JE KIS

CERTIFIED INFORMATION SYSTEMS AUDITOR (CISA)

The qualification known as the ISACA Certified Information Systems Auditor (CISA) is internationally recognized for professionals specializing in IS audit control, assurance, and security. Achieving CISA certification demonstrates your expertise in auditing, as well as your skills and knowledge to assess vulnerabilities, report on compliance, and implement controls within an enterprise. Launched in 1978, the CISA certification is held by over 118,000 IT and accountancy professionals worldwide.

The CISA Exam Preparation course is a classroom training program that offers a comprehensive review of key job practice knowledge domains and includes exam preparation exercises to help participants pass the exam on their first attempt. Delivered in a five-day format, this course has been designed to maximize time efficiency and minimize time away from the workplace. It has proven to be significantly more effective than self-study preparations, which typically require more time and commitment.

This course is part of our ISACA Examination Preparation Programme, which is designed to provide intensive and thorough preparation for individuals aiming to pass the CISA, CISM, CGEIT, or CRISC exams.

WHAT WILL YOU LEARN?

Our unique study program includes the following components:

  • An initial assessment of CISA knowledge
  • Classroom presentations covering key topics
  • Individual and team exercises with discussion sessions
  • Final exam preparation, including practice questions

Offer auditing services aligned with IS audit standards to aid the organization in safeguarding and managing information systems. Task Statements:

  • Implement a risk-centric IS audit approach following IS audit standards to ensure the examination of critical risk domains.
  • Design specific audits to assess the protection, control, and value contribution of information systems within the organization.
  • Execute audits in compliance with IS audit standards to accomplish predetermined audit objectives.
  • Share audit findings and present recommendations to key stakeholders through meetings and audit reports, fostering change when necessary.
  • Conduct post-audit assessments to verify if management has taken appropriate actions promptly.

Assure that the requisite leadership and organizational structures and processes are established to attain objectives and support the organization’s strategy. Task Statements:

  • Assess the IT strategy, encompassing IT direction, and review the processes for formulating, endorsing, executing, and sustaining the strategy to ensure alignment with the organization’s strategies and objectives.
  • Examine the efficiency of the IT governance framework to ascertain whether IT decisions, orientations, and performance align with the organization’s strategies and objectives.
  • Scrutinize the IT organizational structure and management of human resources (personnel) to verify their compatibility with the organization’s strategies and objectives.
  • Review the organization’s IT policies, standards, and procedures, as well as the processes governing their development, approval, dissemination, implementation, and maintenance, to determine their support for the IT strategy and compliance with regulatory and legal requirements.
  • Evaluate IT resource management, encompassing investment, prioritization, allocation, and utilization, to ensure alignment with the organization’s strategies and objectives.
  • Assess IT portfolio management, including investment, prioritization, and allocation, to verify alignment with the organization’s strategies and objectives.
  • Review risk management practices to confirm that the organization identifies, assesses, monitors, reports, and manages IT-related risks.
  • Examine IT management’s oversight and monitoring of controls (e.g., continuous monitoring, quality assurance [QA]) to ensure compliance with the organization’s policies, standards, and procedures.
  • Evaluate the monitoring and reporting of IT key performance indicators (KPIs) to determine if management receives adequate and timely information.
  • Assess the organization’s business continuity plan (BCP), including the alignment of the IT disaster recovery plan (DRP) with the BCP, to determine the organization’s capability to sustain essential business operations during an IT disruption.

Ensure that the processes involved in acquiring, developing, testing, and implementing information systems align with the organization’s strategic goals and objectives. Here are the specific tasks:

  • Assess the business case for proposed investments in information systems acquisition, development, maintenance, and retirement to verify their alignment with business objectives.
  • Review the processes for selecting IT suppliers and managing contracts to ensure they meet the organization’s service level requirements and necessary controls.
  • Evaluate the project management framework and controls to ensure that business requirements are met in a cost-effective manner while effectively managing risks.
  • Conduct reviews to verify that projects are progressing according to their plans, are adequately supported by documentation, and provide timely and accurate status reports.
  • Examine controls for information systems during the requirements, acquisition, development, and testing phases to ensure compliance with the organization’s policies, standards, procedures, and relevant external requirements.
  • Assess the readiness of information systems for implementation and migration into production to confirm that project deliverables, controls, and organizational requirements are satisfied.
  • Perform post-implementation reviews of systems to verify that project deliverables, controls, and organizational requirements have been met.

Ensure that the procedures governing the operations, upkeep, and management of information systems align with the organization’s overarching strategies and goals. The following task statements outline the necessary actions:

  • Assess the IT service management framework and practices, whether developed internally or outsourced to third parties, to verify adherence to the organization’s prescribed controls and service level expectations, and to confirm alignment with strategic objectives.
  • Conduct periodic assessments of information systems to ascertain their ongoing alignment with the organization’s objectives as specified within the enterprise architecture (EA).
  • Review the effectiveness of IT operations, such as job scheduling, configuration management, capacity and performance management, to ensure they are adequately controlled and continue to serve the organization’s objectives.
  • Evaluate the management of IT maintenance activities, including patches and upgrades, to ensure they are well-regulated and continue to contribute to the organization’s objectives.
  • Assess database management practices to gauge the integrity and optimization of databases.
  • Review data quality and life cycle management processes to determine their continued alignment with strategic objectives.
  • Evaluate the effectiveness of problem and incident management practices in preventing, detecting, analyzing, reporting, and resolving issues in a timely manner to support the organization’s objectives.
  • Review change and release management practices to confirm that changes made to systems and applications are appropriately controlled and documented.
  • Assess end-user computing processes to ensure they are effectively regulated and in line with the organization’s objectives.
  • Evaluate the controls and effectiveness of IT continuity and resilience measures, including backups, restores, and disaster recovery plans (DRP), to confirm their alignment with the organization’s objectives.

Ensure that the organization’s information assets are secure, confidential, and available as required by assessing the effectiveness of its policies, standards, procedures, and controls. Task Statements:

  • Assess the completeness, alignment with industry best practices, and compliance with external requirements of information security and privacy policies, standards, and procedures.
  • Evaluate the adequacy of physical and environmental controls in place for safeguarding information assets, including their design, implementation, maintenance, monitoring, and reporting.
  • Verify the confidentiality, integrity, and availability of information by assessing the design, implementation, maintenance, monitoring, and reporting of system and logical security controls.
  • Examine the alignment of data classification processes and procedures with the organization’s policies, standards, procedures, and relevant external requirements.
  • Assess the processes and procedures for storing, retrieving, transporting, and disposing of assets to ensure the adequate safeguarding of information assets.
  • Evaluate the effectiveness of the information security program and its alignment with the organization’s strategies and objectives.

EXAM DETAILS

Please note that the CISA exam is not included in this training course, and candidates must schedule their Computer-Based Testing (CBT) exam session directly with ISACA. Our experience indicates that candidates have the highest chance of success if they take the exam approximately two to four weeks after completing the training course. For more details, visit our dedicated CISA Campus page.

WHO SHOULD ATTEND THIS COURSE?

This course is designed for IT professionals preparing to take the ISACA Certified Information Systems Auditor (CISA) examination through a Computer-Based Testing (CBT) session, which is available during three testing windows per year. Candidates who pass the exam and possess at least five years of relevant work experience will be granted the CISA qualification. For more information, please refer to the “How to Become CISA Certified” section on the ISACA website.

ENTRY REQUIREMENTS

While there are no mandatory prerequisites for attending this course, please be aware that it is an exam preparation course, and all attendees should have a basic understanding of the CISA job practice knowledge domains.

DURATION

Minimum Training Duration: 5 Days

Maximum Training Duration: 2 Months (Sessions available on Saturdays or Sundays)
