ALREADY HAVE A CISA CERTIFICATION? LOG IN TO MYISACA

CISA的工作实践和考试准备有什么新的更新?

注册信息系统审计师® (CISA®) certification is undergoing a job practice update this year that considers innovations and evolving technologies related to the role of an IT audit professional. The updated CISA exam will reflect the new exam content outline (ECO) beginning 1 August 2024. CISA exams consist of 150 questions covering five job practice domains, all testing your knowledge and ability on real-life job practices leveraged by expert professionals. Exam prep material for the updated CISA exam will be available on 1 May 2024. 请参阅下面的图表,比较2019年和2024年的CISA ECO域名. (注:5个域名标题没有变化. Find more information in ISACA’s Knowledge Base).

信息系统审计流程图
Domain 1

信息系统审计流程
IT图的治理和管理
Domain 2

Governance & Management of IT
信息系统获取、开发和实现图
Domain 3

信息系统的获取和开发 & Implementation
信息系统操作和业务弹性
Domain 4

信息系统操作和业务弹性
保护资产信息
Domain 5

Protection of Information Assets
获取当前的考试准备材料 下载当前考试考生指南
墙上的证书插图,前面是人

ISACA’S commitment

Since its inception in 1978, more than 200,000 people have obtained ISACA’s CISA certification to validate their expertise in understanding and performing vital roles in audit, security and control. The domains, 子主题和任务是广泛研究的结果, feedback and validation from subject matter experts and prominent industry leaders from around the globe.

Updated job practice areas tested for and validated by a CISA certification

18% DOMAIN 1 -信息系统审计流程

Providing industry-standard audit services to assist organizations in protecting and controlling information systems, Domain-1 affirms your credibility to offer conclusions on the state of an organization’s IS/IT security, risk and control solutions.

A–PLANNING

  1. 审计准则、准则和道德准则是什么
  2. Business Processes
  3. Types of Controls
  4. Risk-Based Audit Planning
  5. Types of Audits and Assessments

B–EXECUTION

  1. Audit Project Management
  2. Sampling Methodology
  3. 审计证据收集技巧
  4. Data Analytics
  5. 报告和沟通技巧
  6. 审计过程的质量保证和改进

18% DOMAIN 2 – GOVERNANCE & MANAGEMENT OF IT

This domain confirms to stakeholders your abilities to identify critical issues and recommend enterprise-specific practices to support and safeguard the governance of information and related technologies.

A–IT GOVERNANCE

  1. IT Governance and IT Strategy
  2. IT-Related Frameworks
  3. IT标准、政策和程序
  4. Organizational Structure
  5. Enterprise Architecture
  6. Enterprise Risk Management
  7. Maturity Models
  8. 影响本组织的法律、法规和行业标准

B–IT MANAGEMENT

  1. IT Resource Management
  2. IT服务提供商获取和管理
  3. IT性能监控和报告
  4. 资讯科技品质保证及品质管理

12% DOMAIN 3 -信息系统的获取、开发 & IMPLEMENTATION

领域3和领域4不仅证明了您在IT控制方面的能力, 还包括你对IT与业务之间关系的理解.

信息系统的获取和发展

  1. 项目管治及管理
  2. 商业案例和可行性分析
  3. System Development Methodologies
  4. 控制识别与设计

b -信息系统实施

  1. Testing Methodologies
  2. 配置和发布管理
  3. 系统迁移、基础设施部署和数据转换
  4. Post-implementation Review

26% DOMAIN 4 – INFORMATION SYSTEMS OPERATIONS & BUSINESS RESILIENCE

领域3和领域4不仅证明了您在IT控制方面的能力, 还包括你对IT与业务之间关系的理解.

A–INFORMATION SYSTEMS OPERATIONS

  1. Common Technology Components
  2. IT Asset Management
  3. 作业调度和生产过程自动化
  4. System Interfaces
  5. End-User Computing
  6. Data Governance
  7. Systems Performance Management
  8. Problem and Incident Management
  9. 变更、配置、发布和补丁管理
  10. IT Service Level Management
  11. Database Management

B–BUSINESS RESILIENCE

  1. Business Impact Analysis (BIA)
  2. System Resiliency
  3. 数据备份、存储和恢复
  4. Business Continuity Plan (BCP)
  5. Disaster Recovery Plans (DRP)  

26% DOMAIN 5 ——保护信息资产

网络安全现在几乎涉及到每一个信息系统角色, and understanding its principles, 最佳实践和陷阱是领域5的主要焦点.

a -信息资产安全与控制

  1. 信息资产安全框架、标准和指南
  2. Privacy Principles
  3. 物理访问和环境控制
  4. Identity and Access Management
  5. Network and End-Point Security
  6. Data Classification
  7. 数据加密和加密相关技术
  8. Public Key Infrastructure (PKI)
  9. 基于网络的通信技术
  10. Virtualized Environments
  11. 移动、无线和物联网(IoT)设备

B–SECURITY EVENT MANAGEMENT

  1. 安全意识培训和计划
  2. 信息系统攻击方法与技术
  3. 安全测试工具和技术
  4. 安全监控工具和技术
  5. Incident Response Management
  6. Evidence Collection and Forensics  

SUPPORTING TASKS

  1. 计划审计以确定信息系统是否受到保护, 控制并为组织提供价值.
  2. Conduct audit in accordance with IS audit standards and a risk based IS audit strategy.
  3. Communicate audit progress, findings, results and recommendations to stakeholders.
  4. Conduct audit follow‐up to evaluate whether risks have been sufficiently addressed.
  5. Evaluate the IT strategy for alignment with the organization’s strategies and objectives.
  6. Evaluate the effectiveness of IT governance structure and IT organizational structure.
  7. 评估组织对IT政策和实践的管理.
  8. Evaluate the organization’s IT policies and practices for compliance with regulatory and legal requirements.
  9. Evaluate IT resource and portfolio management for alignment with the organization’s strategies and objectives.
  10. 评估组织的风险管理政策和实践.
  11. 评估IT管理和监控控制.
  12. Evaluate the monitoring and reporting of IT key performance indicators (KPIs).
  13. 评估组织持续业务运作的能力.
  14. Evaluate whether the business case for proposed changes to information systems meet business objectives.
  15. Evaluate whether IT supplier selection and contract management processes align with business requirements.
  16. 评估组织的项目管理政策和实践.
  17. Evaluate controls at all stages of the information systems development lifecycle.
  18. Evaluate the readiness of information systems for implementation and migration into production.
  19. Conduct post‐implementation review of systems to determine whether project deliverables, 控制和需求得到满足.
  20. Evaluate whether IT service management practices align with business requirements.
  21. Conduct periodic review of information systems and enterprise architecture.
  22. Evaluate IT operations to determine whether they are controlled effectively and continue to support the organization’s objectives.
  23. Evaluate IT maintenance practices to determine whether they are controlled effectively and continue to support the organization’s objectives.
  24. 评估数据库管理实践.
  25. 评估数据治理策略和实践.
  26. 评估问题和事件管理政策和实践.
  27. Evaluate change, configuration, release and patch management policies and practices.
  28. Evaluate end-user computing to determine whether the processes are effectively controlled.
  29. Evaluate the organization's information security and privacy policies and practices.
  30. Evaluate physical and environmental controls to determine whether information assets are adequately safeguarded.
  31. 评估逻辑安全控制以验证机密性, 信息的完整性和可用性.
  32. Evaluate data classification practices for alignment with the organization’s policies and applicable external requirements.
  33. Evaluate policies and practices related to asset lifecycle management.
  34. Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives.
  35. Perform technical security testing to identify potential threats and vulnerabilities.
  36. 利用数据分析工具简化审计流程.
  37. Provide consulting services and guidance to the organization in order to improve the quality and control of information systems.
  38. Identify opportunities for process improvement in the organization's IT policies and practices.
  39. Evaluate potential opportunities and threats associated with emerging technologies, 法规和行业惯例.

正在为这次考试做准备

ISACA offers a variety of exam preparation resources including group training, self-paced training and study resources in various languages to help you prepare for the current certification exam. 选择适合你的时间表和学习需要的方法.

获取当前的考试准备材料

Download exam terminology list

While studying for your CISA exam, explore our lists of terms that will appear on the test. See the terms in English alongside how they will appear in the other languages offered. 

Chinese Simplified | Chinese Traditional | French | German | Hebrew | Italian | Japanese  | Korean | Spanish | Turkish | Portuguese