CISA 2016 - What's New

Kenneth Magee
April 19, 2016 by
Kenneth Magee

ISACA just recently released the 26th Edition of the CISA Review Manual to recognize and map to the new task/knowledge statements which can about as a result of ISACA's job practice analysis.  This analysis will be reflected in the exam offered in June 2016.  While the domains remain the same there is different emphasis for them.

Domain 1, The Process of Auditing Information Systems went from 14% to 21% of the exam and this domain was the one which most drastically.

Get certified with an Exam Pass Guarantee

Get certified with an Exam Pass Guarantee

Looking to get certified? Many of our boot camps are backed by an Exam Pass Guarantee, ensuring you leave with the certification you want.

Domain 2, Governance and Management of IT changed from 14% to 16%.

Domain 3, Information Systems Acquisition, Development and Implementation dropped from 19% to 18%.

Domain 4, Information Systems Operations, Maintenance and Support dropped from 23% to 20%, and

Domain 5, Protection of Information Assets has the biggest drop going from 30% to 25%.

The changes in Domain 1 centered around:

  • Adding the effect of laws and regulations on IS Audit Planning
  • Adding more detail to ISACA IS Audit and Assurance Standards
  • Adding more detail to ISACA IS Audit and Assurance Guidelines
  • Removing some of the detail regarding ITAF, as new guidance is being developed which when issued will be indexed within the framework
  • Rearranging the sequence of "IS Controls" and "Performing an IS Audit" and placing more emphasis on a Risk-based approach to auditing

The changes in Domain 2 centered around:

  • Adding detail in the section on Information Security Governance
  • Adding detail in the section on Risk Management Process
  • Adding SCADA and System Security Engineer to IT Roles and Responsibilities
  • Adding Business Continuity Management Good Practices to Plan Testing

The changes in Domain 3 centered around:

  • Adding System Development Project Cost Estimation to Project Planning
  • Adding Project Execution to Project Management Practices
  • Adding significant detail in the areas of Industrial Control Systems (ICS), Virtualization and Cloud Computing Environment
  • Reducing the number of areas in e-commerce
  • Updating the ISO/IEC standards references to the new 330XX series

There were a significant number of changes in Domain 4 even though the percentages dropped, new changes include:

  • Adding IT Service Management Frameworks to IS Operations and expanding existing detail in this area
  • Expanding the detail under IT Service Management
  • Adding Patch Management to the Change Management Process
  • Dropping IS Management and Media Sanitization from IS Operations
  • Adding IT Asset Management
  • In the Data Management area, dropping File Organization and adding Data Quality and Data Life Cycle
  • Dropping Tape and Disk Management Systems, as well as, Digital Rights Management from IS Architecture and Software
  • Adding Source Code Management and End-User Computing to IS Architecture and Software
  • Adding Enterprise Architecture and Auditing to the section on Auditing Infrastructure and Operations
  • Adding both, Disaster Recovery Testing Methods and Invoking Disaster Recovery Plans to the section on Disaster Recovery Planning

The changes in Domain 5 were equally significant with both major drops and adds:

  • Areas dropped included:
    • Detail under Computer Crime Issues and Exposures
    • Mobile Access
    • Portions of LAN Security
    • Client-server Risks and Issues
    • Five areas in Encryption
  • Areas added included:
    • Fraud Risk Factors
    • Information Security Control Design with substantial detail
    • Security Awareness, Training and Education under Critical Success Factors
    • Network Penetration Tests in Auditing Remote Access
    • Fireproof Walls, Floors and Ceilings of the Computer Room under Auditing Environmental Controls
    • Sections on:
      • Peer-to-peer computing
      • Instant Messaging
      • Social Media
      • Cloud Computing
      • Data Leakage with ten different areas of detail
      • End-user Computing Security Risk and Controls

As the industry changes, so also does the auditing community and ISACA's job analysis reflects these industry changes.  We are moving towards Social Medial, Instant Messaging and Cloud Computing and along with this movement comes the associated risks and rewards.  As auditors we must strive to keep management aware of the risks posed by all of the "new trends" in Information Technology.

Get certified with our Exam Pass Guarantee

Get certified with our Exam Pass Guarantee

Many of our boot camps come with an Exam Pass Guarantee: if you fail on your first attempt, we'll invite you to re-sit the course for free and cover the cost of your second exam.

I hope you have found this article interesting.  The author can be contacted via this resources website.

Kenneth Magee
Kenneth Magee

Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.