement

The CISA program is designed to demonstrate that an individual is a qualified information systems auditor. That requires more than just passing a test—it also requires real hands-on work experience.

The basic CISA work experience requirement is that you must have five years of work experience in information systems auditing, controls, assurance, or security. If the work you do aligns with any of the job practice statements found later in this introduction, that experience likely qualifies.

If you’re a current information systems auditor or cybersecurity professional, you may find it easy to meet these requirements. If you don’t yet meet the experience requirement, you may still take the exam and then you’ll have five years to gain the experience and become fully certified after passing the test.

There are some waivers available that can knock 1, 2, or 3 years off your experience requirement:

If you hold an associate’s degree in any field, you qualify for a 1-year waiver.

If you hold a bachelor’s, master’s, or doctoral degree in any field, you qualify for a 2-year waiver.

If you hold a master’s degree in information systems or a related field, you qualify for a 3-year waiver.

If you hold full certification from the Chartered Institute of Management Accountants (CIMA), you qualify for a 2-year waiver.

If you are a member of the Association of Chartered Certified Accountants (ACCA), you qualify for a 2-year waiver.

These waivers may not be combined. You may only use one of these waiver options against your certification requirements.

You must have earned all of the experience used toward your requirement within the 10 years preceding your application or within 5 years of the date you pass the exam.

Maintaining Your Certification

Information systems auditing is a constantly evolving field with new threats and controls arising regularly. All CISA holders must complete continuing professional education on an annual basis to keep their knowledge current and their skills sharp. The guidelines around continuing professional education are somewhat complicated, but they boil down to two main requirements:

You must complete 120 hours of credit every three years to remain certified.

You must have a minimum of 20 hours of credit every year during that cycle.

You must meet both of these requirements. For example, if you earn 120 credit hours during the first year of your certification cycle, you still must earn 20 additional credits in each of the next 2 years.

Continuing education requirements follow calendar years, and your clock will begin ticking on January 1 of the year after you earn your certification. You are allowed to begin earning credits immediately after you’re certified. They’ll just count for the next year.

There are many acceptable ways to earn CPE credits, many of which do not require travel or attending a training seminar. The important requirement is that you generally do not earn CPEs for work that you perform as part of your regular job. CPEs are intended to cover professional development opportunities outside of your day-to-day work. You can earn CPEs in several ways:

Attending conferences

Attending training programs

Attending professional meetings and activities

Taking self-study courses

Participating in vendor marketing presentations

Teaching, lecturing, or presenting

Publishing articles, monographs, or books

Participating in the exam development process

Volunteering with ISACA

Earning other professional credentials

Contributing to the profession

Mentoring

For more information on the activities that qualify for CPE credits, visit this site:

www.isaca.org/credentialing/how-to-earn-cpe

Study Guide Elements

This study guide uses a number of common elements to help you prepare. These include the following:

Summaries

The Summary section of each chapter briefly explains the chapter, allowing you to easily understand what it covers.

Exam Essentials

The Exam Essentials focus on major exam topics and critical knowledge that you should take into the test. The Exam Essentials focus on the exam objectives provided by ISACA.

Chapter Review Questions

A set of questions at the end of each chapter will help you assess your knowledge of that chapter’s topics and judge whether you are ready to take the exam.

Additional Study Tools

This book comes with a number of additional study tools to help you prepare for the exam. They include the following.

Go to www.wiley.com/go/Sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.

Sybex Test Preparation Software

Sybex’s test preparation software lets you prepare with electronic test versions of the review questions from each chapter, the practice exam, and the bonus exam that are included in this book. You can build and take tests on specific domains, by chapter, or cover the entire set of CISA exam objectives using randomized tests.

Electronic Flashcards

Our electronic flashcards are designed to help you prepare for the exam. Over 100 flashcards will ensure that you know critical terms and concepts.

Glossary of Terms

Sybex provides a full glossary of terms in PDF format, allowing quick searches and easy reference to materials in this book.

Bonus Practice Exams

In addition to the practice questions for each chapter, this book includes two full 150-question practice exams. We recommend that you use them both to test your preparedness for the certification exam.

Like all exams, the Certified Information Systems Auditor exam from ISACA is updated periodically and may eventually be retired or replaced. At some point after ISACA is no longer offering this exam, the old editions of our books and online tools will be retired. If you purchased this book after the exam was retired or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam’s online Sybex tools will be available once the exam is no longer available.

CISA Exam Objectives

ISACA publishes relative weightings for each of the exam’s objectives. The following lists the five CISA domains and the extent to which they are represented on the exam.

% of Exam  Domain
18%        1. Information Systems Auditing Process
18%        2. Governance and Management of IT
12%        3. Information Systems Acquisition, Development and Implementation
26%        4. Information Systems Operations and Business Resilience
26%        5. Protection of Information Assets

CISA Certification Exam Objective Map

The CISA exam covers two different types of objectives: job practice areas and supporting tasks. Rather than studying these objectives in the order they appear in ISACA’s list of exam objectives, we recommend that you learn them in the order they are presented in this book. In our experience preparing students for certification exams, we’ve found that approaching these topics in a more logical order will better prepare you for the exam.

If you’re looking for where we’ve covered a specific objective in the book, use the following two lists to find the appropriate chapter.

Chapter  Job Practice Areas

Domain 1: Information Systems Auditing Process
         Planning
2          IS Audit Standards, Guidelines, and Codes of Ethics
2          Business Processes
2          Types of Controls
2          Risk-Based Audit Planning
2          Types of Audits and Assessments
         Execution
2          Audit Project Management
2          Sampling Methodology
2          Audit Evidence Collection Techniques
2          Data Analytics
2          Reporting and Communication Techniques
2          Quality Assurance and Improvement of the Audit Process

Domain 2: Governance & Management of IT
         IT Governance
1          IT Governance and IT Strategy
1          IT-Related Frameworks
1          IT Standards, Policies, and Procedures
1          Organizational Structure
1          Enterprise Architecture
1          Enterprise Risk Management
1          Maturity Models
1          Laws, Regulations, and Industry Standards Affecting the Organization
         IT Management
1          IT Resource Management
1          IT Service Provider Acquisition and Management
1          IT Performance Monitoring and Reporting
1          Quality Assurance and Quality Management of IT

Domain 3: Information Systems Acquisition, Development & Implementation
         Information Systems Acquisition and Development
3          Project Governance and Management
3          Business Case and Feasibility Analysis
3          System Development Methodologies
3          Control Identification and Design
         Information Systems Implementation
3          Testing Methodologies
3          Configuration and Release Management
3          System Migration, Infrastructure Deployment, and Data Conversion
3          Post-implementation Review

Domain 4: Information Systems Operations & Business Resilience
         Information Systems Operations
5          Common Technology Components
5          IT Asset Management
5          Job Scheduling and Production Process Automation
5          System Interfaces
5          End-User Computing
4          Data Governance
4          Systems Performance Management
4          Problem and Incident Management
4          Change, Configuration, Release, and Patch Management
4          IT Service Level Management
4          Database Management
         Business Resilience
6          Business Impact Analysis (BIA)
6          System Resiliency
6          Data Backup, Storage, and Restoration
6          Business Continuity Plan (BCP)
6          Disaster Recovery Plan (DRP)

Domain 5: Protection of Information Assets
         Information Asset Security and Control
7          Information Asset Security Frameworks, Standards, and Guidelines
7          Privacy Principles
8          Physical Access and Environmental Controls
8          Identity and Access Management
7          Network and End-Point Security
7          Data Classification
7          Data Encryption and Encryption-Related Techniques
7          Public Key Infrastructure (PKI)
7          Web-Based Communication Techniques
7          Virtualized Environments
7          Mobile, Wireless, and Internet-of-Things (IoT) Devices
         Security Event Management
7          Security Awareness Training and Programs
7          Information System Attack Methods and Techniques
7          Security Testing Tools and Techniques
7          Security Monitoring Tools and Techniques
7          Incident Response Management
7          Evidence Collection and Forensics

Chapter  Supporting Tasks
2        Plan audit to determine whether information systems are protected, controlled and provide value to the organization.
2        Conduct audit in accordance with IS audit standards and a risk based IS audit strategy.
2        Communicate audit progress, findings, results and recommendations to stakeholders.
2        Conduct audit follow-up to evaluate whether risks have been sufficiently addressed.
1        Evaluate the IT strategy for alignment with the organization’s strategies and objectives.
1        Evaluate the effectiveness of IT governance structure and IT organizational structure.
1        Evaluate the organization’s management of IT policies and practices.
1        Evaluate the organization’s IT policies and practices for compliance with regulatory and legal requirements.
3        Evaluate IT resource and portfolio management for alignment with the organization’s strategies and objectives.
1        Evaluate the organization’s risk management policies and practices.
7        Evaluate IT management and monitoring of controls.
4        Evaluate the monitoring and reporting of IT key performance indicators (KPIs).
6        Evaluate the organization’s ability to continue business operations.
4        Evaluate whether the business case for proposed changes to information systems meets business objectives.
1        Evaluate whether IT supplier selection and contract management processes align with business requirements.
3        Evaluate the organization’s project management policies and practices.
3        Evaluate controls at all stages of the information systems development lifecycle.
3        Evaluate the readiness of information systems for implementation and migration into production.
3        Conduct post-implementation review of systems to determine whether project deliverables, controls and requirements are met.
4        Evaluate whether IT service management practices align with business requirements.
5        Conduct periodic review of information systems and enterprise architecture.
1        Evaluate IT operations to determine whether they are controlled effectively and continue to support the organization’s objectives.
5        Evaluate IT maintenance practices to determine whether they are controlled effectively and continue to support the organization’s objectives.
4        Evaluate database management practices.
4        Evaluate data governance policies and practices.
4        Evaluate problem and incident management policies and practices.
4        Evaluate change, configuration, release and patch management policies and practices.
5        Evaluate end-user computing to determine whether the processes are effectively controlled.
7        Evaluate the organization’s information security and privacy policies and practices.
8        Evaluate physical and environmental controls to determine whether information assets are adequately safeguarded.
8        Evaluate logical security controls to verify the confidentiality, integrity and availability of information.
5        Evaluate data classification practices for alignment with the organization’s policies and applicable external requirements.
5        Evaluate policies and practices related to asset lifecycle management.
7        Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives.
7        Perform technical security testing to identify potential threats and vulnerabilities.
2        Utilize data analytics tools to streamline audit processes.
1        Provide consulting services and guidance to the organization in order to improve the quality and control of information systems.
4        Identify opportunities for process improvement in the organization’s IT policies and practices.
2        Evaluate potential opportunities and threats associated with emerging technologies, regulations and industry practices.

How to Contact the Publisher

If you believe you have found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.

To submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”

Assessment Test

Seth’s organization recently experienced a security incident where an attacker was able to place offensive content on the home page of his organization’s website. Seth would like to implement a series of security controls to prevent this type of attack from occurring in the future. What goal of information security is Seth most directly addressing?

Integrity

Availability

Nonrepudiation

Confidentiality

Domer Delectables is a U.S. publicly traded company. They are currently undertaking a significant IT project that will redesign their access control systems. What is the best role for Internal Audit in this project?

Develop procedures

Design controls

Provide feedback on control design

Implement controls

Jen is building a series of controls for her organization’s information security program and is categorizing those controls by type. She is updating the organization’s firewall to include next-generation capabilities. What type of control is she working on?

Detective

Preventive

Compensating

Deterrent

Belinda recently assumed the CISO role at a publicly traded company. She is sorting through the corporate governance model and identifying the roles that different people and groups play in the organization. Which one of the following roles has ultimate authority for the corporation?

CEO

CIO

Board

Board chair

Brandon leads the information security team for a large organization and is working with the software development team to provide them with application security testing services. He would like to document roles and responsibilities of the two teams in a written agreement with the leader of the development team. What type of agreement would be most appropriate?

MOU

SLA

BPA

MSA

Monica is conducting a quantitative risk assessment of the risk that a fire poses to her organization’s primary operating facility. She believes that a serious fire would destroy 50 percent of the facility, causing $10 million in damage. She expects that a fire of this nature would only occur once every 50 years, on average. What is the AV in this scenario?

$200,000

$5 million

$10 million

$20 million

After assessing the risk of fire, Monica decides to install new sprinkler systems throughout the facility to reduce the likelihood of a serious fire. What type of risk treatment action is she taking?

Risk avoidance

Risk acceptance

Risk transference

Risk mitigation

Kevin is conducting a SWOT analysis for his organization’s IT program. He is especially proud of the talented and diverse team that exists within his organization. Where would he place this quality on the SWOT matrix?

Upper-left quadrant

Upper-right quadrant

Lower-left quadrant

Lower-right quadrant

Peihua is reviewing the organizing documents for an organization’s IT program as she prepares for an audit. She comes across a document that outlines the parameters under which the organization will function. What type of document is she reviewing?

Charter

Scope statement

Business purpose statement

Statement of authority

Fred is helping his boss develop a set of metrics for the organization’s security program. After consulting the ITIL framework used by his organization, he decides to track the number of major security incidents that occur each year. What type of metric is this?

KGI

KPI

KSI

KRI

Roberta is tasked with detecting whether fraud is occurring in sales commission processing. She selects records looking for cases of fraud. What type of sampling is she using?

Statistical sampling

Stratified sampling

Attribute sampling

Discovery sampling

Michael is leading a software development project and is currently in the testing phase. He has completed the unit testing for various modules and is about to proceed with system testing. Which statement best describes the primary focus of system testing in this context?

System testing is primarily concerned with verifying the individual functions of the application as specified in the functional requirements.

System testing focuses on verifying that different modules or components work together correctly and includes testing interfaces and data migration.

System testing is an informal testing phase where developers manually check the code for errors before deployment.

System testing involves end users performing tests to ensure the application meets their needs and requirements.

What is a primary advantage of using prototyping as a software development methodology?

It ensures that all functional requirements are addressed, even those unknown to users.

It reduces the risk of the application being developed incorrectly by involving users continuously.

It allows the prototype to be used in production environments without further development.

It eliminates the need for formal documentation and user feedback.

Cindy is concerned that users in her organization might take sensitive data and email it to their personal email accounts for access after they leave the organization. Which one of the following security technologies would best protect against this risk?

Firewall

IPS

DLP

Configuration management

Andrea is placing a new server onto her organization’s network. The server is a web server that will be accessible only by internal employees. What network zone would be the most appropriate location for this server?

Internet

Intranet

Extranet

DMZ

Tech Solutions is a growing software development company. Recently, they have implemented a companywide documented software development process that all teams are required to follow. This process includes detailed guidelines for each stage of development, and the teams consistently use this process for all projects. However, the company has not yet started measuring the effectiveness or efficiency of the process, nor are there any formal metrics in place to monitor defects.

Based on the SEI CMM, at which level of maturity is Tech Solutions currently operating?

Repeatable

Defined

Managed

Optimizing

Jen is conducting a financial audit of a large multinational corporation. In reviewing payroll transactions, she notes that a team of five employees was accidentally underpaid by 10 percent on their overtime hours for the past year. What statement best describes the impact of this discovery on the audit?

This is a legal violation and must be immediately reported to governmental authorities.

This error may cause a significant impact on the financial statements and should be reported as an audit finding.

This issue indicates potential fraud and should be investigated further to determine if there are broader implications.

This finding is immaterial.

Norma is evaluating the security of a web-based system. She determines that the system verifies that dates fall within a logical range before accepting them as input to the system. What term best describes this technique?

Input authorization

Input validation

Logical redundancy

Error handling

Wally is assessing the controls used to protect his organization against the risk of data loss. Which one of the following controls would be the best defense against the accidental deletion of data by an authorized user?

RAID 1

RAID 5

Backups

Access controls