CISA Certification Experience Class


(More information and details on how to enrol)


CISA Boot Camp Course Outline

CISA (Certified Information Systems Auditor) is a globally recognized certification in the field of audit, control and security of information systems. CISA has gained worldwide acceptance because its certification criteria are uniform. The certification has a high degree of visibility and recognition in the fields of IT security, IT audit, IT risk management and governance, and job vacancies in these fields often require a CISA certification. CISA is awarded by ISACA (Information Systems Audit and Control Association), United States.

The CISA Boot Camp provides candidates with the opportunity to study with an experienced, accredited professional. This boot camp is designed to cover the required knowledge and skills of the five domains of the CISA exam. Courses include instructor-led training, case studies and practice questions. Courses last for 10 weeks, 4 hours per week. Candidates will gain a better understanding of IS audit and assurance guidelines, standards and best practices for IS audit and control, governance of enterprise IT, the information systems life cycle and protection of information assets.

ISACA recently released the 26th Edition of the CISA Review Manual to recognize and map to the new task/knowledge statements that came about as a result of ISACA's job practice analysis. This analysis has been reflected in the exams from June 2016. While the domains remain the same, the emphasis placed on each of them has changed. The job practice domains and task and knowledge statements are as follows:

Domain 1—The Process of Auditing Information Systems (21%)

Domain 2—Governance and Management of IT (16%)

Domain 3—Information Systems Acquisition, Development and Implementation (18%)

Domain 4—Information Systems Operations, Maintenance and Service Management (20%)

Domain 5—Protection of Information Assets (25%)


Course Outline for Domain 1: The Process of Auditing Information Systems

The first domain covers how IT auditors provide services in accordance with IT audit standards, in order to assist the organization in protecting and controlling information systems. The tasks include developing and implementing a risk-based IT audit strategy, planning and conducting the audit, and reporting findings. Candidates are expected to know the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards.

· Various types of audits (e.g., internal, external, financial)

· Risk-based audit planning and audit project management

· Risk assessment concepts, tools and techniques

· Fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable)

· Applicable laws and regulations that affect IT audits

· Evidence collection techniques

· Different sampling methodologies and other substantive/data analytical procedures

· Reporting and communication techniques

· IT Audit and Assurance Standards, Guidelines and Techniques

· Code of Professional Ethics

· Case Studies for Domain 1:

  - Annual audit planning for a financial services group

  - Planning an SOX attestation for a US-listed manufacturer

Course Outline for Domain 2: Governance and Management of IT

The second domain covers how IT auditors provide assurance that necessary organization structure and processes are in place. For example, they need to evaluate the effectiveness of the IT governance structure, organizational structure, HR management, and policies and standards, in order to determine whether they support the organization’s strategies and objectives.

· The purpose and processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures

· IT governance, management, security and control frameworks

· Organizational structure, roles and responsibilities related to IT

· The organization's technology direction and IT architecture

· IT resource investment and allocation practices

· IT supplier selection, contract management, relationship management and performance monitoring processes

· Enterprise risk management (ERM)

· Quality management and quality assurance (QA) systems

· Practices for monitoring and reporting of IT performance

· Business impact analysis (BIA) and business continuity plan (BCP)

· Case Studies for Domain 2:

  - Risks and controls for an information security governance audit (banking)

Domain 3: Information Systems Acquisition, Development and Implementation

The third domain covers how IT auditors provide assurance that the practices for the acquisition, development, testing, and implementation of IS meet the organization’s strategies and objectives. Tasks include evaluating proposed investments in IS acquisition, development, maintenance and subsequent retirement, evaluating project management practices and controls and conducting reviews.

· Benefits realization practices (e.g., business cases, TCO)

· IT acquisition and vendor management practices

· Project governance mechanisms and project management control frameworks, practices and tools

· Requirements analysis and management practices

· Enterprise architecture (EA) related to data, applications and technology

· System development methodologies and tools

· Testing methodologies and practices related to the information system development life cycle (SDLC)

· System migration and infrastructure deployment practices and data conversion

· Post-implementation review

· Case Studies for Domain 3:

  - Audit of an SAP implementation project for a retail company

  - Audit of an Agile SAP implementation (retail)

Domain 4: Information Systems Operations, Maintenance and Support

The fourth domain covers how IT auditors provide assurance that the processes for information systems operations, maintenance and support meet the organization's strategies and objectives. Specifically, this includes conducting periodic reviews of IS and evaluating service level management practices, operations and end-user procedures, and the process of information systems maintenance.

· Knowledge of the fundamental technology (e.g., hardware and network components, system software, middleware, database management systems)

· IT Operations

a. Job scheduling and batch management

b. The integrity of system interfaces

c. Systems performance monitoring

d. Data backup, storage, maintenance and restoration

e. System resiliency tools and techniques

f. Database management and optimization practices

g. Disaster recovery plans (DRPs)

· Services Management

a. Service management frameworks and practices

b. Problem and incident management

c. Techniques for monitoring third-party performance

d. Capacity planning and related monitoring tools and techniques

e. Change management

f. Configuration management

g. Release management

· IT asset management, software licensing and inventory practices

· Data quality and life cycle management

· Case Studies for Domain 4:

  - Audit of incident and problem management processes

  - Audit of general IT operation controls – Big 4 approach

Domain 5: Protection of Information Assets

The last domain covers how IT auditors provide assurance that the organization’s security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets. This includes evaluating the information security policies, standards and procedures; the design, implementation and monitoring of various controls, such as system and logical security controls, data classification processes, and physical access and environmental controls.

· Practices and applicable external requirements (e.g., laws, regulations) related to the protection of information assets

· Data classification standards related to the protection of information assets

· Techniques for the design, implementation, maintenance, monitoring and reporting of security controls

· Physical and environmental controls and supporting practices

· Physical access controls

· Logical access controls

· Security controls related to hardware, applications, operating systems, databases and networks

· Encryption-related techniques

· Information system attack methods, and prevention and detection of attacks

· Processes related to monitoring and responding to security incidents

· Case Studies for Domain 5:

  - Testing of security controls for a retail company

  - Testing of general access controls – Big 4 approach

Trainer Bio

Changming Li has 10 years of experience in IT auditing, information security and technology risk management. He is currently IT Audit Manager at a leading Canada-based financial services group. Prior to joining the group, he worked for Loblaw and Saint-Gobain as Senior Internal Auditor. Changming started his career at Deloitte, where he led teams providing SOX compliance, information security consulting and other audit services to world-leading companies such as General Motors and Dow Chemical. He holds the CISA, CISSP, CIA, CISM, FRM and PMP certifications, and has a Master's degree and a Bachelor's degree from Tongji University.
