This is the eBook version of the print title. Note that the eBook may not provide access to the practice test software that accompanies the print book.
Learn, prepare, and practice for CISA exam success with this Cert Guide from Pearson IT Certification, a leader in IT certification learning.
- Master CISA exam topics
- Assess your knowledge with chapter-ending quizzes
- Review key concepts with exam preparation tasks
Certified Information Systems Auditor (CISA) Cert Guide is a best-of-breed exam study guide. World-renowned enterprise IT security leaders Michael Gregg and Rob Johnson share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
The book presents you with an organized test preparation routine through the use of proven series elements and techniques. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Review questions help you assess your knowledge, and a final preparation chapter guides you through tools and resources to help you craft your final study plan.
Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this study guide helps you master the concepts and techniques that will allow you to succeed on the exam the first time.
The study guide helps you master all the topics on the CISA exam, including:
- Essential information systems audit techniques, skills, and standards
- IT governance, management/control frameworks, and process optimization
- Maintaining critical services: business continuity and disaster recovery
- Acquiring information systems: build-or-buy, project management, and development methodologies
- Auditing and understanding system controls
- System maintenance and service management, including frameworks and networking infrastructure
- Asset protection via layered administrative, physical, and technical controls
- Insider and outsider asset threats: response and management
About the Authors
Michael Gregg (CISSP, SSCP, CISA, MCSE, MCT, CTT+, A+, N+, Security+, CCNA, CASP, CISM, CEH, CHFI, and GSEC) works for a Houston, Texas-based IT security consulting firm.
Michael is responsible for working with organizations to develop cost-effective and innovative technology solutions to security issues and for evaluating the security of emerging technologies. He has more than 20 years of experience in the IT field and holds two associate's degrees, a bachelor's degree, and a master's degree. In addition to co-authoring the first, second, and third editions of Security Administrator Street Smarts, Michael has written or co-authored 15 other books, including The Network Security Test Lab: A Step-by-Step Guide (Wiley, 2015); CompTIA Security+ Rapid Review (Microsoft, 2013); Certified Ethical Hacker Cert Guide (Pearson, 2017); and CISSP Exam Cram (Que, 2016).
Michael has been quoted in newspapers such as the New York Times and featured on various television and radio shows, including NPR, ABC, CBS, Fox News, CNN, and others, discussing cybersecurity and ethical hacking. He has created more than a dozen IT security training classes, and he has created and performed video instruction on many security topics, such as cybersecurity, CISSP, CASP, Security+, and others. When not consulting, teaching, or writing, Michael enjoys 1960s muscle cars and has a slot in his garage for a new project car.
Rob Johnson (CISSP, CISA, CISM, CGEIT, and CRISC) is experienced in information risk, IT audit, privacy, and security management. He has a diverse background that includes hands-on operational experience as well as providing strategic risk assessment and support to leadership and board-level audiences.
Rob currently serves as a senior vice president and technology executive with global teams and responsibilities at Bank of America. He has held various technology and executive positions throughout his career, including chief information security officer for a global insurance company, head of IT audit for a major domestic bank, chief information security officer for a large midwestern bank, chief cybersecurity architect and product owner for a major software house where he led deployments across 15 countries, and senior partner at a consulting firm.
Rob is well known across a number of industry groups. He is a published author and frequent speaker at conferences. Rob has served on a number of ISACA global committees; among other roles, he was formerly the chair of the ISACA Education Committee and a member of the ISACA Assurance Committee. In addition, Rob was one of the 12 members of the prestigious ISACA COBIT 5 Task Force, which led to the creation of the COBIT 5 global standard.
Rob holds a Bachelor of Science Degree in Interdisciplinary Studies from the University of Houston. He lives a quiet life, where he enjoys his children, watches his amazing son Donald win chess tournaments, and spends time with his wonderful wife, Lin.
Contents
- Introduction
- Chapter 1 The CISA Certification
  - Exam Intent
  - Why the CISA Certification Is So Important
  - CISA: The Gold Standard
  - Exam Requirements
  - CISA Exam Windows
  - Scheduling to Take the Exam
  - Deadline to Apply for the CISA Certification
  - ISACA Agreements
  - CISA Exam Domains
  - Question Format and Grading
  - Exam Grading
  - Exam Questions
  - Getting Exam Results and Retests
  - Maintaining CISA Certification
  - Reporting CPE Hours Earned
  - Earning CPE Hours
  - Top 10 Tips and Tricks
  - Chapter Summary
  - Define Key Terms
  - Suggested Readings and Resources
- Chapter 2 The Information Systems Audit
  - "Do I Know This Already?" Quiz
  - Foundation Topics
  - Skills and Knowledge Required to Be an IS Auditor
  - Work-Related Skills
  - Knowledge of Ethical Standards
  - ISACA Standards, Procedures, Guidelines, and Baselines
  - Knowledge of Regulatory Standards
  - Guidance Documents
  - Auditing Compliance with Regulatory Standards
  - Knowledge of Business Processes
  - Types of Audits
  - Risk Assessment Concepts
  - Risk Management
  - Auditing and the Use of Internal Controls
  - The Auditing Life Cycle
  - Audit Methodology
  - The Auditing Life Cycle Steps
  - Chain of Custody and Evidence Handling
  - Automated Work Papers
  - CAATs
  - Audit Closing
  - Report Writing
  - The Control Self-Assessment Process
  - Continuous Monitoring
  - Quality Assurance
  - The Challenges of Audits
  - Communicating Results
  - Negotiation and the Art of Handling Conflicts
  - Chapter Summary
  - Exam Preparation Tasks
  - Review All the Key Topics
  - Complete Tables from Memory
  - Define Key Terms
  - Exercises
  - 2.1 Network Inventory
  - Review Questions
  - Suggested Readings and Resources
- Chapter 3 The Role of IT Governance
  - "Do I Know This Already?" Quiz
  - Foundation Topics
  - The IT Steering Committee
  - Corporate Structure
  - IT Governance Frameworks
  - COBIT
  - ITIL
  - COBIT Versus ITIL
  - Enterprise Risk Management
  - The Risk Management Team
  - Asset Identification
  - Threat Identification
  - Quantitative Risk Assessment
  - Qualitative Risk Assessment
  - The Three Lines of Defense Model
  - Policy Development
  - Policy
  - Policy, Standards, Procedures, and Baselines
  - Auditing Policies, Standards, Procedures, and Baselines
  - Data Classification
  - Security Po…