
ISACA® CISA® study guide mind map

ISACA® is a registered trademark of Information Systems Audit and Control Association. CISA®, Certified Information Systems Auditor®, CISM®, CGEIT®, Certified in the Governance of Enterprise IT/CGEIT® (and design)®, COBIT® are registered trademarks of ISACA®. CRISC™, Certified in Risk and Information Systems Control™, Certified Information Security Manager™, Risk IT™, Val IT™ are trademarks of ISACA®. Trademarks are properties of the holders, who are not affiliated with mind map author.

CISA Exam Passing Principles

The job profile of the CISA® (Certified Information Systems Auditor) was published in 1977. Ever since, innumerable individuals around the world have passed this demanding examination which has been consistently updated in line with changing requirements; the examination takes place simultaneously in 80 countries, currently in 12 languages. The successful graduates will, on the provision of meeting the requirement of professional practice / experience, obtain the coveted CISA® designation.

Covers

It covers 5 domains, 38 tasks and 79 knowledge statements (statements covering the required technical knowledge). Since the task statements are consistently referenced to the pertaining COBIT® processes, COBIT® has become an integral component of the CISA® curriculum and certification.

Designation

The CISA® certification / designation reflects a solid achievement record in the area of audit, control and security of information systems.

CISA® is the only globally recognized certification in the area of audit, control and security of information systems and, in view of the stringent and globally identical requirements, is internationally recognized. Internationally operating corporations and locally operating enterprises appreciate these merits alike.

The CISA® job profile has so far been consistently revised in 4 to 6 year intervals (the last time in 2010).

Official Recommended exam study materials

Glossary

http://www.isaca.org/Knowledge-Center/Documents/Glossary/cisa_glossary.pdf

Development Guides

ISACA® CISA® Item Development Guide, https://www.isaca.org/Certification/Write-an-Exam-Question/Documents/CISA-Item-Development-Guide.pdf

ISACA® CISA® QAE Item Development Guide, https://www.isaca.org/Certification/Write-an-Exam-Question/Documents/CISA-QAE-Item-Development-Guide.pdf

ISACA® CISA® Review Manual 2015

https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=CRM15

ISACA® CISA® Review Questions, Answers & Explanations Manual 2015 Supplement

https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=QAE15ES

ISACA® CISA® Practice Question Database

https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=XMXCA15-12M

CISA® Official website

http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Pages/default.aspx

Basic audit related definitions (from ISACA® CISA® perspective)

Audit Risk

Inherent Risk

Control Risk

Overall Audit Risk

Detection Risk

Auditing

Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

Evidence

It is a requirement that the auditor's conclusions be based on sufficient, competent evidence, judged by: independence of the provider of the evidence, qualification of the individual providing the information or evidence, objectivity of the evidence, timing of the evidence

Information Systems Auditing

Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.

Risk

Risk is the likelihood of a threat exploiting a vulnerability and the resulting impact on business mission.

Domain 1: The Process of Auditing Information Systems

Domain 1 - CISA® Exam Relevance

The content area for Domain 1 will represent ..., 14% of the CISA® examination, 62 questions

Audit Charter

Audit begins with the acceptance of an Audit Charter

Provides:, Authority for audit, Responsibility, Reporting requirements

Signed by Audit Committee / Senior Management / Steering Committee

Audit

Objectives, An audit compares (measures) actual activity against standards and policy

Specific goals of the audit, Confidentiality, Integrity, Reliability, Availability, Compliance with legal and regulatory requirements

Types
  Financial audits: relate to financial information integrity and reliability.
  Operational audits, examples: IS audits of application controls or logical security systems
  Integrated audits: combine financial and operational audit steps.
  Administrative audits: oriented to assess issues related to the efficiency of operational productivity within an organization.
  IS audits
  Specialized audits: examine areas such as services performed by third parties.
  Forensic audits: audits specifically related to a crime or serious incident; auditing specialized in discovering, disclosing and following up on frauds and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities.
    Determine: scope of incident, root cause, personnel and systems involved
    Obtain and examine evidence
    Report for further action

Elements, Audit scope, Audit objectives, Criteria, Audit procedures, Evidence, Conclusions and opinions, Reporting

Audit Planning

Involves short and long term planning (annual basis)

Based on the scope and objective of the particular assignment

Based on concerns of management or areas of higher risk, Process failures, Financial operations, Compliance requirements

New control issues.

Changes / Upgrades to technologies.

Business process / Need/ Goals.

Auditing / Evaluation Techniques.

IS auditor’s concerns:, Security (confidentiality, integrity and availability), Quality (effectiveness, efficiency), Fiduciary (compliance, reliability), Service and capacity

Audit Planning Process, Gain an understanding of the business’s mission, objectives, purpose and processes, Identify stated contents (policies, standards, guidelines, procedures, and organization structure), Evaluate risk assessment and privacy impact analysis, Perform a risk analysis, Conduct an internal control review, Set the audit scope and audit objectives, Develop the audit approach or audit strategy, Assign personnel resources to audit and address engagement logistics

Effect of Laws and Regulations on IS Audit Planning, Adequate controls, Privacy, Responsibilities, Oversight and Governance, Protection of assets, Financial Management, Correlation to financial, operational and IT audit functions

Performing the Audit

ISACA IT Audit and Assurance Tools and Techniques, Procedures developed by the ISACA Standards Board provide examples of possible processes an IS auditor might follow in an audit engagement, The IS auditor should apply their own professional judgment to the specific circumstances

ISACA IT Audit and Assurance Standards Framework, Standards, Must be followed by IS auditors, Guidelines, Provide assistance on how to implement the standards, Procedures, Provide examples for implementing the standards, S1 Audit Charter, S2 Independence, S3 Ethics and Standards, S4 Competence, S5 Planning, S6 Performance of audit work, S7 Reporting, S8 Follow-up activities, S9 Irregularities and illegal acts, S10 IT Governance, S11 Use of risk assessment in audit planning, S12 Audit materiality, S13 Using the Work of Other Experts, S14 Audit Evidence, S15 IT Controls, S16 E-commerce

Gathering Evidence
  Techniques
    Review IS organization structures
    Review IS policies and procedures
    Review IS standards
    Review IS documentation
    Interview appropriate personnel
    Observe processes and employee performance
  Computer-assisted Audit Techniques (CAAT)
    CAATs enable IS auditors to gather information independently
    CAATs include:
      Generalized audit software (GAS)
        Features: mathematical computations, stratification, statistical analysis, sequence checking
        Functions: file access, file reorganization, data selection, statistical functions, arithmetical functions
      Utility software
      Debugging and scanning software
      Test data
      Application software tracing and mapping
      Expert systems
    CAATs as a continuous online audit approach: improves audit efficiency
    IS auditors must:
      Develop audit techniques for use with advanced computerized systems
      Be involved in the design of advanced systems to support audit requirements
      Make greater use of automated tools

General approaches to audit sampling, Statistical sampling, Non-statistical sampling

Using the Services of Other Auditors and Experts, Considerations when using services of other auditors and experts:, Audit charter or contractual stipulations, Impact on overall and specific IS audit objectives, Impact on IS audit risk and professional liability, Independence and objectivity of other auditors and experts, Professional competence, qualifications and experience, Scope of work proposed to be outsourced and approach, Supervisory and audit management controls, Method of communicating the results of audit work, Compliance with legal and regulatory stipulations, Compliance with applicable professional standards

IS Audit Resource Management

Audit Program Challenges, Limited number of IS auditors, Maintenance of their technical competence, Assignment of audit staff

Plan for an Audit

1. Gather Information

2. Identify System and Components

3. Assess Risk

4. Perform Risk Analysis

5. Conduct Internal Control Review

6. Set Audit Scope and Objectives

7. Develop Auditing Strategy

8. Assign Resources

Audit Methodology

A set of documented audit procedures designed to achieve planned audit objectives.

Composed of:, Statement of scope, Statement of audit objectives, Statement of audit programs

Set up and approved by the audit management

Communicated to all audit staff

Phases of an Audit

Audit subject

Audit objective

Audit scope

Pre-audit planning

Audit procedures and steps for data gathering

Procedures for evaluating the test or review results

Procedures for communication with management

Audit report preparation

Audit Workpapers

Audit plans

Audit programs

Audit activities

Audit tests

Audit findings and incidents

Audit Procedures

Understanding of the audit area/subject

Risk assessment and general audit plan

Detailed audit planning

Preliminary review of audit area/subject

Evaluating audit area/subject

Verifying and evaluating controls

Compliance testing

Substantive testing

Reporting (communicating results)

Follow-up

Types of Tests for IS Controls

Use of audit software to survey the contents of data files

Assess the contents of operating system parameter files

Flow-charting techniques for documenting automated applications and business processes

Use of audit reports available in operation systems

Documentation review

Observation

Fraud Detection

Fraud detection is Management’s responsibility

Benefits of a well-designed internal control system, Deterring fraud at the first instance, Detecting fraud in a timely manner

Fraud detection and disclosure

Auditor’s role in fraud prevention and detection

Risk Management (based on ISACA Risk IT)

Risk Assessment
  Identify and prioritize risk
  Recommend risk-based controls
  Assessing security risks
    Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization.
    Performed periodically to address changes in the environment and in security requirements, and when significant changes occur
  Treating security risks
    Each risk identified in a risk assessment needs to be treated in a cost-effective manner according to its level of risk
    Controls should be selected to ensure that risks are reduced to an acceptable level

Risk Mitigation, Reduce risk, Accept risk, Transfer risk, Avoid risk

Ongoing assessment of risk levels and control effectiveness

Purpose of Risk Analysis, Identify threats and vulnerabilities, Helps auditor evaluate countermeasures / controls., Helps auditor decide on auditing objectives., Supports risk-based auditing decisions., Leads to implementation of internal controls.

Risk-based Auditing

Why use Risk Based Auditing?, Enables management to effectively allocate limited audit resources, Ensures that relevant information has been obtained from all levels of management, Establishes a basis for effectively managing the audit plans, Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plan

Performing an Audit Risk Assessment to identify, Business risks, Technological risks, Operational risks

Process
  1. Gather Information and Plan for the Audit: knowledge of business and industry, prior year's audit results, recent financial information, regulatory statutes, inherent risk assessments
  2. Obtain Understanding of Internal Control: control environment, control procedures, detection risk assessment, control risk assessment, equate total risk
  3. Perform Compliance Tests: identify key controls to be tested; perform tests on reliability, risk prevention, and adherence to organizational policies and procedures
  4. Perform Substantive Tests: analytical procedures, detailed tests of account balances, other substantive audit procedures
  5. Conclude the Audit: create recommendations, write audit report

General Controls

Apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.

Internal Controls

Policies, procedures, practices and organizational structures implemented to reduce risks

Objectives, Safeguarding of IT assets, Compliance to corporate policies or legal requirements, Input, Authorization, Accuracy and completeness of processing of data input/transactions, Output, Reliability of process, Backup/recovery, Efficiency and economy of operations, Change management process for IT and related systems

Classification, Preventive controls, Detective controls, Corrective controls

Areas, Internal control system, Internal accounting controls, Operational controls, Administrative controls

IS Controls vs Manual Controls, Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment.

IS Controls, Strategy and direction, General organization and management, Access to IT resources, including data and programs, Systems development methodologies and change control, Operations procedures, Systems programming and technical support functions, Quality assurance procedures, Physical access controls, Business continuity/disaster recovery planning, Networks and communications, Database administration, Protection and detective mechanisms against internal and external attacks

Audit Documentation

Planning and preparation of the audit scope and objectives

Description on the scoped audit area

Audit program

Audit steps performed and evidence gathered

Other experts used

Audit findings, conclusions and recommendations

Automated Work Papers

Risk analysis

Audit programs

Results

Test evidences

Conclusions

Reports and other complementary information

Minimum controls: Access to work papers, Audit trails, Automated features to provide and record approvals, Security and integrity controls, Backup and restoration, Encryption techniques

Evaluation of Audit Strengths and Weaknesses

Assess evidence

Evaluate overall control structure

Evaluate control procedures

Assess control strengths and weaknesses

Communicating Audit Results

Exit interview, Implementation dates for agreed recommendations, Correct facts, Realistic recommendations

Presentation techniques, Executive summary, Visual presentation

Audit report structure and contents, Introduction to the report, Audit findings presented in separate sections, The IS auditor’s overall conclusion and opinion, The IS auditor’s reservations with respect to the audit – audit limitations, Detailed audit findings and recommendations

Audit recommendations may not be accepted, Negotiation, Conflict resolution, Explanation of results, findings and best practices or legal requirements

Management Implementation of Audit Recommendations

Ensure that accepted recommendations are implemented as per schedule

Auditing is an ongoing process

Timing a follow-up

Control Self-Assessment (CSA)

Objectives, Leverage the internal audit function by shifting some control monitoring responsibilities to functional areas, Enhancement of audit responsibilities, not a replacement, Educate management about control design and monitoring, Empowerment of workers to assess the control environment

Benefits, Early detection of risks, More effective and improved internal controls, Increased employee awareness of organizational objectives, Highly motivated employees, Improved audit rating process, Reduction in control cost, Assurance provided to stakeholders and customers

Disadvantages, Could be mistaken as an audit function replacement, May be regarded as an additional workload, Failure to act on improvement suggestions could damage employee morale, Lack of motivation may limit effectiveness in the detection of weak controls

A management technique

A methodology

In practice, a series of tools

Can be implemented by various methods

Auditor Role in CSA, Internal control professionals, Assessment facilitators

Traditional vs. CSA, Traditional Approach, Assigns duties/supervises staff, Policy/rule driven, Limited employee participation, Narrow stakeholder focus, CSA Approach, Empowered/accountable employees, Continuous improvement/learning curve, Extensive employee participation and training, Broad stakeholder focus

Continuous Auditing vs Continuous Monitoring

Continuous monitoring, Provided by IS management tools, Based on automated procedures to meet fiduciary responsibilities

Continuous auditing
  Audit-driven
  Completed using automated audit procedures
  Distinctive character: short time lapse between the facts to be audited and the collection of evidence and audit reporting
  Drivers
    Better monitoring of financial issues
    Allows real-time transactions to benefit from real-time monitoring
    Prevents financial fiascoes and audit scandals
    Uses software to determine proper financial controls
  Application of continuous auditing due to: new information technology developments, increased processing capabilities, standards, artificial intelligence tools
  Advantages: instant capture of internal control problems, reduction of intrinsic audit inefficiencies
  Disadvantages: difficulty in implementation, high cost, elimination of auditors' personal judgment and evaluation

ISACA Code of Professional Ethics

The Association’s Code of Professional Ethics provides guidance for the professional and personal conduct of members of ISACA and/or holders of ISACA designations.

Domain 2: Governance and Management of IT

Domain 2 - CISA® Exam Relevance

The content area for Domain 1 will represent ..., 14% of the CISA® examination, 62 questions

Corporate Governance

Ethical corporate behaviour

Governance of IT systems and assets towards the preservation of value for all stakeholders

Resource management

Establishment of rules to manage and report on business risks

IT Governance (ITG)

Comprises the body of issues addressed in considering how IT is applied within the enterprise.

Effective enterprise governance focuses on:, Individual and group expertise, Experience in specific areas

Key element: alignment of business and IT

Two issues:, IT delivers value to the business, IT risks are managed

Best Practices for IT Governance
  Strategic Alignment: focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
  Value Delivery: is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and improving the intrinsic value of IT.
  Resource Management: is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
  Risk Management: requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
  Performance Measurement: tracks and monitors strategy implementation, project completion, resource usage, process performance and services delivery, using, for example, balanced scorecards that translate into action to achieve goals measurable beyond conventional accounting.

IS Governance (ISG)

Focused activity with specific value drivers, Integrity of information, Continuity of services, Protection of information assets

Integral part of IT Governance (ITG)

Importance of information security governance

Should be supported at the highest levels of the organization

IS Governance (ISG) broadens the scope beyond simply protecting IT systems and data to the integration and overall security of information, regardless of how it is handled, processed, transported or stored.

Protects information assets at all times, in all forms (electronic, paper, communicated), and in all locations

Reduces exposure to civil and legal liability and to regulators. Provides assurance of policy compliance.

Enhances business operations continuity by lowering risk and uncertainty.

Provides a foundation for risk management, process improvement and fast incident response procedures.

Optimizes the allocation of limited security resources as well as the procurement process.

Ensures that important decisions are made on accurate data.

Results: strategic link to business / organization objectives, overall risk management, optimized investments, management of resources, reporting on performance / results, process integration

Information Technology Monitoring and Assurance Practices for Management

IT governance implies a system where all stakeholders provide input into the decision making process:, Board, Internal customers, Finance

IS Strategy

Strategic Planning.

Steering committee role.

Primary strategic functions

Strategic Enterprise Architecture Plans, Involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments, Often involves both a current state and optimized future state representation

IT Strategy Committee, The creation of an IT strategy committee is an industry best practice, Committee should broaden its scope to include not only advice on strategy when assisting the board in its IT governance responsibilities, but also to focus on IT value, risks and performance

Techniques, Standard IT Balanced Scorecard, A process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes, Method goes beyond the traditional financial evaluation, One of the most effective means to aid the IT strategy committee and management in achieving IT and business alignment

Enterprise Architecture

The Zachman Framework

Federal Enterprise Architecture (FEA), Performance, Business, Service component, Technical, Data

Maturity and Process Improvement Models

IDEAL model

Capability Maturity Model Integration (CMMI)

Team Software Process (TSP)

Personal Software Process (PSP)

IT Investment and Allocation Practices

Financial benefits, Impact on budget and finances

Nonfinancial benefits, Impact on operations or mission performance and results

Auditing IT Governance Structure and Implementation

Indicators of potential problems include:, Unfavorable end-user attitudes, Excessive costs, Budget overruns, Late projects, High staff turnover, Inexperienced staff, Frequent hardware/software errors

Policies, Procedures, Standards

Reflect management guidance and direction in developing controls over:, Information systems, Related resources, IS department processes

Policies, High level documents, Must be clear and concise, Set tone for organization as a whole (top down), Lower-level policies - defined by individual divisions and departments, Information Security Policy, Defines information security, overall objectives and scope, Statement of management intent, Framework for setting control objectives including risk management, Defines responsibilities for information security management, Acceptable Use Policy

Procedures, Procedures are detailed documents that describe the steps a person must follow when undertaking an activity:, Define and document implementation policies, Must be derived from the parent policy, Must implement the spirit (intent) of the policy statement, Must be written in a clear and concise

Standards, Audits measure compliance with standards of:, Operational procedures, Best practices, Consistency of performance

Risk Management

IT risk management needs to operate at multiple levels including:, The strategic level, The program level, The project level, The operational level

Risk Analysis Methods, Qualitative, Semi-quantitative, Quantitative, Probability and expectancy, Single Loss Expectancy (SLE), Annual loss expectancy (ALE)

Risk Mitigation

Resource Management

Organization of the IT Function, The auditor must assess whether the IT department is correctly:, Funded, Aligned with business needs, Managed, Staffed (skills)

Human Resource Management

Hiring

Employee handbook

Promotion policies

Training

Scheduling and time reporting

Employee performance evaluations

Required vacations

Termination policies

Sourcing Practices, Sourcing practices relate to the way an organization obtains the IS function required to support the business, Organizations can perform all IS functions in-house or outsource all functions across the globe, Sourcing strategy should consider each IS function and determine which approach (insourcing or outsourcing) allows the IS function to meet the organization's goals

IS Roles and Responsibilities

Systems development manager

Project management

Service Desk (help desk)

End user

End user support manager

Data management

Quality assurance manager

Information security manager

Vendor and outsourcer management

Infrastructure operations and maintenance

Media management

Data entry

Systems administration

Security administration

Quality assurance

Database administration

Systems analyst

Security architect

Applications development and maintenance

Infrastructure development and maintenance

Network management

Segregation of Duties within IS

Avoids possibility of errors or misappropriations

Discourages fraudulent acts

Limits access to data

Controls, Control measures to enforce segregation of duties include:, Transaction authorization, Custody of assets, Access to data, Authorization forms, User authorization tables, Compensating controls for lack of segregation of duties include:, Audit trails, Reconciliation, Exception reporting, Transaction logs, Supervisory reviews, Independent reviews

Organizational Change Management

Managing changes to the organization’s:, Projects, Systems, Technology, Configurations

Identify and apply technology improvements at the infrastructure and application level

All changes must be documented, approved and tested

All changes must be performed correctly and monitored for successful execution

Changes must not degrade system security or performance

Quality Management

Software development, maintenance and implementation

Acquisition of hardware and software

Day-to-day operations

Service management

Security

Human resource management

General administration

Performance Optimization

Performance measures indicate the quality of the IT program, Measures should be set to evaluate services critical to business success

There are generally 5 ways to use performance measures:, 1. Measure products/services, 2. Manage products/services, 3. Ensure accountability, 4. Make budget decisions, 5. Optimize performance

Reviewing Documentation

IT strategies, plans and budgets

Security policy documentation

Organization/functional charts

Job descriptions

Steering committee reports

System development and program change procedures

Operations procedures

Human resource manuals

Quality assurance procedures

Reviewing Contractual Commitments

There are various phases to computer hardware, software and IS service contracts, including:, Development of contract requirements and service levels, Contract bidding process, Contract selection process, Contract acceptance, Contract maintenance, Contract compliance

Business Continuity Planning (BCP)

Business continuity planning (BCP) is a process designed to reduce the organization’s business risk

A BCP is much more than just a plan for the information systems

IS processing is of strategic importance, Critical component of overall BCP, Most key business processes depend on the availability of key systems and infrastructure components

Disasters and Other Disruptive Events, Disasters are disruptions that cause critical information resources to be inoperative for a period of time, Good BCP will take into account impacts on IS processing facilities

Process

Business Continuity Policy, Defines the extent and scope of business continuity for both internal and external stakeholders, Should be proactive

Business Continuity Planning Incident Management, All types of incidents should be categorized, Negligible, Minor, Major, Crisis

Business Continuity Plan (BCP)
  Business continuity plan must:
    Be based on the long-range IT plan
    Comply with the overall business continuity strategy
  Development of BCP (factors)
    The clear identification of the various resources required for recovery and continued operation of the organization
    Evacuation procedures
    Procedures for declaring a disaster (escalation procedures)
    Circumstances under which a disaster should be declared
    The clear identification of the responsibilities in the plan
    The clear identification of the persons responsible for each function in the plan
    The clear identification of contract information
    The step-by-step explanation of the recovery process
    Pre-disaster readiness covering incident response management to address all relevant incidents affecting business processes
  Components of BCP
    Continuity of operations plan (COOP)
    Disaster recovery plan (DRP)
    Business resumption plan
    Continuity of support plan / IT contingency plan
    Crisis communications plan
    Incident response plan
    Transportation plan
    Occupant emergency plan (OEP)
    Evacuation and emergency relocation plan
    Key decision-making personnel
    Backup of required supplies
    Insurance: IS equipment and facilities, media (software) reconstruction, extra expense, business interruption, valuable papers and records, errors and omissions, fidelity coverage, media transportation

Other Issues in Plan Development, Management and user involvement is vital to the success of BCP, Essential to the identification of critical systems, recovery times and resources, Involvement from support services, business operations and information processing support, Entire organization needs to be considered for BCP

Auditing Business Continuity, Understand and evaluate business continuity strategy, Evaluate plans for accuracy and adequacy, Verify plan effectiveness, Evaluate offsite storage, Evaluate ability of IS and user personnel to, respond effectively, Ensure plan maintenance is in place, Evaluate readability of business continuity manuals and procedures

Reviewing the Business Continuity Plan, IS auditors should verify that the plan is up to date including:, Currency of documents, Effectiveness of documents, Interview personnel for appropriateness and completeness of plan

Business Impact Analysis (BIA)

Critical step in developing the business continuity plan

3 main questions to consider during BIA phase:, 1. What are the different business processes?, 2. What are the critical information resources related to an organization’s critical business processes?, 3. What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?

What is the system’s risk ranking?, Critical, Vital, Sensitive, Non-sensitive

Business Continuity Plan

Development of Business Continuity Plans, Factors to consider:, Pre-disaster readiness covering incident response management to address all relevant incidents affecting business processes, Evacuation procedures, Procedures for declaring a disaster (escalation procedures), Circumstances under which a disaster should be declared, The clear identification of the responsibilities in the plan, The clear identification of the persons responsible for each function in the plan, The clear identification of contract information, The step-by-step explanation of the recovery process, The clear identification of the various resources required for recovery and continued operation of the organization

Components of a Business Continuity Plan, Continuity of operations plan (COOP), Disaster recovery plan (DRP), Business resumption plan, Continuity of support plan / IT contingency plan, Crisis communications plan, Incident response plan, Transportation plan, Occupant emergency plan (OEP), Evacuation and emergency relocation plan, Key decision-making personnel, Backup of required supplies, Insurance, IS equipment and facilities, Media (software) reconstruction, Extra expense, Business interruption, Valuable papers and records, Errors and omissions, Fidelity coverage, Media transportation

Domain 3: Information Systems Acquisition, Development, and Implementation

Domain 3 - CISA® Exam Relevance

The content area for Domain 3 will represent ..., 19% of the CISA® examination, 62 questions

Business case

Provides the information required for an organization to decide whether a project should proceed

Is normally derived from a feasibility study as part of project planning

Should be of sufficient detail to describe the justification for setting up and continuing a project

Portfolio/Program Management (PPM)

Objectives, Optimization of the results of the project portfolio, Prioritizing and scheduling projects, Resource coordination (internal and external), Knowledge transfer throughout the projects

Program, Programs have a limited time frame (start and end date) and organizational boundaries, Definition by ISACA:, ”A program is a group of projects and time-bound tasks that are closely linked together through common objectives, a common budget, intertwined schedules and strategies.”, Definition by AXELOS:

Portfolio, Definition by ISACA:, ”Groupings of ‘objects of interest’ (investment programmes, IT services, IT projects, other IT assets or resources) managed and monitored to optimise business value.”, Definition by AXELOS:, ”An organization’s change portfolio is the totality of its investment (or segment thereof) in the changes required to achieve its strategic objectives.”

Portfolio management, Definition by ISACA:, ”The goal of portfolio management (in relation to Val IT) is to ensure that an enterprise secures optimal value across its portfolio of IT-enabled investments.”, Definition by AXELOS:, ”A coordinated collection of strategic processes and decisions that together enable the most effective balance of organizational change and business as usual (BAU).”

Benefits Realization Techniques

Describing benefits management or benefits realization

Assigning a measure and target

Establishing a tracking/measuring regime

Documenting the assumption

Establishing key responsibilities for realization

Validating the benefits predicted in the business

Planning the benefit that is to be realized

General IT Project Aspects

IS projects may be initiated from any part of an organization

A project is always a time-bound effort

Project management should be a business process of a project-oriented organization

The complexity of project management requires a careful and explicit design of the project management process

Project Context and Environment

A project context can be divided into a time and a social context. The following must be taken into account:, Importance of the project in the organization, Connection between the organization’s strategy and the project, Relationship between the project and other projects, Connection between the project and the underlying business case

Project Organizational Forms

3 major forms of organizational alignment for project management are:, Influence project organization, Pure project organization, Matrix project organization

Project Communication

Depending on the size and complexity of the project and the affected parties, communication may be achieved by:, One-on-one meetings, Kick-off meetings, Project start workshops, A combination of the three

Project Objectives

A project needs clearly defined results that are specific, measurable, achievable, relevant and time-bound (SMART)

A commonly accepted approach to define project objectives is to begin with an object breakdown structure (OBS)

After the OBS has been compiled, a work breakdown structure (WBS) is designed

Roles and Responsibilities of Groups and Individuals

Senior management

Senior Responsible Owner (SRO)

User management

Project steering committee

Project sponsor

Systems development management

Project manager

Systems development project team

User project team

Security officer

Quality assurance

Project Management Practices

Classic project management is bound by the iron triangle:, Resources, Schedule, Scope

PRINCE2® based project management is bound by the 6 project aspects:, Benefits, Quality, Resources, Risk, Schedule, Scope

Project Planning

The various tasks that need to be performed to produce the expected business application system

The sequence or the order in which these tasks need to be performed

The duration or the time window for each task

The priority of each task

The IT resources that are available and required to perform these tasks

Budget or costing for each of these tasks

Source and means of funding

Software size estimation

Lines of source code

Function point analysis (FPA), FPA feature points, Cost budgets, Software cost estimation

Scheduling and establishing the time frame

Critical path methodology/method (CPM), Time box management, PERT, Gantt Chart

Project Controlling

Includes management of:, Scope, Resource usage, Risk, Review & evaluate, Assess, Mitigate, Discover, Inventory

Project Risk

The CISA® must review the project for risks that the project will not deliver the expected benefits:, Scope creep, Lack of skilled resources, Inadequate requirements definition, Inadequate testing, Push to production without sufficient allotted time

Closing a Project

When closing a project, there may still be some issues that need to be resolved, ownership of which needs to be assigned

The project sponsor should be satisfied that the system produced is acceptable and ready for delivery

Custody of contracts may need to be assigned, and documentation archived or passed on to those who will need it

Systems Development Models (SDLC)

Business Application Development, The implementation process for business applications, commonly referred to as an SDLC, begins when an individual application is initiated as a result of one or more of the following situations:, A new opportunity that relates to a new or existing business process, A problem that relates to an existing business process, A new opportunity that will enable the organization to take advantage of technology, A problem with the current technology

Traditional SDLC Approach, Also referred to as the waterfall technique, this life cycle approach is the oldest and most widely used for developing business applications, Based on a systematic, sequential approach to software development that begins with a feasibility study and progresses through requirements definition, design, development, implementation and post-implementation, Some of the issues encountered with this approach include:, Unanticipated events, Difficulty in obtaining an explicit set of requirements from the user, Managing requirements and convincing the user about the undue or unwarranted requirements in the system functionality, The necessity of user patience, A changing business environment that alters or changes the user’s requirements before they are delivered, Classic Waterfall: DoD-STD-2167A, Modified Waterfall: MIL-STD-498, V-model (may be considered an extension of the waterfall), Boehm’s Spiral Model

Alternative Development Methods, Incremental, Iterative, Adaptive, Evolutionary, Agile (incremental + iterative + adaptive), The Agile Mindset, Values and Principles, 4 Agile Values, 1. Individuals and interactions over processes and tools, 2. Working software over comprehensive documentation, 3. Customer collaboration over contract negotiation, 4. Responding to change over following a plan, 12 Agile Principles, 1. Our highest priority is to satisfy the customer through early and continuous delivery of valuable software., 2. Welcome changing requirements, even late in development. Agile processes harness change for the customer's competitive advantage., 3. Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale., 4. Business people and developers must work together daily throughout the project., 5. Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done., 6. The most efficient and effective method of conveying information to and within a development team is face-to-face conversation., 7. Working software is the primary measure of progress., 8. Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely., 9. Continuous attention to technical excellence and good design enhances agility., 10. Simplicity - the art of maximizing the amount of work not done - is essential., 11. The best architectures, requirements, and designs emerge from self-organizing teams., 12. At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly., The unlimited number of Agile Practices, The 'forest' of Agile Methods, Frameworks, Standards ..., see Agile World mind map, Being Agile vs Doing Agile, Agile is an umbrella term enclosing different methodologies, tools, techniques, practices and frameworks, In the Agile community the umbrella symbolizes different approaches to implementing the Agile Manifesto, yet all of them are "Agile-ish", SCRUM, Lean, KANBAN, XP are not ‘Agile Project Management’ practices but rather team-level practices, No Project Manager role, No project definition and established project / programme governance, ..., see Agile World mind map, Plan-Driven Projects vs. Change-Driven Projects, Traditional (waterfall or sequential) Project Management metaphor, Railway metaphor, Moving forward, based on delivering predicted upfront requirements within accepted tolerances, with limited tolerance for change, the destination (final product specification) is known upfront and will hardly change to any other destination, Big Design Up Front (BDUF), We expect the customer to know everything, and precisely what he wants (and needs), at the very beginning of the project lifecycle, Which is very often not possible, “People don’t know what they want until you show it to them” (Steve Jobs, 1955 - 2011), Changing the course of the train based on requirements, Change is under strict control, change management process / procedure, a.k.a. Plan-driven, built around the paradigm of process, defined process control model, All work is understood before execution, Given a well-defined set of inputs, the same outputs are generated every time, Follow the pre-determined steps to get known results, Agile (iterative + incremental + adaptive) Project Management metaphor, Sailing metaphor, Embracing change of requirements, finding TRUE value for stakeholders by experimenting, testing, changing the status quo., Enough Design Up Front (EDUF), Customers often do not know what they want, and through changes in the project we will better understand customer needs and deliver a valuable solution, Adapting / changing the course of sailing based on TRUE business needs and priorities, which could be different from the requirements, Change is natural and recommended, it is a part of our lives and of projects as well, a.k.a. Change-driven, built around the paradigm of change / adaptation, empirical (adaptive) process control model, Frequent inspection and adaptation occurs as work proceeds, Processes are accepted as imperfectly defined, Outputs are often unpredictable and unrepeatable, Agile is best for complex projects, Simple (straightforward), Everything is known and predictable, Complicated, More is known than unknown, Complex, More is unknown than known, Chaotic (unpredictable), Very little is known

Types of Specialized Business Applications

Electronic Commerce

Electronic Data Interchange (EDI)

Electronic Mail

Electronic Banking

Electronic Finance

Electronic Funds Transfer (EFT)

Automated Teller Machine (ATM)

Artificial Intelligence and Expert Systems

Business Intelligence (BI)

Decision Support System

Acquisition

Hardware Acquisition, Organization type, Requirement for data processing, Hardware requirements, System software application, Support system, Adaptability needs, Constraint, Conversion needs

Software Acquisition, Business, technical, functional, collaborative needs, Security and reliability, Cost and benefits, Obsolescence and risk, System compatibility, Resource allocation, Training and personnel requirements, Need for scalability, Impact on present infrastructure

Auditing Systems Development Acquisition, Feasibility study, Requirements definition, Software acquisition process, Design & development, Testing, Implementation and review, Post-implementation

Application Controls

Input/Origination Controls, Input authorization, Batch controls and balancing, Error reporting and handling

Processing Procedures and Controls, Data validation and editing procedures, Processing controls, Data file control procedures

Output Controls, Output controls provide assurance that the data delivered to users will be presented, formatted and delivered in a consistent and secure manner

Auditing Application Controls, Data integrity testing, Online Transaction Processing System, The ACID principle, Atomicity, Consistency, Isolation, Durability, Continuous Online audit

Domain 4: Information Systems Operations, Maintenance and Support

Domain 4 - CISA® Exam Relevance

The content area for Domain 4 will represent ..., 23% of the CISA® examination, 62 questions

Auditing System Operations and Maintenance

Information Security Management, Perform risk assessments on information assets, Perform business impact analyses (BIAs), Develop & enforce information security policy, procedures, & standards, Conduct security assessments on a regular basis, Implement a formal vulnerability management process

Information Systems Operations, IS operations are in charge of the daily support of an organization’s IS hardware and software environment, IS operations include, Management of IS operations, Infrastructure support including computer operations, Technical support / help desk, Information security management

Management of IS Operations, Operations management functions include, Resource allocation, Standards and procedures, IS operation processes monitoring

IT Service Management, Service levels are audited through review of, Exception reports, System and application logs, Operator problem reports, Operator work schedules

Support / Help Desk, Document incidents that arise from users and initiate problem resolution, Prioritize the issues and forward them to the appropriate IT personnel, and escalate to IT management, as necessary, Follow up on unresolved incidents, Close out resolved incidents, noting proper authorization to close out the incident by the user

Change Management Process, System, operations and program documentation, Job preparation, scheduling and operating instructions, System and program test, Data file conversion, System conversion

Release Management, Major releases, Minor software releases, Emergency software fixes

System and Communications Hardware

Computer Hardware Components and Architectures, Common enterprise back-end devices, Print servers, File servers, Application (program) servers, Web servers, Proxy servers, Database servers, Appliances (specialized devices), Universal Serial Bus (USB), Memory cards / flash drives, Radio Frequency Identification (RFID)

Security Risks with Portable Media, Memory Cards / Flash Drives Risks, Viruses and other malicious software, Data theft, Data and media loss, Corruption of data, Loss of confidentiality, Security Controls, Encryption, Inventory of assets, Educate security personnel, Enforce “lock desktop” policy, Use only secure devices

Capacity Management, CPU utilization (processing power), Computer storage utilization, Telecommunications, LAN & WAN bandwidth utilization, I/O channel utilization, Number of users, New technologies, New applications, Service level agreements (SLAs), Vendor performance

IS Architecture and Software, Operating systems, Software control features or parameters, Access control software, Data communications software, Data management, Database management system (DBMS), Tape and disk management system, Utility programs, Software licensing issues

Software Licensing Issues, Documented policies and procedures that guard against unauthorized use or copying of software, Listing of all standard, used and licensed application and system software, Centralizing control and automated distribution and the installation of software, Requiring that all PCs be diskless workstations and access applications from a secured LAN, Regularly scanning user PCs

Digital Rights Management (DRM), DRM removes usage control from the person in possession of digital content & puts it in the hands of a computer program, Prevents copying or modifying of data by unauthorized users

Auditing Networks

Telecommunications links for networks can be, Analog, Digital

Methods for transmitting signals over telecommunication links are, Copper, Fibre, Coaxial, Radio Frequency

Types of Networks, Personal area networks (PANs), Local area networks (LANs), Wide area networks (WANs), Metropolitan area networks (MANs), Storage area networks (SANs)

Network Services, E-mail services, Print services, Remote access services, Directory services, Network management, Dynamic Host Configuration Protocol (DHCP), DNS

Network Components, Repeaters, Hubs, Bridges, Switches, Routers

Communications Technologies, Asynchronous transfer mode, Circuit switching, Dial-up services, Digital subscriber lines, Frame Relay, Integrated services digital network (ISDN), Message switching, Multiprotocol label switching, Packet switching, Point to point - leased lines, Virtual Private Networks (VPNs), Virtual circuits, PVC, X.25

Wireless Networking, Wireless networks, Wireless wide area network (WWAN), Microwave, Optical, Wireless local area network (WLAN), 802.11, Wireless personal area network (WPAN), 802.15 Bluetooth, Wireless ad hoc networks, Wireless application protocol (WAP), Risks Associated with Wireless Communications, Interception of sensitive information, Loss or theft of devices, Misuse of devices, Loss of data contained in devices, Distraction caused by devices, Wireless user authentication, File security, Wireless encryption, Interoperability, Use of wireless subnets, Translation point

Auditing of Network Management, Applications in a networked environment, Client-server technology, Middleware, Cloud, Virtual, Software as a Service (SaaS), Service Oriented Architecture (SOA)

Business Continuity and Disaster Recovery Audits

Auditing of Business Continuity Plans

Recovery Point Objective (RPO), Based on acceptable data loss, Indicates the most current state of data that can be recovered

Recovery Time Objective (RTO), Based on acceptable downtime, Indicates the point in time at which the business plans to resume sustainable service levels after a disaster

Business Continuity Strategies, Interruption window, Service delivery objective (SDO), Maximum tolerable outages

Recovery Strategies

Recovery Alternatives, Cold sites, Mobile sites, Warm sites, Reciprocal agreements, Hot sites, Mirrored sites

Audit of Third Party Recovery Agreements, Provisions for use of third-party sites should cover:, Access, Audit, Availability, Communications, Configurations, Disaster declaration, Insurance, Preference, Priority, Reliability, Security, Speed of availability, Subscribers per site and area, Testing, Usage period, Warranties

Organization and Assignment of Responsibilities, Have recovery teams been set up to, Retrieve critical and vital data from offsite storage, Install and test systems software and applications at the systems recovery site, Acquire and install hardware at the system recovery site, Operate the system recovery site, Team Responsibilities, Rerouting communications traffic, Re-establishing the local area user / system network, Transporting users to the recovery facility, Restoring databases, software and data, Supplying necessary office goods, e.g., special forms, paper

Backup and Restoration, Offsite library controls, Security and control of offsite facilities, Media and documentation backup, Periodic backup procedures, Frequency of Rotation, Types of Media and Documentation Rotated, Backup Schemes, Method of Rotation

Domain 5: Protection of Information Assets

Domain 5 - CISA® Exam Relevance

The content area for Domain 5 will represent ..., 30% of the CISA® examination, 62 questions

Importance of IS Management

Security objectives to meet organization’s business requirements include:, Ensure compliance with laws, regulations and standards, Ensure the availability, integrity and confidentiality of information and information systems

Key Elements of IS Management

Senior management commitment and support

Policies and procedures

Organization

Security awareness and education

Monitoring and compliance

Incident handling and response

CSFs to IS Management

Strong commitment and support by the senior management on security training

Professional risk-based approach must be used systematically to identify sensitive and critical resources

Inventory and Classification of Information Assets

The inventory record of each information asset should include:, Identification of assets, Relative value of assets to the organization, Location (where the asset is located), Security / risk classification, Asset group, Owner, Designated custodian

Privacy Management Issues and the Role of IS Auditors

Privacy impact analysis or assessments should:, Pinpoint the nature of personally identifiable information (PII) associated with business processes, Document the collection, use, disclosure and destruction of personally identifiable information, Ensure that accountability for privacy issues exists, Set the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk

Compliance with privacy policy and laws, Identify and understand legal requirements regarding privacy from laws, regulations and contract agreements, Check whether personal data are correctly managed in respect to these requirements, Verify that the correct security measures are adopted, Review management’s privacy policy to ascertain that it takes into consideration the requirement of applicable privacy laws and regulations.

Social Media Risks

Inappropriate sharing of information, Organizational activity, Staffing issues, Privacy-related sensitive data

Installation of vulnerable applications

Access Controls

System Access Permission, Who has access rights and to what?, What is the level of access to be granted?, Who is responsible for determining the access rights and access levels?, What approvals are needed for access?

Mandatory Access Controls (MAC), Enforces corporate security policy, Compares sensitivity of information resources

Discretionary Access Controls (DAC), Enforces data owner-defined sharing of information resources

IAAA, Identification, Method to uniquely distinguish each entity that is accessing resources, Knowledge, e.g., Password, passphrase, Ownership / possession, e.g., Smartcard, token, key fob, Characteristic, e.g., Biometrics, Authentication, Validate, verify or prove the identity, Authorization, Rights, permissions, privileges granted to an authenticated entity, Time limited (hours of work etc.), Least privilege, Mutual exclusivity, Dual control, Separation of duties, Need to know, Access restrictions at the file level include:, Read, inquiry or copy only, Write, create, update or delete only, Execute only, A combination of the above, Accounting (Audit), Track all activity

Challenges with Identity Management

Many changes to systems and users

Many types of users – employees, customers, guests, managers, regulators

Audit concerns, Unused IDs, Misconfigured IDs, Failure to follow procedures, Group IDs

Identification and Authentication

Vulnerabilities:, Weak authentication methods, Lack of confidentiality and integrity for the stored authentication information, Lack of encryption for authentication and protection of information transmitted over a network, User’s lack of knowledge on the risks associated with sharing passwords, security tokens, etc.

Logical Access

Logical Access Exposures, Technical exposures include:, Data leakage, Wiretapping, Trojan horses / backdoors, Viruses, Worms, Logic bombs, Denial-of-service attacks, Computer shutdown, War driving, Piggybacking, Trap doors, Asynchronous attacks, Rounding down, Salami technique

Paths of Logical Access, Network connectivity, Remote access, Operator console, Online workstations or terminals

Logical Access Control Software, Prevent unauthorized access and modification to an organization’s sensitive data and use of system critical functions., General operating and/or application systems access control functions include the following:, Create or change user profiles, Assign user identification and authentication, Apply user logon limitation rules, Notification concerning proper use and access prior to initial login, Create individual accountability and auditability by logging user activities, Establish rules for access to specific information resources (e.g., system-level application resources and data), Log events, Report capabilities, Database and / or application-level access control functions include:, Create or change data files and database profiles, Verify user authorization at the application and transaction levels, Verify user authorization within the application, Verify user authorization at the field level for changes within a database, Verify subsystem authorization for the user at the file level, Log database / data communications access activities for monitoring access violations

Auditing Logical Access, When evaluating logical access controls the IS auditor should:, Identify sensitive systems and data, Document and evaluate controls over potential access, Test controls over access paths to determine whether they are functioning and effective, Evaluate the access control environment to determine if the control objectives are achieved, Evaluate the security environment to assess its adequacy

Access Control Lists (ACLs), Users who have permission to use a particular system resource, The types of access permitted

Logical Access security administration:, Centralized environment, Decentralized environment, Advantages, Security controls are monitored frequently, Security administration is onsite at the distributed location, Security issues resolved in a timely manner, Risks, Local standards might be implemented rather than those required, Levels of security management might be below what can be maintained by central administration, Unavailability of management checks and audits

Single Sign-on (SSO), Consolidating access functions for multiple systems into a single centralized administrative function, A single sign-on interfaces with:, Client-server and distributed systems, Mainframe systems, Network security including remote access mechanisms, Advantages, Elimination of multiple user IDs and passwords, May select a stronger password, It improves an administrator’s ability to centrally manage users’ accounts and authorizations, Reduces administrative overhead, Greater access consistency between systems, It reduces the time taken by users to log into multiple applications and platforms, Disadvantages, May not support legacy applications or all operating environments, The costs associated with SSO development can be significant, The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization’s information assets

Familiarization with the Organization’s IT Environment

Every layer of a system has to be reviewed for security controls including:, The network, Operating system platform, Applications software, Database, Physical and environmental security

Remote Access

Today’s organizations require remote access connectivity to their information resources for different types of users such as employees, vendors, consultants, business partners and customer representatives., Consolidated, Monitored, Policies, Appropriate access levels, Encrypted

Risks, Denial of service, Malicious third parties, Misconfigured communications software, Misconfigured devices on the corporate computing infrastructure, Host systems not secured appropriately, Physical security issues on remote users’ computers

Auditing Remote Access, Assess remote access points of entry, Test dial-up access controls, Test the logical controls, Evaluate remote access approaches for cost-effectiveness, risk and business requirements, Audit Internet points of presence:, E-mail, Marketing, Sales channel / electronic commerce, Channel of delivery for goods / services, Information gathering

Audit logging and monitoring system access

Provides management with an audit trail to monitor activities of a suspicious nature, such as a hacker attempting brute force attacks on a privileged logon ID

Record all activity for future investigation

Encryption

Symmetric vs. Asymmetric Summary

Summary of Cryptography Algorithms

Physical and Environmental Controls

Security Objectives & Controls, Administrative controls, Facility location, construction, and management, Physical security risks, threats, and countermeasures, Technical controls, Authenticating individuals and intrusion detection, Electrical issues and countermeasures, Fire prevention, detection, and suppression, Physical controls, Perimeter & Building Grounds, Building Entry Point, Box-within-a-box Floor Plan, Data Centers or Server Room Security

Physical Access Controls (non-exhaustive list), Locks, Mechanical locks, Bolting door locks, Key, Combination locks, Magnetic locks, Electronic locks, Combination lock, Proximity / RFID badge, Biometric, Entrance Protection, Turnstiles, Mantraps, Fail-safe (door unlocks on power loss; favors life safety), Fail-secure (door stays locked on power loss; favors asset protection), Closed-circuit television (CCTV), Security guards, Lighting, Electrical Power Supply, Electrostatic Discharge, HVAC, Fire Suppression Systems, Halon (ozone-depleting; production banned, found only in legacy installations), FM-200, Carbon Dioxide (lethal to people; suitable only for unoccupied areas), Dry Chemicals, Dry Pipe, Pre-action, Fire / Smoke Detection, Ionization-type smoke detector, Optical (photoelectric) smoke detector, Fixed / rate-of-rise temperature sensor

Overview of the CISA® certification

About the CISA® exam

CISA® exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards.

PBE & CBE (only pencil & eraser are allowed), PBE - Paper-based exam, CBE - Closed-book exam

4 hour exam.

200 multiple choice questions designed with one best answer.

No negative points.

Pre-requisite for exam:, none

Pre-requisite for certification:, Read CISA® Application Form, http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Apply-for-Certification/Documents/Application-form-download.pdf

Interactive Glossary

Interactive CISA® Glossary

Recommended additional study

CISA Essential Exam Notes 2014

Effective Approach and Practical Tips for CISA Exam

This freeware, non-commercial mind map (aligned with the newest version of the CISA® exam) was carefully hand crafted with passion and love for learning and constant improvement, as well as for promoting the CISA® qualification and as a learning tool for candidates wanting to gain the CISA® qualification. (Please share and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)

Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Please don't hesitate to contact me :-) Mirosław Dąbrowski, Poland/Warsaw.

http://www.miroslawdabrowski.com

http://www.linkedin.com/in/miroslawdabrowski

https://www.google.com/+MiroslawDabrowski

https://play.spotify.com/user/miroslawdabrowski/

https://twitter.com/mirodabrowski

miroslaw_dabrowski

ISO 19011:2011 (Guidelines for auditing management systems)