Information Systems Audit and Control Association

Presentation Transcript


    1. 2007 CISA Review Course Introduction - page 1
       This presentation is for the purpose of describing the details of the CISA Review Course to those interested in preparing for the CISA examination and becoming certified.

    2. 2007 CISA Review Course Introduction - page 2 (Title Slide)

    3. 2007 CISA Review Course Introduction - page 3 ISACA Facts
       • Founded in 1969, as the EDP Auditors Association
       • More than 53,000 members in over 140 countries
       • More than 170 chapters in over 60 countries worldwide
       ISACA’s membership—more than 53,000 strong worldwide—is characterized by its diversity. Members live and work in more than 140 countries and cover a variety of professional IT-related positions—to name just a few, IS auditor, consultant, educator, IS security professional, regulator, chief information officer and internal auditor. Some are new to the field, others are at middle management levels and still others are in the most senior ranks. They work in nearly all industry categories, including financial and banking, public accounting, government and the public sector, utilities and manufacturing. This diversity enables members to learn from each other and exchange widely divergent viewpoints on a variety of professional topics. It has long been considered one of ISACA’s strengths. Another of ISACA’s strengths is its chapter network. ISACA has more than 170 chapters established in over 60 countries worldwide, and those chapters provide members education, resource sharing, advocacy, professional networking and a host of other benefits on a local level. In the three decades since its inception, ISACA has become a pace-setting global organization for information governance, control, security and audit professionals. Together, ISACA and its affiliated IT Governance Institute lead the information technology control community and serve its practitioners by providing the elements needed by IT professionals in an ever-changing worldwide environment.

    4. 2007 CISA Review Course Introduction - page 4 ISACA Edmonton Facts
       • Founded in 1991.
       • We have 108 members.
       • 55 CISAs ? CISMs
       • Monthly breakfast meetings.
       • Sponsor seminars.
       • 2 Day course for ACL, COBIT, and ????
       • Sponsor the yearly CISA review course.

    5. 2007 CISA Review Course Introduction - page 5 CISA Certification Details (Title Slide)

    6. 2007 CISA Review Course Introduction - page 6 Who is the CISA Certification Intended for?
       Individuals with experience providing:
       • IT audit and assurance services
       • Assurance that the organization can achieve corporate governance of IT
       • Assurance that systems and infrastructure life cycle management meets the organization’s objectives
       • Assurance that IT service management practices meet the organization’s objectives
       • Assurance that an organization’s security architecture ensures confidentiality, integrity and availability of information assets
       • Assurance that disaster recovery and business continuity plans will ensure timely resumption of IT services while minimizing the business impact
       By hiring or retaining the services of a CISA, an organization has invested in a professional who has:
       • Distinguished himself/herself from other industry professionals
       • Followed a career path allowing him/her to demonstrate IT audit, security and control knowledge and skill
       • Committed to maintaining his/her skills through ongoing professional development
       Finding or developing IT professionals who can perform critical IT tasks is not easy, especially when those professionals must have proven experience providing the services listed above. The CISA program, global in scope and recognition, is the only certification program devoted exclusively to IT audit, control and security. More than 40,000 individuals worldwide have earned the highly prized and respected CISA designation.

    7. 2007 CISA Review Course Introduction - page 7 CISA Certification Current Facts
       • More than 44,000 CISAs worldwide
       • June 2005 exam offered in 11 languages, in 220+ locations
       • June 2005, a record 17,790 individuals registered for the exam
       • December 2005, 13,174 individuals registered (as of 08 December)

    8. 2007 CISA Review Course Introduction - page 8 CISAs as our Current and Future Leaders

    9. 2007 CISA Review Course Introduction - page 9 CISA Record Growth
       Over 30,000 registered. Normal pass rate is about 50%. Edmonton has a very high pass rate.

    10. 2007 CISA Review Course Introduction - page 10 Why Become A CISA?
        Why do professionals want to become CISAs? What benefits do they receive when they are CISAs?
        • To demonstrate your willingness to improve your technical knowledge and skills
        • To demonstrate to management your commitment toward organizational excellence
        • To obtain credentials that employers seek
        • To enhance your professional image
        • To be included with other professionals who have gained worldwide recognition

    11. 2007 CISA Review Course Introduction - page 11 CISA Certification ANSI Accreditation
        The CISA certification has been awarded accreditation by ANSI.
        The American National Standards Institute (ANSI) has awarded accreditation under ISO/IEC 17024 to the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certification programs. Accreditation by ANSI signifies that ISACA’s procedures meet ANSI’s essential requirements for openness, balance, consensus and due process.

    12. 2007 CISA Review Course Introduction - page 12 A recent recognition to CISA:
        CIO Magazine and SC Magazine feature a provocative Foote Partners pay research survey (New Canaan, CT, August 17, 2005): “Pay for auditing certifications such as the Certified Information Systems Auditor (CISA) will continue to be boosted by stiff compliance requirements and independent auditor control provisions.”

    13. 2007 CISA Review Course Introduction - page 13
        • The Canadian Institute of Chartered Accountants (CICA) accredited ISACA and CISA
        • An information security law in Korea requires that highly skilled professionals, such as CISAs, perform information system audit and security services
        • The Chinese National Audit Office (CNAO) supports the CISA program
        • The US Department of Veterans Affairs reimburses exam fees for the CISA exam
        • Punjab National Bank of India (PNB) and the Central Bank of Pakistan provide incentives to CISA passers
        • The National Infocomm Competency Centre (NICC) funds exam fees for the CISA program
        CISA is recognized worldwide, by many organizations, and in many ways. For example: the Canadian Institute of Chartered Accountants (CICA) accredited ISACA as the only body whose designation (CISA) leads to recognition as a CA-designated specialist in information systems audit, control and security; an "information security law" in Korea requires nominated companies to have highly skilled professionals, such as CISAs, perform information system audit and security services; the Chinese National Audit Office (CNAO) added its support of the CISA program through translation review, promotion and training; the US Department of Veterans Affairs approved the CISA exam for reimbursement of exam fees; Punjab National Bank of India (PNB), the second largest bank in India, increased the incentives it provides to professionals who achieve the CISA designation, and the Central Bank of Pakistan provides cash awards to CISA passers; and the National Infocomm Competency Centre (NICC) accredited the CISA program, which provides access to government funding of up to 70 percent of exam fees.

    14. 2007 CISA Review Course Introduction - page 14 New CISA Job Practice – Effective in 2006
        • Content Area 1: IS Audit Process – 10%. Provide IS audit services in accordance with IS audit standards, guidelines, and best practices to assist the organization in ensuring that its information technology and business systems are protected and controlled.
        • Content Area 2: IT Governance – 15%. To provide assurance that the organization has the structure, policies, accountability, mechanisms, and monitoring practices in place to achieve the requirements of corporate governance of IT.
        • Content Area 3: Systems and Infrastructure Lifecycle – 16%. To provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance, and disposal of systems and infrastructure will meet the organization’s objectives.
        • Content Area 4: IT Service Delivery and Support – 14%. To provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization’s objectives.
        • Content Area 5: Protection of Information Assets – 31%. To provide assurance that the security architecture (policies, standards, procedures, and controls) ensures the confidentiality, integrity, and availability of information assets.
        • Content Area 6: Business Continuity and Disaster Recovery – 14%. To provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact.

    15. 2007 CISA Review Course Introduction - page 15 CISA Certification: New CISA Job Practice
        2001-2005 job practice:
        • The Audit Process (10%)
        • Management, Planning, and Organization of IS (11%)
        • Technical Infrastructure and Operational Practices (13%)
        • Protection of Information Assets (25%)
        • Disaster Recovery and Business Continuity (10%)
        • Business Application System Development, Acquisition, Implementation, and Maintenance (16%)
        • Business Process Evaluation and Risk Management (15%)
        2006-2010 job practice:
        • IS Audit Process (10%)
        • IT Governance (15%)
        • Systems and Infrastructure Lifecycle (16%)
        • IT Service Delivery and Support (14%)
        • Protection of Information Assets (31%)
        • Business Continuity and Disaster Recovery (14%)
        Beginning in 2006, the CISA examination will test the new CISA Job Practice. The Information Systems Audit and Control Association (ISACA) conducts a practice analysis study of the work of Certified Information Systems Auditors (CISAs) every five years or sooner to maintain the validity of the CISA certification program. The most recent practice analysis study was completed in January 2005 and applies to CISA exams beginning in June 2006. The primary focus of the practice analysis is on the tasks performed and the knowledge used by CISAs in contemporary practices, along with trends in practice and expertise that CISAs may need to acquire in the future. By gathering evidence of the current work practice of CISAs, ISACA is able to ensure that the CISA examination program continues to meet the high standards for the certification of professionals throughout the world. Compared with the previous CISA job practice, the new areas of study to be tested are shown in the table on this slide. The IS audit process remains the same as in the previous CISA job practice. IT governance is recognized as an area that requires more attention from IS auditors; therefore, topics related to management, planning and organization of IS become part of the IT governance content area. Also, the business process evaluation and risk management area from the previous analysis becomes part of the contents of this new area. The new systems and infrastructure life cycle management area is integrated with the previous content of the technical infrastructure and operational practices and the business application system development, acquisition, implementation and maintenance areas. The areas on protection of information assets and disaster recovery and business continuity remain as independent areas but are enhanced to cover the current practices for the IS audit profession.

    16. 2007 CISA Review Course Introduction - page 16 CISM Certification Details (Title Slide)

    17. 2007 CISA Review Course Introduction - page 17 Who is the CISM Certification Intended for?
        Individuals who design, implement and manage an enterprise’s information security program.
        • Security managers
        • Security directors
        • Security officers
        • Security consultants
        The CISM program is specifically geared toward experienced information security managers, directors, officers, consultants and those who have information security management responsibilities. CISM is designed for the large contingent of individuals who must maintain a constant view of the “big picture” by designing, implementing and managing an enterprise’s information security program.

    18. 2007 CISA Review Course Introduction - page 18 CISM Uniqueness
        What makes CISM unique?
        • Designed for information security managers exclusively
        • Criteria and exam developed from job practice analysis validated by information security managers
        • Experience requirement includes information security management
        The CISM program is designed for experienced information security managers and those who have the following information security management responsibilities:
        • Establish and maintain an information security governance framework
        • Identify and manage information security risks
        • Design, develop and manage an information security program(me)
        • Oversee and direct information security activities
        • Develop and manage a response and recovery program from disruptive and destructive information security events
        Although there are many IT security credentials, portions of which may overlap with portions of CISM, CISM is the credential specifically designed to assess the skill and knowledge of information security managers.

    19. 2007 CISA Review Course Introduction - page 19 CISM General Requirements
        Certified Information Security Manager (CISM) criteria:
        • Pass exam
        • Submit verified evidence of a minimum of five years of information security work experience
        • Adhere to ISACA Code of Professional Ethics
        • Comply with continuing education policy
        To earn the CISM designation, candidates are required to:
        • Successfully complete the CISM exam.
        • Submit evidence of a minimum of five (5) years of general information security work experience and 3 years performing information security management tasks outlined in the CISM job practice. Substitutions of the general information security experience are as follows. Two years: Certified Information Systems Auditor (CISA) in good standing; Certified Information Systems Security Professional (CISSP) in good standing; post-graduate degree in information security or a related field (for example: business administration, information systems, information assurance). One year: one full year of information systems management experience; skill-based security certifications (e.g. SANS Global Information Assurance Certification (GIAC), Microsoft Certified Systems Engineer (MCSE), CompTIA Security+). The experience substitutions will not satisfy any portion of the three-year information security management work experience requirement. Experience must have been gained within the 10-year period preceding the date of the application for certification, or within five years from the date of initially passing the exam. It is important to note that many individuals choose to take the CISM exam prior to meeting the experience requirements.
        • Adhere to ISACA’s Code of Professional Ethics.
        • Comply with a CISM Continuing Education Policy (discussed later).

    20. 2007 CISA Review Course Introduction - page 20 CISM Recognition
• The U.S. Department of Defense lists the CISM among the three approved baseline certifications for IT Assurance Managers at Levels II and III
• The U.S. Department of Veterans Affairs reimburses exam fees for the CISM exam
• Microsoft recognizes CISM as a part of its Infrastructure Security and Security Management specializations

    21. 2007 CISA Review Course Introduction - page 21 CISM Exam Growth
• Record number of exam registrants worldwide who registered for the CISM exam in 2005
• 1714 registrations in June 2005
• 1356 registered for the December 2005 administration
• 1614 registered for the June 2006 administration

    22. 2007 CISA Review Course Introduction - page 22 CISMs by Job Title

    23. 2007 CISA Review Course Introduction - page 23 CISMs as our Current and Future Leaders
A current profile of CISMs demonstrates the managerial influence and authority achieved by CISMs within their organizations:
• More than 800 serve as a chief information officer, chief executive officer or in another executive management position.
• Nearly 2,000 serve as an information security director, manager or consultant.
• More than 1,100 serve as an IT director, manager or consultant.
This strong executive and managerial presence demonstrates the importance of the credential and the quality of CISM professionals.

    24. 2007 CISA Review Course Introduction - page 24 Summary of CISM Job Practice Areas
• Information Security Governance (21%)
• Risk Management (21%)
• Information Security Program Management (21%)
• Information Security Management (24%)
• Response Management (13%)
• New CISM “Practice” Analysis to be effective in 2007
The questions on the CISM exam are selected to comply with the aforementioned job practice analysis. Because the CISM exam is experience-based, candidates should prepare for the exam by learning to apply their practical knowledge of information security management principles and practices to these areas. The percentages listed here represent the approximate percentage of questions that will appear on the exam.
• Information Security Governance (21%): Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.
• Risk Management (21%): Identify and manage information security risks to achieve business objectives.
• Information Security Program(me) Management (21%): Design, develop and manage an information security program(me) to implement the information security governance framework.
• Information Security Management (24%): Oversee and direct information security activities to execute the information security program(me).
• Response Management (13%): Develop and manage a capability to respond to and recover from disruptive and destructive information security events.
To ensure currency, a new CISM “Practice” analysis is being conducted in 2005, to be effective in 2007.

    25. 2007 CISA Review Course Introduction - page 25 Why Become A CISM?
• To demonstrate your willingness to improve your technical knowledge and skills
• To demonstrate to management your commitment toward organizational excellence
• To obtain credentials that employers seek
• To enhance your professional image
• To be included with other professionals who have gained worldwide recognition
BENEFITS OF BECOMING A CISM
Being recognized as a CISM brings with it a great number of professional and organizational benefits. Successful achievement demonstrates and attests to an individual's information systems audit, control and security expertise and indicates a desire to serve an organization with distinction. This expertise is extremely valuable given the changing nature of information technology and the need to employ certified professionals who are able to apply the most effective information systems audit, control and security practices, and who have an awareness of the unique requirements particular to information technology environments. Those who become CISMs join other recognized professionals worldwide who have earned this highly sought-after professional designation. Although certification may not be mandatory for everyone, a growing number of organizations are recommending that employees become certified. The CISM designation assures employers that their staff is able to apply state-of-the-art information security management practices and techniques and that these skills are maintained. For these reasons, many employers require the achievement of the CISM designation as a strong factor for employment and/or advanced promotion.

    26. 2007 CISA Review Course Introduction - page 26 CISA CISM Exam Details
Title Slide

    27. 2007 CISA Review Course Introduction - page 27 Types of Questions on the CISM and CISA Exams
• Each exam consists of 200 questions administered over a four-hour period
• Questions are designed to test practical knowledge and experience
• All questions are multiple choice
• Questions require the candidate to choose one best answer
• Every question or statement has four options (answer choices)
Each exam consists of 200 questions given over a four-hour period. CISM exam questions are developed with the intent of measuring and testing practical knowledge and the application of generally accepted standards. All questions are multiple choice and are designed for one best answer. Every question has a stem (question) and four options (answer choices). The candidate is asked to choose the correct or best answer from the options. The stem may be in the form of a question or incomplete statement. In some instances, a scenario or description problem may also be included. These questions normally include a description of a situation and require the candidate to answer two or more questions based on the information provided.

    28. 2007 CISA Review Course Introduction - page 28 Quality of the Exam
• Job Analysis Study: determines content
• Test Development Standards: ensures high standards for the development and review of questions
• Review Process: provides two reviews of questions by independent committees before acceptance into the pool
• Periodic Pool Cleaning: ensures that questions in the pool are up-to-date by continuously reviewing questions
• Statistical Analysis of Questions: ensures quality questions and grading by analyzing exam statistics for each language
A comprehensive process of content and question review and evaluation is used to keep the CISM exam current.
• Job Practice Analysis Study: A job practice study is conducted every five years to ensure exam relevancy.
• Test Development Standards: Specific item development standards are applied to ensure items are developed to properly measure a candidate's knowledge and their ability to distinguish best practice.
• Review Process: Each item on the exam is reviewed by a Test Enhancement Committee and the CISM Certification Board prior to being placed in the item pool and the exam.
• Periodic Pool Cleaning: A continuous review of items in the question pool is conducted to ensure that questions are always kept current. Items judged to no longer be relevant are discarded from the pool or rewritten.
• Statistical Analysis of Questions: At the conclusion of each exam, item statistics are reviewed for every exam item in each language. Any item which does not perform according to established levels is reviewed for correctness as well as translation accuracy.

    29. 2007 CISA Review Course Introduction - page 29 Administration of the CISA & CISM Exam
• Next exam dates: 09 June 2007, 08 December 2007
• More than 220 test sites worldwide – including Edmonton
The next CISM exam is offered on Saturday, 10 June 2006 and on Saturday, 9 December 2006 in locations around the world. Alternate dates are available due to religious conflicts. The administration of the exam is offered in every city where there is an ISACA chapter or a large interest in sitting for the exam. It is anticipated that the 2006 exam will be held in more than 220 test sites. Approximately 10 weeks after the test date, score reports will be mailed to candidates. A scaled score of 75 or more is required to pass. This score does NOT represent the percentage of items answered correctly.

    30. 2007 CISA Review Course Introduction - page 30 CISA & CISM Individual 2007 Registration Fees
Exam on 09 June 2007:
• On or before 14 February 2007: ISACA Member: US $360.00; Non-Member: US $480.00
• After 14 February, but on or before 11 April 2007: ISACA Member: US $410.00; Non-Member: US $530.00
Register Online: Online registration via the ISACA web site is encouraged, as candidates will save US $50.00. Non-members can join ISACA at the same time, which maximizes their savings.
PLEASE UPDATE FEES FOR BOTH DATES JUNE AND DECEMBER EXAM.
2006 Registration Fees and Payment
• On or before 8 February 2006: ISACA Member: US $340.00; Non-Member: US $460.00
• After 8 February, but on or before 30 April 2006: ISACA Member: US $390.00; Non-Member: US $510.00
Register Online: Online registration via the ISACA web site is encouraged. By doing so candidates will save US $35. Non-members will also have the ability to join ISACA at the same time, thus maximizing their savings.

    31. 2007 CISA Review Course Introduction - page 31 Passing Score on CISA or CISM Exam
• Passing mark of 75 (scaled score)
• At least five years of IS audit or IS security management experience (substitutions available)
• Adherence to Code of Professional Ethics
• Minimum 120 contact hours of continuing education every three years
CISA & CISM Certification Requirements
PLEASE REVIEW ACCURACY ACCORDING TO CERTIFICATION REQUIREMENTS.
To earn the CISM designation, candidates are required to:
• Successfully complete the CISM exam.
• Submit evidence of a minimum of five (5) years of professional information security management work experience. Substitutions and waivers of such experience may be obtained as follows: A maximum of one year of information systems, operating or programming experience or one year of information security experience can be substituted for one year of information systems security management experience. An Associate’s or Bachelor’s degree (the equivalent of 60 to 120 completed college semester credit hours) can be substituted for one or two years, respectively, of information security management experience. Each two years of experience as a full-time university instructor in a related field (e.g. computer science, accounting, information systems security) may be substituted for one year of information systems auditing, control or security experience. Experience must have been gained within the 10-year period preceding the date of the application for certification, or within five years from the date of initially passing the exam. It is important to note that many individuals choose to take the CISM exam prior to meeting the experience requirements.
• Adhere to the Information Systems Audit and Control Association’s Code of Professional Ethics.
• Comply with the CISM Continuing Education Program (discussed later).

    32. 2007 CISA Review Course Introduction - page 32 Bulletin of Information and Registration Form
• Sent to potential candidates in ISACA database each year
• Can be downloaded from ISACA web site
• Additional copies provided to ISACA chapters
A Bulletin of Information is mailed to potential candidates from ISACA’s database each October/November. Additional copies are mailed at periodic intervals and upon request. CISMs are also mailed a Bulletin of Information as part of a mentoring program. In this case, CISMs are expected to pass program brochures to prospective candidates and encourage participation. A Bulletin of Information can be downloaded from ISACA’s web site at http://www.isaca.org/cism. Additional Bulletins of Information are provided to ISACA chapters for local distribution. Candidates who require a printed brochure are encouraged to obtain one from their chapter. At that time they will also learn of preparation classes that the chapter may be offering.
The Bulletin of Information includes:
• The aforementioned CISM requirements
• A description of the exam
• Registration instructions
• Test date procedures
• Score reporting procedures
• Specific test center locations
• Registration form

    33. 2007 CISA Review Course Introduction - page 33 CISA Study Materials
Candidate’s Guide to the CISA Exam - free to each paid registrant writing the CISA
1. CISA 2007 Review Manual
2. CISA 2007 Review Database V7 web-based exam questions (includes all supplements for questions and answers)
Passing the CISA exam can be achieved through an organized plan of study. To assist individuals with the development of a successful study plan, ISACA provides several study aids and review courses to exam candidates. (Also see www.isaca.org for more details.)
Candidate's Guide to the CISA Examination is supplied to individuals upon receipt of the CISA exam registration form and payment. This guide provides a detailed outline of the process and content areas covered on the exam, a suggested list of reference materials, a glossary of acronyms commonly used on the exam and a sample copy of the answer sheet used for the exam.
The CISA Review Manual 2006 is updated extensively each year to reflect current and changing industry principles and practices. It is a comprehensive study guide that assists individuals in preparing for the CISA exam. It includes a thorough explanation of the structure and content of the examination, tips on how to develop a study plan and provides guidance and coverage of technical matter outlined in the process and content areas of the exam. Also provided are updated definitions and practical examples, as well as references to other helpful study material and a glossary of terms commonly found on the exam. In addition, review questions are provided at the end of each chapter to acquaint candidates with question structure. This manual can be used as a stand-alone document for individual study or as a guide or reference for study groups and chapters conducting local review courses.
CISA Review Questions, Answers & Explanations Manual 2006 consists of 625 multiple-choice study questions arranged in the same proportion as the NEW 2006 CISA Job Practice. Many of these items appeared in previous CISA Review Questions, Answers and Explanations manuals published in 2004 and 2005, but have been rewritten to be more representative of actual exam items and to provide further clarity or a change in practice. These questions are not actual test items, and are intended to provide the CISA candidate with an understanding of the type and structure of question that has typically appeared on the exam.
CISA Review Questions, Answers & Explanations Manual 2006 Supplement: Each year ISACA is dedicated to the creation of 100 new sample questions, answers and explanations for candidates to use in preparation for the CISA exam. The 2006 Supplement was created using a similar process for item development as is used for actual exam items.
CISA Review Questions, Answers & Explanations CD-ROM 2006 consists primarily of the same 725 questions, answers and explanations included in the CISA Review Questions, Answers & Explanations Manual 2006 and the CISA Review Questions, Answers & Explanations Manual 2006 Supplement. With this product, CISA candidates can identify strengths and weaknesses by taking random sample exams of various lengths and breaking the results down by area. Sample exams can also be chosen by area, allowing for concentrated study one area at a time, and other sort features are available, such as the omission of previously correctly answered questions. Also included are Information Systems Control Journal articles referenced in the CISA Review Manual 2006.

    34. 2007 CISA Review Course Introduction - page 34 CISM Study Materials
Candidate’s Guide to the 2007 CISM Exam - free to each paid registrant writing the CISM
1. CISM 2007 Review Manual
2. CISM 2007 Review Database V7 web-based exam questions (includes all supplements for questions and answers)
Passing the CISA exam can be achieved through an organized plan of study. To assist individuals with the development of a successful study plan, ISACA provides several study aids and review courses to exam candidates. (Also see www.isaca.org for more details.)
Candidate's Guide to the CISA Examination is supplied to individuals upon receipt of the CISA exam registration form and payment. This guide provides a detailed outline of the process and content areas covered on the exam, a suggested list of reference materials, a glossary of acronyms commonly used on the exam and a sample copy of the answer sheet used for the exam.
The CISA Review Manual 2006 is updated extensively each year to reflect current and changing industry principles and practices. It is a comprehensive study guide that assists individuals in preparing for the CISA exam. It includes a thorough explanation of the structure and content of the examination, tips on how to develop a study plan and provides guidance and coverage of technical matter outlined in the process and content areas of the exam. Also provided are updated definitions and practical examples, as well as references to other helpful study material and a glossary of terms commonly found on the exam. In addition, review questions are provided at the end of each chapter to acquaint candidates with question structure. This manual can be used as a stand-alone document for individual study or as a guide or reference for study groups and chapters conducting local review courses.
CISA Review Questions, Answers & Explanations Manual 2006 consists of 625 multiple-choice study questions arranged in the same proportion as the NEW 2006 CISA Job Practice. Many of these items appeared in previous CISA Review Questions, Answers and Explanations manuals published in 2004 and 2005, but have been rewritten to be more representative of actual exam items and to provide further clarity or a change in practice. These questions are not actual test items, and are intended to provide the CISA candidate with an understanding of the type and structure of question that has typically appeared on the exam.
CISA Review Questions, Answers & Explanations Manual 2006 Supplement: Each year ISACA is dedicated to the creation of 100 new sample questions, answers and explanations for candidates to use in preparation for the CISA exam. The 2006 Supplement was created using a similar process for item development as is used for actual exam items.
CISA Review Questions, Answers & Explanations CD-ROM 2006 consists primarily of the same 725 questions, answers and explanations included in the CISA Review Questions, Answers & Explanations Manual 2006 and the CISA Review Questions, Answers & Explanations Manual 2006 Supplement. With this product, CISA candidates can identify strengths and weaknesses by taking random sample exams of various lengths and breaking the results down by area. Sample exams can also be chosen by area, allowing for concentrated study one area at a time, and other sort features are available, such as the omission of previously correctly answered questions. Also included are Information Systems Control Journal articles referenced in the CISA Review Manual 2006.

    35. 2007 CISA Review Course Introduction - page 35 How to Develop a Study Plan
    A proper study plan consists of many steps:
        Self-appraisal
        Determination of the type of study program
        Having an adequate amount of time to prepare
        Maintaining momentum
        Readiness review
    A proper study plan consists of many steps. The first step is a self-appraisal. The candidate should perform a general review of the CISM content areas in the Candidate’s Guide to the CISM Examination to determine overall familiarity with the concepts and practices covered in the exam. The candidate also should evaluate his/her own study habits and discipline. Based on this evaluation, the candidate will have a general idea of the amount of time and energy needed to adequately prepare for the exam. The second step is a determination of the type of study program to undertake. Options range from a brush-up of the material for the experienced IS audit, control and security professional, to a more intense self-study program for the less experienced candidate, to a program of both self-study and attendance at a formal CISM review program like this one. The third step is making sure that a candidate has an adequate amount of time to prepare. Candidates should plan to set aside an appropriate number of hours each week to prepare for the exam. The fourth step is maintaining momentum. A candidate can easily lose interest in studying and encounter obstacles to study. A candidate must realize that this will normally occur and not become discouraged. The final step is performing a readiness review. The formal study program should be completed at least one week prior to the date of the exam.

    36. 2007 CISA Review Course Introduction - page 36 How to Study for the CISA or CISM Exam
        Read the Candidate’s Guide thoroughly
        Study the CISA or CISM Review Manual
        Work through the CISA or CISM Review Questions, Answers & Explanations Manual and Supplement
        Participate in an ISACA Chapter Review Course
        Read literature in areas where you need to strengthen skills
        Join or organize study groups
    Candidates preparing for the exam are encouraged to: read the Candidate’s Guide thoroughly (provided to candidates upon registration for the exam); study the CISM Review Manual; work through the CISM Review Questions, Answers & Explanations Manual, Supplement and CD; participate in an ISACA Chapter Review Course (you have taken this important step); read literature in areas of weakness; spend time studying the complement of their field (if an external auditor, study IS audit from the internal audit perspective, and vice versa); and join or organize study groups.

    37. 2007 CISA Review Course Introduction - page 37 Edmonton CISA Review Course
        Official ISACA CISA Prep course material
        5 Saturdays of study, 9:00 – 3:00
        Argyll Plaza Hotel – easy access & free parking
        Certified CISAs & CISMs as instructors to pass on their knowledge
        Starts April 21, 2007 (no course May 19th)
        Only $195.00 for ISACA members! $295 for non-members.
        Limited to the first 9 people.

    38. 2007 CISA Review Course Introduction - page 38 Edmonton CISA Review Course Comments
        “Made me open my book and study!”
        “Having John Servage to teach on how to read and answer this exam was fantastic!”
        “Course was excellent, it made me study!”
        “The best thing about the course was the experience and knowledge of the presenters.”

    39. 2007 CISA Review Course Introduction - page 39 CISA & CISM Continuing Education Policy Details
    CISM Continuing Education Policy Details

    40. 2007 CISA Review Course Introduction - page 40 Continuing Education Requirements
    Certification is granted annually to those who:
        Annually report a minimum of 20 hours of Continuing Professional Education credits (CPEs)
        Pay the annual maintenance fee
        Comply with the ISACA Code of Professional Ethics
        Report a minimum of 120 hours of continuing education for each fixed three-year period
    The Continuing Education Policy requires the attainment of continuing education hours over an annual and a three-year reporting period. CISMs and CISAs must comply with the following requirements to retain certification: attain and submit an annual minimum of twenty (20) continuing professional education hours; submit annual continuing education maintenance fees to ISACA Headquarters in full; respond and submit required documentation of continuing education activities if selected for an annual audit; comply with the ISACA Code of Professional Ethics; and attain and submit a minimum of one hundred and twenty (120) continuing education hours for each three-year reporting period. Both annual and three-year requirements begin 1 January of the year following certification. Specific activities are required and described in the CISM and CISA Continuing Education Policy.

    41. 2007 CISA Review Course Introduction - page 41 ISACA Code of Professional Ethics
    Members and ISACA certification holders shall:
        Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
        Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
        Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
        Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
    ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders. Members and ISACA certification holders shall: support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems; perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices; serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession; and maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

    42. 2007 CISA Review Course Introduction - page 42 ISACA Code of Professional Ethics (cont’d)
    Members and ISACA certification holders shall:
        Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
        Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
        Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
    ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders. Members and ISACA certification holders shall (continued): maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence; inform appropriate parties of the results of work performed, revealing all significant facts known to them; and support the professional education of stakeholders in enhancing their understanding of information systems security and control. Failure to comply with this Code of Professional Ethics can result in an investigation into a member’s and/or certification holder’s conduct and, ultimately, in disciplinary measures.

    43. 2007 CISA Review Course Introduction - page 43 ISACA and ITGI
    Web site: www.isaca.org
    For more information, candidates are encouraged to contact their local chapter. A list of chapters and contact information is available on ISACA’s web site. Candidates can contact ISACA headquarters at:
        Mail: ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL, USA 60008
        Phone: +1.847.253.1545
        Fax: +1.847.253.1443
        E-mail: info at isaca.org
        Web site: www.isaca.org
