General Information:

CISA is the globally recognized gold standard for IS audit, control, and assurance, in demand and valued by leading global brands. It’s often a mandatory qualification for employment as an IT auditor. CISA holders have validated the ability to apply a risk-based approach to planning, executing, and reporting on audit engagements. 

There are 150 Questions on the exam, which must be completed in 4 hours. It is available online via remote proctoring and at in-person testing centers.

The CISA certification is intended for:

Early to mid-career professionals seeking recognition and enhanced credibility in interactions with internal and external stakeholders, regulators, and customers. Job roles include: 

• IT Audit Directors/Managers/Consultants
• IT and Internal Auditors
• Compliance/Risk/Privacy Directors
• IT Directors/Managers/Consultants

CPE Overview:

To maintain your CISA, you must earn and report a minimum of 120 CPE hours every 3-year reporting cycle and at least 20 hours annually. CISA awards up to 1 hour of CPE for every 1 hour of instructor-led training. The online review course earns 28 CPEs, and Virtual Instructor-Led Training (VILT) earns 14 CPEs.

Course Duration:

Online Course: Approximately 22 hours

In-person training or VILT: 2-4 days

Course Topics:

Domain 1: Information Systems Auditing Process

Planning

• IS Audit Standards, Guidelines, and Codes of Ethics
• Business Proces Types of Controls
• Risk-based Audit Planning
• Types of Audits and Assessments

Execution

• Audit Project Management
• Sampling Methodology
• Audit Evidence Collection Techniques
• Data Analytics
• Reporting and Communication Techniques
• Quality Assurance and Improvement of the Audit Process

Domain 2: Governance and Management of IT

IT Governance and IT Strategy

• IT-related Frameworks
• IT Standards, Policies, and Procedures
• Organizational Structure
• Enterprise Architecture
• Enterprise Risk Management
• Maturity Models
• Laws, Regulations, and Industry Standards Affecting the Organization

IT Management

• IT Resource Management
• IT Service Provider Acquisition and Management
• IT Performance Monitoring and Reporting
• Quality Assurance and Quality Management of IT

Domain 3: Information Systems Acquisition, Development, and Implementation

Information Systems Acquisition and Development

• Project Governance and Management
• Business Case and Feasibility Analysis
• System Development Methodologies
• Control Identification and Design

Information Systems Implementation

• Testing Methodologies
• Configuration and Release Management
• System Migration, Infrastructure Deployment, and Data Conversion
• Post-implementation Review

Domain 4: Information Systems Operations and Business Resilience

Information Systems Operations

• Common Technology Component
• IT Asset Management
• Job Scheduling and Production Process Automation
• System Interfaces
• End-user Computing
• Data Governance
• Systems Performance Management
• Problem and Incident Management
• Change, Configuration, Release, and Patch Management
• IT Service Level Management
• Database Management

Business Resilience

• Business Impact Analysis
• System Resiliency
• Data Backup, Storage, and Restoration
• Business Continuity Plan
• Disaster Recovery Plans

Domain 5: Protection of Information Assets

Information Asset Security Frameworks, Standards, and Guidelines

• Privacy Principles
• Physical Access and Environmental Controls
• Identity and Access Management
• Network and Endpoint Security
• Data Classification
• Data Encryption and Encryption-related Techniques
• Public Key Infrastructure
• Web-based Communication Technologies
• Virtualized Environments
• Mobile, Wireless and Internet-of-things Devices

Security Event Management

• Security Awareness Training and Programs
• Information System Attack Methods and Techniques
• Security Testing Tools and Techniques
• Security Monitoring Tools and Techniques
• Incident Response Management
• Evidence Collection and Forensics