ISACA - CISA Review Manual

About ISACA

Now in its 50th anniversary year, ISACA (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Todays world is powered by information and technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations.

Among those credentials, ISACA advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise IT (CGEIT) credentials.

ISACA leverages the expertise of its 460,000 engaged professionals

including its 140,000 membersin information and cybersecurity,

governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 220 chapters worldwide and offices in both the United States and China.

Disclaimer

ISACA has designed and created CISA Review Manual 27th Edition primarily as an educational resource to assist individuals preparing to take the CISA certification exam. It was produced independently from the CISA exam and the CISA Certification Committee, which has had no responsibility for its content. Copies of past exams are not released to the public and were not made available to ISACA for preparation of this publication. ISACA makes no representations or warranties whatsoever with regard to these or other ISACA publications assuring candidates passage of the CISA exam.

Reservation of Rights

2019 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval

system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA.

ISACA

1700 E. Golf Road, Suite 400

Schaumburg, IL 60173 USA

Phone: +1.847.660.5505

Fax: +1.847.253.1755

Contact us: https://support.isaca.org

Website: www.isaca.org

Participate in the ISACA Online Forums:

https://engage.isaca.org/onlineforums

Twitter: www.twitter.com/ISACANews

LinkedIn: www.linkd.in/ISACAOfficial

Facebook: www.facebook.com/ISACAHQ

Instagram: www.instagram.com/isacanews

ISBN 978-1-60420-767-5

CISA Review Manual 27th Edition

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world.

CISA Review Manual 27th Edition

ISACA is pleased to offer the 27th edition of the CISA Review Manual. The purpose of this manual is to provide Certified Information Systems Auditor (CISA) candidates with the technical information and reference material to assist in preparation for the Certified Information Systems Auditor exam.

The content in this manual is based on the CISA Job Practice, available at

www.isaca.org/cisajobpractice. This job practice is the basis for the CISAexam. The development of the job practice involves thousands of CISA-certified individuals and other industry professionals worldwide who serve as committee members, focus group participants, subject matter experts and survey respondents.

The CISA Review Manual is updated to keep pace with rapid changes in the information systems (IS) audit, control and security professions. As with previous manuals, the 27th edition is the result of contributions from many qualified authorities who have generously volunteered their time and expertise. We respect and appreciate their contributions and hope their efforts provide extensive educational value to CISA Review Manual readers.

Certification has positively impacted many careers; the CISA designation is respected and acknowledged by organizations around the world. We wish you success with the CISA exam. Your commitment to pursue the leading certification in IS audit, assurance, control and security is exemplary.

Acknowledgments

The 27th edition of the CISA Review Manual is the result of the collective efforts of many volunteers. ISACA members from throughout the global IS

audit, control and security professions participated, generously offering their talent and expertise. This international team exhibited a spirit and selflessness that have become the hallmark of contributors to this manual. Their participation and insight are truly appreciated.

Special thanks to Pamela J. Nigro, CISA, CGEIT, CRISC, Senior Director GRC, Information Security, Health Care Service Corporation, USA; Deborah A. Oetjen, USA; and Terry Trsar, USA, for their assistance in developing the content for the update.

Contributors

Ian Cooke, CISA, CRISC, CGEIT, CIPT, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma Green

Belt, An Post, Ireland

Zou Guodong, CISA, CISM, CGEIT, CRISC, China

Rudy Matiska, CISA, PwC, USA

Patricia North-Martino, CISA, MSCIS, USA

Pavel Strongin, CISA, CISM, CPA, USA

Lisa Fengping Yip, CISA, USA

Expert Reviewers

Sanjiv Agarwala, MD, CISA, CISM, CGEIT, Oxygen Consulting Services Pvt Ltd, India

Akinwale Akindiya, CISA, ACA, Royalway Consulting, Nigeria

Sunil Bhaskar Bakshi CISA, CISM, CGEIT, CRISC, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, India

Konstantinos Baliotis, CISA, Greece

Zsolt Bederna, CISA, CISM, CGEIT, C|EH, CISSP, ITIL 2011 Foundation, TOGAF 9 Foundation, Hungary

Anupma Bhatia, CISA, CRISC, USA

Ishwar Chandra, CISA, FCA, IC & Associates, Chartered Accountants, India Mouhamed Diop, CISA, CISM, CGEIT, CRISC, Senegal

Ahmad ElGhazouly, DBA, CISA, CISM, CRISC, ACP, PBA, PMP, RMP,

TOGAF, PGESCo, Egypt

Marco Ermini, PhD, CISA, CISM, CISSP, ITILv3, GCIH, RCSS, Germany Shigeto Fukuda, CISA, EYACC, Japan

Sarada Ganti, CISA, CISM, Allergan Pharma, USA

Mohamed Gohar, CISA, CISM, CRISC, CGEIT, CEH, CISSP, CLPTP,

COBIT 5, ISO 21500 LPM, ISO/IEC 20000 LI, ISO/IEC 24762 IT DRM,

ISO/IEC 27001 LA/LI, ISO/IEC 27005 LRM, ISO/IEC 27032 LCM,

ISO/IEC 27034 App Sec LI, ISO/IEC 38500 IT CGM, ITIL

Practitioner/Expert, PMP, Resilia Practitioner, SSGB, TOGAF

Practitioner, Egypt

Shruti Shrikant Kulkarni, CISA, CRISC, CCSK, CISSP, ITIL V3 Expert, Interpublic Group, UK

S. Krishna Kumar, CISA, CISM, CGEIT, India

Vivian Mojuetan, CISA, CRISC, Vocalink, UK

Juan Carlos Morales, CISA, CISM, CGEIT, CRISC, Guatemala

Mukesh Nathani, CISA, PMP, Deloitte, Canada

Dapo Ogunkola, CISA, CRISC, ACA, CFE, CFSA, EY, UK

Ganiyu Oladimeji, CISA, CISM, CRISC, Moshood Abiola Polytechnic, Nigeria

Opeyemi Onifade, CISA, CISM, CGEIT, BRMP, CCSP, CISSP, ISO

27001LA, PCI-QSA, Afenoid Enterprise Limited, Nigeria

Teju Oyewole, CISA, CISM, CRISC, CCSP, CISSP, PMP, Indigo Books &

Music, Canada

Vaibhav Patkar, CISA, CISM, CGEIT, CRISC, CISSP, India

Esteban Pizzini, CISA, Argentina

Robert Prince, CISA, CISSP, Sempra Energy, USA

Shahid Qureshi, CISA, CGA, CIA (USA), CPA, FCCA (UK), FCMA, FCIS, FCSM, Canada

Sreekrishna Rao, CISA, UK