Scribd
Upload
154 views

CISA Domain 2

This document provides an overview of the 13 areas covered in Domain 2 of the CISA exam, which focuses on governance and management of IT. It outlines the key topics for each area, including corporate governance, IT governance, information systems strategy, risk management, business continuity planning, and auditing IT governance and business continuity. Candidates are advised to familiarize themselves with various frameworks, models, and concepts referenced, and to memorize specific charts and definitions that may be tested in the exam. Thorough review of the CISA manual is recommended to understand the responsibilities, processes, and best practices involved in effectively governing and managing IT systems.

Uploaded by

Danger
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
154 views

CISA Domain 2

This document provides an overview of the 13 areas covered in Domain 2 of the CISA exam, which focuses on governance and management of IT. It outlines the key topics for each area, including corporate governance, IT governance, information systems strategy, risk management, business continuity planning, and auditing IT governance and business continuity. Candidates are advised to familiarize themselves with various frameworks, models, and concepts referenced, and to memorize specific charts and definitions that may be tested in the exam. Thorough review of the CISA manual is recommended to understand the responsibilities, processes, and best practices involved in effectively governing and managing IT systems.

Uploaded by

Danger
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

CISA – Domain 2 – Governance and Management of IT

ISACA has revamped the CISA material and this domain now contains the Business
Continuity section from the old Domain 6. There are 13 areas that you need to understand in
Domain 2.

1) Corporate Governance

• Know the definition for corporate governance


• Know what ISO 26000 is (30,000 foot view)
• Familiarize yourself with OECD 2004, OECD Principles of Corporate Governance

2) IT Governance (ITG)

• ITG is concerned with two issues; What are they and what drives them?

3) Information Technology Monitoring and Assurance Practices for Board and Senior
Management

• Who is responsible for ITG


• Name the five focus areas for ITG
• Familiarize yourself with the different IT Governance frameworks (COBIT,
ISO27001, ITIL, IBPC, ISM3, AS8015 and ISO38500)
• Know audit’s role in ITG
• Know what the responsibilities are for the IT Strategy Committee and the IT Steering
Committee (this is another one of those charts that you’ve just got to memorize)
• Another memory chart – know the relationships of Security Governance outcomes to
Management Responsibilities
• Look at the Zachman Framework and also the hierarchy of five reference models of
the Federal Enterprise Architecture (FEA)

4) Information Systems Strategy

• Understand the importance of IT strategic planning and the primary function


performed by the Steering Committee

5) Maturity and Process Improvement Models

• Know the definitions for CMMI, TSP and PSP


• The IDEAL model from SEI is getting a lot of attention from ISACA

6) IT Investment and Allocation Practices

• Go to the ISACA website and download the ValIT document and read it, enough said.
• What does IT Portfolio Management allow organizations to do that the Balanced
Scorecard doesn’t

7) Policies and Procedures

• The highest policy is the organization’s information security policy


• Other security policies might include 1)data classification, 2)acceptable use, 3) End-
user computing, and 4) Access control
• Know the different things to look for when you review the information security policy
• Procedures are required and they are “step by step instructions” <– that’s a hint!!!!!

8) Risk Management

• What are management’s options? Avoid, Mitigate, Transfer, Accept


• Know the different levels that IT Risk Management needs to operate at: Operational,
Project, and Strategic
• Understand the difference between Qualitative Analysis, Semiquantitative analysis
and Quantitative analysis
• Know how to calculate Annual Loss Expectancy (ALE)

9) IS Management Practices (Five sub areas you will need to understand)

• Human Resources Management (before, during and after)


• Sourcing Practices (Insourced, Outsourced, Hybrid as well as the concepts and
defintions for Onsite, Offsite and Offshore)
• Organizational change management – nothing gets changed without management
approval
• Financial Management Practices – you need to understand the concept of Chargeback
• Quality Management – You need to be aware of QM and ISO9000 but ISACA does
not test specifics on any ISO standard

10) IS Organizational Structure and Responsibilities

• Roles and responsibilities – there’s a chart in the CISA manual entitled Segregation of
Duties Control Matrix, this is another one of those things to MEMORIZE
• There are also some definitions specific to DBA and the QA personnel that you will
need to read about

11) Auditing IT Governance Structure and Implementation

• In this area you need to know that the first thing you do is “Gain an Understanding of
the Business” means reading the Information Security Policy
• After that, go get the organization charts, job descriptions and your Memorized
Segregation of Duties Control Matrix and see if you can find discrepancies

12) Business Continuity Planning (this is the new section which was moved from the old
Disaster Recovery and Business Continuity Planning Domain 6)

• First and foremost you have to have a Business Impact Analysis of all the business
functions, then you need some evaluation criteria to determine which ones are critical
• There are four (4) classifications for systems (Critical, Vital, Sensitive, Nonsensitive)
memorize the definitions of each of the four
• Why do you buy insurance? To transfer risk of course
• Another key element to BCP is testing and you should know the different types
included preparedness and full operational
13) Auditing Business Continuity

• Review the BCP


• Review the test results, we’re assuming they tested the BCP of course and they should
have documented “Lessons Learned” <– Another hint, ISACA likes this term

I hope this helps you understand Domain 2

You might also like