OnlineAnywhere – On-Demand Official ISACA CISA

CISM Self-Assessment
Video Content
Interactive Content
Downloadable Workbooks and Job Aids
Case Study Activities
Practice Exam

Course Outline

Domain 1 — Information System Auditing Process

• Plan an audit to determine whether information systems are protected, controlled, and provide value to the organization.
• Conduct an audit in accordance with IS audit standards and a risk-based IS audit strategy.
• Communicate audit progress, findings, results and recommendations to stakeholders.
• Conduct audit follow-up to evaluate whether risk has been sufficiently addressed.
• Evaluate IT management and monitoring of controls.
• Utilize data analytics tools to streamline audit processes.
• Provide consulting services and guidance to the organization in order to improve the quality and control of information systems.
• Identify opportunities for process improvement in the organization’s IT policies and practices.

Domain 2 – Governance & Management of IT

• Evaluate the IT strategy for alignment with the organization’s strategies and objectives.
• Evaluate the effectiveness of IT governance structure and IT organizational structure.
• Evaluate the organization’s management of IT policies and practices.
• Evaluate the organization’s IT policies and practices for compliance with regulatory and legal requirements.
• Evaluate IT resource and portfolio management for alignment with the organization’s strategies and objectives.
• Evaluate the organization’s risk management policies and practices.
• Evaluate IT management and monitoring of controls.
• Evaluate the monitoring and reporting of IT key performance indicators (KPIs).
• Evaluate whether IT supplier selection and contract management processes align with business requirements.
• Evaluate whether IT service management practices align with business requirements.
• Conduct periodic review of information systems and enterprise architecture.
• Evaluate data governance policies and practices.
• Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives.
• Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices

Domain 3 – Information Systems Acquisition, Development, & Implementation

• Evaluate whether the business case for proposed changes to information systems meet business objectives.
• Evaluate the organization’s project management policies and practices.
• Evaluate controls at all stages of the information systems development life cycle.
• Evaluate the readiness of information systems for implementation and migration into production.
• Conduct post-implementation review of systems to determine whether project deliverables, controls and requirements are met.
• Evaluate change, configuration, release, and patch management policies and practices.

Domain 4 – Information Systems Operations and Business Resilience

• Evaluate the organization’s ability to continue business operations.
• Evaluate whether IT service management practices align with business requirements.
• Conduct periodic review of information systems and enterprise architecture.
• Evaluate IT operations to determine whether they are controlled effectively and continue to support the organization’s objectives.
• Evaluate IT maintenance practices to determine whether they are controlled effectively and continue to support the organization’s objectives.
• Evaluate database management practices.
• Evaluate data governance policies and practices.
• Evaluate problem and incident management policies and practices.
• Evaluate change, configuration, release, and patch management policies and practices.
• Evaluate end-user computing to determine whether the processes are effectively controlled.

Domain 5 – Protection of Information Assets

• Conduct audit in accordance with IS audit standards and a risk-based IS audit strategy.
• Evaluate problem and incident management policies and practices.
• Evaluate the organization’s information security and privacy policies and practices.
• Evaluate physical and environmental controls to determine whether information assets are adequately safeguarded.
• Evaluate logical security controls to verify the confidentiality, integrity, and availability of information.
• Evaluate data classification practices for alignment with the organization’s policies and applicable external requirements.
• Evaluate policies and practices related to asset life cycle management.
• Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives.
• Perform technical security testing to identify potential threats and vulnerabilities.
• Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices.