Thursday, February 14, 2013

My personal view of the CISA examination (Certified Information System Auditor)

CISA stands for Certified Information System Auditor. As its name suggests, it is for Information System Auditors, also called IS Auditors (or IT Auditors). This certificate covers all types of IS audit, such as security audit, compliance audit, system operation audit, system process audit, etc. CISA does not focus on any one of them, but on IS audit in general.



CISA is awarded by ISACA to a candidate who meets the following requirements:



  1. Successful completion of the CISA examination
  2. Submit an Application for CISA Certification
  3. Adherence to the Code of Professional Ethics
  4. Adherence to the Continuing Professional Education Program
  5. Compliance with the Information Systems Auditing Standards

CISA's examination topics are the following domains:

  1. IS Audit Process – 10%
  2. IT Governance – 15%
  3. Systems and Infrastructure Lifecycle Management – 16%
  4. IT Service Delivery and Support – 14%
  5. Protection of Information Assets – 31%
  6. Business Continuity and Disaster Recovery – 14%

(Note: to become a certified CISA, besides passing the exam, working experience in appropriate fields is required; please refer to http://www.isaca.org/cisa)

The following is my overall view of the CISA knowledge domains:
  • The first domain - IS audit process: this domain focuses on the auditor's ethics, approach and behaviour. This domain is specific to CISA.
  • The fifth domain - 31% of security. Since 31% of the questions in the CISA exam are security questions, some Information Security personnel and employers consider CISA to be one of the certifications proving an employee's security knowledge and experience. Of course, CISA is one of the security certifications, but not the best one.
  • From the second to the sixth domain - these combine almost all IT activities within an IT organisation, so when you study for and acquire CISA, you obtain knowledge of the overall management of an IT organisation.
As you have seen, IS Audit Process is only 10% of the CISA exam and the other domains are IT processes and governance. So CISA actually requires the candidate to have knowledge of IT security and IT management in practice. When a candidate achieves CISA, his/her knowledge and experience are certified not only in IS Audit but also in IT management and governance.

Note: if you are interested in this certification, please refer to the ISACA webpage http://www.isaca.org/CISA for detailed information regarding the certification's benefits, examination timing, fee and location, requirements for the candidate's experience, etc.

---------------------
@Written by Mr. Quan, Chan Dieu - CISA, CGEIT, C|CISO, CCNP
This article reflects his personal view and does not represent any organisation or company that he has been working for.

Reference: http://www.isaca.org/CISA

[If you re-post or copy this article to another blog, please keep the author name of the article in your post]
[If you copy this article to an online or printed journal, please obtain the agreement of the author]
[If you copy the idea or extract a section from this article to your online or paper article, please keep author name and this web URL in your references section]
