Changes to CISA Job Practice Areas
In its press release on November 1st, 2018, the Information Systems Audit and Control Association (ISACA) announced its intention to update job practice areas of its Certified Information Systems Auditor (CISA) certification for 2019 and beyond. The new version of the exam will take effect in June 2019. However, candidates can currently acquire updated CISA material and book training courses to start preparing for the exam.
If you want to take the CISA exam with the current job practice areas on or before May 24th, 2019, the final registration deadline is May 18th, 2019. This testing window runs from February 1st, 2019 to May 24th, 2019. Afterwards, you must take the new exam.
The CISA certification concerns the security and deployment of modern IT technology and information systems. Thousands of cyberthreats are emerging every day, and security practitioners develop new strategies to prevent these threats. In addition, modern technological advancements require analysts to keep their knowledge up to date so that they can learn how these new technologies are deployed. To support this, ISACA has updated the CISA job practice areas to align them with the most recent industry trends impacting the IT audit realm.
What Are the Major Changes to CISA Job Practice Areas?
The number of domains will remain the same. However, slight changes have been made to the exam content and the weighting criteria. In addition, two subdomains have been added to each of the five job practice areas. The following table compares the 2016 CISA domains with the 2019 CISA domains.
Domains | % Weight |
---|---|
1. Current — The Process of Auditing Information Systems | 21% |
1. New — Information System Auditing Process | 21% |
2. Current — Governance and Management of IT | 16% |
2. New — Same as current | 17% |
3. Current — Information Systems Acquisition, Development and Implementation | 18% |
3. New — Same as current | 12% |
4. Current — Information Systems Operations, Maintenance and Service Management | 20% |
4. New — Information Systems Operations and Business Resilience | 23% |
5. Current — Protection of Information Assets | 25% |
5. New — Same as current | 27% |
In the new job practice areas, knowledge statements have been rewritten to suit current technologies and combined appropriately to eliminate redundancies.
The CISA 2019 job practice areas comprise 39 task statements. Of these, one was eliminated, 35 remain the same as before but were rewritten to use current terminology, and five are new to deal with changes within the IT audit profession.
What Are the Five New Tasks in CISA 2019?
ISACA updated the CISA 2019 outline with the help of the CISA Practice Analysis Task Force and the collective expertise of more than 4,000 CISA-certified professionals. The result was the addition of the five new tasks listed below:
- Since cybersecurity is a continuous phenomenon, the CISA Working Group added the evaluation of threats and opportunities related to emerging technologies, regulations and industry standards.
- Performing technical security tests is essential to identify threats and vulnerabilities.
- IT practices and policies are critical factors for organizations’ security. Therefore, organizations always identify new opportunities for process improvement in IT practices and policies.
- Streamlining audit processes will require the use of data analytics tools.
- To improve control and quality of information systems, it is essential to provide guidance and consulting services to the organization.
What Do I Need to Know About the Short Summary of New CISA Job Practice Areas?
A short but comprehensive coverage of the new CISA domains is given below.
1. Auditing Information Systems
In this domain, you will learn how CISA certification offers standardized audit services to help enterprises control and safeguard information systems. You will also learn to be mindful of the practices that help in reaching conclusions about the company’s current IT security, potential risks, and control solutions.
There are multiple subdomains here, including Planning and Execution. Planning involves risk-based audit planning, control types, business processes and information system audit standards, code of ethics and guidelines. Execution incorporates audit project management, sampling methodologies, data analytics, audit evidence collection techniques and reporting and communication techniques.
2. Governance and Management of IT
The second domain ensures that the essential processes, structures and leadership are available to accomplish the organization’s objectives and support strategies. In addition, this domain also confirms that you have obtained the necessary skills to identify important issues and provide a recommendation for supporting and protecting the governance of information and associated technology. You will learn these skills under subdomains such as IT Governance and IT Management.
3. Information Systems Acquisition, Development and Implementation
As the name of this domain implies, you are required to learn about Information Systems Acquisition, Development and Implementation in order to meet organizational objectives and strategies. Subdomains under this job practice area include Information Systems Acquisition and Development and Information Systems Implementation.
4. Information Systems Operations and Business Resilience
This domain confirms that you have the knowledge of IT asset management, system interfaces, data governance, end-user computing, system performance management, database management and change, release, configuration and patch management. Business resilience involves the understanding of Disaster Recovery Plan (DRP), Business Continuity Plan (BCP), Business Impact Analysis (BIA), System Resiliency and Data Backup, Storage and Restoration. These topics fall under the subdomains Information Systems Operations and Business Resilience.
5. Protection of Information Assets
This is the most important domain of CISA certification. Since cyberattacks are becoming more sophisticated, protecting information assets is one of the primary goals of CISA certification holders. In this critical domain, you will gain an in-depth insight into subdomains including Security Event Management (e.g., security awareness training and programs, attack methods and techniques, incident response management, and so on) and Information Asset Security and Control (e.g., privacy principles, physical and environmental controls, network and endpoint security, PKI and so on).
Will I Need to Retake the Exam When New Changes Go Into Effect?
No, you don’t need to retake the exam after the expiration of the current exam. CISA-certified professionals will gain exposure to the updated CISA exam by meeting the Continuing Professional Education (CPE) maintenance requirements. You will obtain a minimum of 20 CPE hours annually and 120 CPE hours for the three-year reporting period.
Conclusion
In this article, we reviewed the changes made to the CISA Job Practice Areas. Like the previous exam, the new CISA exam consists of five domains. However, there is a slight change in the exam content and percentage. In addition, five new tasks have been added to the new Job Practice Areas. Candidates who take the current CISA exam are not required to retake the exam. Instead, they just need to renew the exam through the ISACA CPE policy.