CISA 2016 – What’s New
ISACA just recently released the 26th Edition of the CISA Review Manual to recognize and map to the new task/knowledge statements which can about as a result of ISACA’s job practice analysis. This analysis will be reflected in the exam offered in June 2016. While the domains remain the same there is different emphasis for them.
Domain 1, The Process of Auditing Information Systems went from 14% to 21% of the exam and this domain was the one which most drastically.
Domain 2, Governance and Management of IT changed from 14% to 16%.
Domain 3, Information Systems Acquisition, Development and Implementation dropped from 19% to 18%.
Domain 4, Information Systems Operations, Maintenance and Support dropped from 23% to 20%, and
Domain 5, Protection of Information Assets has the biggest drop going from 30% to 25%.
The changes in Domain 1 centered around:
- Adding the effect of laws and regulations on IS Audit Planning
- Adding more detail to ISACA IS Audit and Assurance Standards
- Adding more detail to ISACA IS Audit and Assurance Guidelines
- Removing some of the detail regarding ITAF, as new guidance is being developed which when issued will be indexed within the framework
- Rearranging the sequence of “IS Controls” and “Performing an IS Audit” and placing more emphasis on a Risk-based approach to auditing
The changes in Domain 2 centered around:
- Adding detail in the section on Information Security Governance
- Adding detail in the section on Risk Management Process
- Adding SCADA and System Security Engineer to IT Roles and Responsibilities
- Adding Business Continuity Management Good Practices to Plan Testing
The changes in Domain 3 centered around:
- Adding System Development Project Cost Estimation to Project Planning
- Adding Project Execution to Project Management Practices
- Adding significant detail in the areas of Industrial Control Systems (ICS), Virtualization and Cloud Computing Environment
- Reducing the number of areas in e-commerce
- Updating the ISO/IEC standards references to the new 330XX series
There were a significant number of changes in Domain 4 even though the percentages dropped, new changes include:
- Adding IT Service Management Frameworks to IS Operations and expanding existing detail in this area
- Expanding the detail under IT Service Management
- Adding Patch Management to the Change Management Process
- Dropping IS Management and Media Sanitization from IS Operations
- Adding IT Asset Management
- In the Data Management area, dropping File Organization and adding Data Quality and Data Life Cycle
- Dropping Tape and Disk Management Systems, as well as, Digital Rights Management from IS Architecture and Software
- Adding Source Code Management and End-User Computing to IS Architecture and Software
- Adding Enterprise Architecture and Auditing to the section on Auditing Infrastructure and Operations
- Adding both, Disaster Recovery Testing Methods and Invoking Disaster Recovery Plans to the section on Disaster Recovery Planning
The changes in Domain 5 were equally significant with both major drops and adds:
- Areas dropped included:
- Detail under Computer Crime Issues and Exposures
- Mobile Access
- Portions of LAN Security
- Client-server Risks and Issues
- Five areas in Encryption
- Areas added included:
- Fraud Risk Factors
- Information Security Control Design with substantial detail
- Security Awareness, Training and Education under Critical Success Factors
- Network Penetration Tests in Auditing Remote Access
- Fireproof Walls, Floors and Ceilings of the Computer Room under Auditing Environmental Controls
- Sections on:
- Peer-to-peer computing
- Instant Messaging
- Social Media
- Cloud Computing
- Data Leakage with ten different areas of detail
- End-user Computing Security Risk and Controls
As the industry changes, so also does the auditing community and ISACA’s job analysis reflects these industry changes. We are moving towards Social Medial, Instant Messaging and Cloud Computing and along with this movement comes the associated risks and rewards. As auditors we must strive to keep management aware of the risks posed by all of the “new trends” in Information Technology.
I hope you have found this article interesting. The author can be contacted via this resources website.