Appendix A: The CISA Exam and CobiT
CobiT 4.1 is an initiative conducted by the IT Governance Institute.
CobiT has been developed as a generally applicable and accepted
framework for good IT security and control practices that provide a
reference for management, users, and IS audit, control and security
practitioners. CobiT is based on ITGI’s control objectives, enhanced
with existing and emerging international technical, professional,
regulatory and industry-specific standards. The resulting control
objectives have been developed for application to organizationwide
information systems.
CobiT also supports a generic IT assurance/audit process which
can be summarized as:
• Obtaining an understanding of business requirements, related
risks and relevant control measures
• Evaluating the appropriateness of stated controls
• Assessing compliance by testing whether the stated controls are
working: as prescribed, consistently and continuously
• Substantiating the risk of control objectives not being met by
using analytical techniques and/or consulting alternative sources
Although knowledge of CobiT is not specifically tested on the
CISA exam, the CobiT control objectives or processes reflect the
tasks identified in the CISA job practice. As such, a thorough
review of CobiT is recommended for candidate preparation for
the CISA exam. To focus a candidate’s attention on the specific
CobiT processes that relate to CISA practice analysis tasks, the
following table has been provided to aid in a candidate’s exam
preparation.
Note: The CobiT framework is available at no charge from
ISACA/ITGI and can be downloaded at www.isaca.org/cobit.
Chapter 1: The IS Audit Process

1.1 Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
CobiT 3rd Edition: PO9 Assess risk; M3 Obtain independent assurance; M4 Provide for independent audit
CobiT 4.0 and 4.1: PO9 Assess and manage IT risks; ME2 Monitor and evaluate internal control

1.2 Plan specific audits to ensure that IT and business systems are protected and controlled.
CobiT 3rd Edition: M3 Obtain independent assurance; M4 Provide for independent audit
CobiT 4.0 and 4.1: PO9 Assess and manage IT risks; ME2 Monitor and evaluate internal control

1.3 Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
CobiT 3rd Edition: M4 Provide for independent audit
CobiT 4.0 and 4.1: ME2 Monitor and evaluate internal control

1.4 Communicate emerging issues, potential risks and audit results to key stakeholders.
CobiT 3rd Edition: M3 Obtain independent assurance; M4 Provide for independent audit

1.5 Advise on the implementation of risk management and control practices within the organization while maintaining independence.
CobiT 3rd Edition: PO9 Assess risk; PO11 Manage quality; M3 Obtain independent assurance; M4 Provide for independent audit
CobiT 4.0 and 4.1: PO8 Manage quality; PO9 Assess and manage IT risks
Chapter 2: IT Governance

2.1 Evaluate the effectiveness of the IT governance structure to ensure adequate board control over the decisions, directions and performance of IT so that it supports the organization’s strategies and objectives.
CobiT 3rd Edition: PO1 Define a strategic IT plan; PO4 Define the IT organization and relationships; PO5 Manage the IT investment; PO6 Communicate management aims and direction; M2 Assess internal control adequacy; M3 Obtain independent assurance; M4 Provide for independent audit
CobiT 4.0 and 4.1: PO1 Define a strategic IT plan; PO4 Define the IT processes, organization and relationships; PO5 Manage the IT investment; PO6 Communicate management aims and direction; ME4 Provide IT governance

2.2 Evaluate IT organizational structure and human resources (personnel) management to ensure that they support the organization’s strategies and objectives.
CobiT 3rd Edition: PO4 Define the IT organization and relationships; PO7 Manage human resources; DS1 Define and manage service levels
CobiT 4.0 and 4.1: PO4 Define the IT processes, organization and relationships; PO7 Manage IT human resources; DS1 Define and manage service levels

2.3 Evaluate the IT strategy and the process for its development, approval, implementation and maintenance to ensure that it supports the organization’s strategies and objectives.
CobiT 3rd Edition: PO1 Define a strategic IT plan; PO5 Manage the IT investment
CobiT 4.0 and 4.1: PO1 Define a strategic IT plan; PO5 Manage the IT investment

2.4 Evaluate the organization’s IT policies, standards, procedures and processes for their development, approval, implementation, and maintenance to ensure that they support the IT strategy and comply with regulatory and legal
CobiT 3rd Edition: PO8 Ensure compliance with external requirements; AI6 Manage changes; M1 Monitor the process
CobiT 4.0 and 4.1: AI6 Manage changes; ME1 Monitor and evaluate IT performance; ME3 Ensure regulatory compliance (4.0); ME3 Ensure compliance with external requirements (4.1)

2.5 Evaluate management practices to ensure compliance with the organization’s IT strategy, policies, standards and procedures.
CobiT 3rd Edition: PO6 Communicate management aims and direction; PO7 Manage human resources; PO10 Manage projects; PO11 Manage quality; DS6 Identify and allocate costs
CobiT 4.0 and 4.1: PO6 Communicate management aims and direction; PO7 Manage IT human resources; PO8 Manage quality; PO10 Manage projects; DS6 Identify and allocate costs

2.6 Evaluate IT resource investment, use and allocation practices to ensure alignment with the organization’s strategies and objectives.
CobiT 3rd Edition: PO5 Manage the IT investment; PO10 Manage projects
CobiT 4.0 and 4.1: PO5 Manage the IT investment; PO10 Manage projects

2.7 Evaluate IT contracting strategies and policies and contract management practices to ensure that they support the organization’s strategies and objectives.
CobiT 3rd Edition: PO7 Manage human resources; PO8 Ensure compliance with external requirements; AI1 Identify automated solutions; DS2 Manage third-party services; DS9 Manage the configuration
CobiT 4.0 and 4.1: PO7 Manage IT human resources; AI1 Identify automated solutions; DS2 Manage third-party services; DS9 Manage the configuration; ME3 Ensure regulatory compliance (4.0); ME3 Ensure compliance with external requirements (4.1)

2.8 Evaluate risk management practices to ensure that the organization’s IT related risks are properly managed.
CobiT 3rd Edition: PO1 Define a strategic IT plan; PO6 Communicate management aims and direction; PO9 Assess risk; PO10 Manage projects; M1 Monitor the process; M4 Provide for independent audit
CobiT 4.0 and 4.1: PO1 Define a strategic IT plan; PO6 Communicate management aims and direction; PO9 Assess and manage IT risks; PO10 Manage projects; ME4 Provide IT governance

2.9 Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance.
CobiT 3rd Edition: PO8 Ensure compliance with external requirements; PO10 Manage projects; PO11 Manage quality; M2 Assess internal control adequacy; M3 Obtain independent assurance
CobiT 4.0 and 4.1: PO8 Manage quality; PO10 Manage projects; ME2 Monitor and evaluate internal control; ME3 Ensure regulatory compliance (4.0); ME3 Ensure compliance with external requirements (4.1)
Chapter 3: Systems and Infrastructure Life Cycle Management

3.1 Evaluate the business case for the proposed system development/acquisition to ensure that it meets the organization’s business goals.
CobiT 3rd Edition: PO3 Determine technological direction; PO11 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; DS9 Manage the configuration
CobiT 4.0 and 4.1: PO3 Determine technological direction; PO8 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; DS9 Manage the configuration

3.2 Evaluate the project management framework and project governance practices to ensure that business objectives are achieved in a cost-effective manner while managing risks to the organization.
CobiT 3rd Edition: PO9 Assess risks; PO10 Manage projects; PO11 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software
CobiT 4.0 and 4.1: PO8 Manage quality; PO9 Assess and manage IT risks; PO10 Manage projects; AI1 Identify automated solutions; AI2 Acquire and maintain application software

3.3 Perform reviews to ensure that a project is progressing in accordance with project plans, it is adequately supported by documentation and the status reporting is accurate.
CobiT 3rd Edition: PO10 Manage projects; AI1 Identify automated solutions; AI2 Acquire and maintain application software; M3 Obtain independent assurance; M4 Provide for independent audit
CobiT 4.0 and 4.1: PO10 Manage projects; AI1 Identify automated solutions; AI2 Acquire and maintain application software; ME2 Monitor and evaluate internal control

3.4 Evaluate proposed control mechanisms for systems and/or infrastructure during specification, development/acquisition, and testing to ensure that they will provide safeguards and comply with the organization’s policies and other requirements.
CobiT 3rd Edition: PO10 Manage projects; PO11 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI5 Install and accredit systems
CobiT 4.0 and 4.1: PO8 Manage quality; PO10 Manage projects; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI7 Install and accredit solutions and changes

3.5 Evaluate the processes by which systems and/or infrastructure are developed/acquired and tested to ensure that the deliverables meet the organization’s objectives.
CobiT 3rd Edition: PO10 Manage projects; PO11 Manage quality; AI1 Identify automated solutions
CobiT 4.0 and 4.1: PO8 Manage quality; PO10 Manage projects; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI7 Install and accredit solutions and changes

3.6 Evaluate the readiness of the system and/or infrastructure for implementation and migration into production.
CobiT 3rd Edition: AI2 Acquire and maintain application software; AI5 Install and accredit systems
CobiT 4.0 and 4.1: PO8 Manage quality; PO10 Manage projects; AI7 Install and accredit solutions and changes

3.7 Perform postimplementation review of systems and/or infrastructure to ensure that they meet the organization’s objectives and are subject to effective internal control.
CobiT 3rd Edition: PO3 Determine technological direction; AI3 Acquire and maintain technology infrastructure; AI5 Install and accredit systems
CobiT 4.0 and 4.1: PO3 Determine technological direction; AI3 Acquire and maintain technology infrastructure; AI7 Install and accredit solutions and changes

3.8 Perform periodic reviews of systems and/or infrastructure to ensure that they continue to meet the organization’s objectives and are subject to effective internal control.
CobiT 3rd Edition: PO6 Communicate management aims and direction; PO10 Manage projects; PO11 Manage quality; AI5 Install and accredit systems; DS1 Define and manage service levels; DS3 Manage performance and capacity; M2 Assess internal control adequacy; M3 Obtain independent assurance; M4 Provide for independent audit
CobiT 4.0 and 4.1: PO6 Communicate management aims and direction; PO8 Manage quality; PO10 Manage projects; AI7 Install and accredit solutions and changes; DS1 Define and manage service levels; DS3 Manage performance and capacity; ME2 Monitor and evaluate internal control

3.9 Evaluate the process by which systems and/or infrastructure are maintained to ensure the continued support of the organization’s objectives and are subject to effective internal control.
CobiT 3rd Edition: PO3 Determine technological direction; PO11 Manage quality; AI3 Acquire and maintain technology infrastructure; AI6 Manage changes
CobiT 4.0 and 4.1: PO3 Determine technological direction; PO8 Manage quality; AI3 Acquire and maintain technology infrastructure; AI6 Manage changes

3.10 Evaluate the process by which systems and/or infrastructure are disposed of to ensure that they comply with the organization’s policies and procedures.
CobiT 3rd Edition: PO6 Communicate management aims and direction; AI1 Identify automated solutions
CobiT 4.0 and 4.1: PO6 Communicate management aims and direction; AI1 Identify automated solutions
Chapter 4: IT Service Delivery and Support

4.1 Evaluate service level management practices to ensure that the level of service from internal and external service providers is defined and managed.
CobiT 3rd Edition: AI4 Develop and maintain procedures; DS1 Define and manage service levels; DS2 Manage third-party services; DS6 Identify and allocate costs; DS8 Assist and advise customers; M1 Monitor the process
CobiT 4.0 and 4.1: AI4 Enable operation and use; DS1 Define and manage service levels; DS2 Manage third-party services; DS6 Identify and allocate costs; DS8 Manage service desk and incidents; DS10 Manage problems; ME1 Monitor and evaluate IT performance

4.2 Evaluate operations management to ensure that IT support functions effectively meet business needs.
CobiT 3rd Edition: PO9 Assess risks; AI4 Develop and maintain procedures; AI5 Install and accredit systems; DS13 Manage operations; M2 Assess internal control adequacy
CobiT 4.0 and 4.1: PO9 Assess and manage IT risks; AI4 Enable operation and use; AI7 Install and accredit solutions and changes; DS13 Manage operations; ME1 Monitor and evaluate IT performance

4.3 Evaluate data administration practices to ensure the integrity and optimization of databases.
CobiT 3rd Edition: PO2 Define the information architecture; PO4 Define the IT organisation and relationships; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI5 Install and accredit systems; DS5 Ensure systems security; M1 Monitor the process
CobiT 4.0 and 4.1: PO2 Define the information architecture; PO4 Define the IT processes, organization and relationships; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI7 Install and accredit solutions and changes; DS5 Ensure systems security; ME1 Monitor and evaluate IT performance

4.4 Evaluate the use of capacity and performance monitoring tools and techniques to ensure that IT services meet the organization’s objectives.
CobiT 3rd Edition: PO11 Manage quality; AI1 Identify automated solutions; AI5 Install and accredit systems; DS1 Define and manage service levels; DS3 Manage performance and capacity; M1 Monitor the process
CobiT 4.0 and 4.1: AI1 Identify automated solutions; AI7 Install and accredit solutions and changes; DS1 Define and manage service levels; DS3 Manage performance and capacity; ME1 Monitor and evaluate IT performance

4.5 Evaluate change, configuration and release management practices to ensure that changes made to the organization’s production environment are adequately controlled and documented.
CobiT 3rd Edition: AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; AI5 Install and accredit systems; AI6 Manage changes; DS9 Manage the configuration
CobiT 4.0 and 4.1: PO8 Manage quality; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; AI6 Manage changes; AI7 Install and accredit solutions and changes; DS9 Manage the configuration

4.6 Evaluate problem and incident management practices to ensure that incidents, problems or errors are recorded, analyzed and resolved in a timely manner.
CobiT 3rd Edition: DS8 Assist and advise customers; DS10 Manage problems and incidents; DS11 Manage data
CobiT 4.0 and 4.1: DS8 Manage service desk and incidents; DS10 Manage problems; DS11 Manage data; ME1 Monitor and evaluate IT performance

4.7 Evaluate the functionality of the IT infrastructure (e.g., network components, hardware, system software) to ensure that it supports the organization’s objectives.
CobiT 3rd Edition: PO3 Determine technological direction; PO11 Manage quality; AI3 Acquire and maintain technology infrastructure; AI6 Manage changes
CobiT 4.0 and 4.1: PO3 Determine technological direction; PO8 Manage quality; AI3 Acquire and maintain technology infrastructure; AI6 Manage changes
Chapter 5: Protection of Information Assets

5.1 Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets.
CobiT 3rd Edition: AI6 Manage changes; DS4 Ensure continuous service; DS5 Ensure systems security; DS10 Manage problems and incidents; M1 Monitor the process
CobiT 4.0 and 4.1: AI6 Manage changes; DS4 Ensure continuous service; DS5 Ensure systems security; DS10 Manage problems; ME1 Monitor and evaluate IT performance

5.2 Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted.
CobiT 3rd Edition: DS4 Ensure continuous service; DS5 Ensure systems security; DS11 Manage data; DS13 Manage operations; M1 Monitor the process
CobiT 4.0 and 4.1: DS4 Ensure continuous service; DS5 Ensure systems security; DS11 Manage data; DS13 Manage operations; ME1 Monitor and evaluate IT performance

5.3 Evaluate the design, implementation and monitoring of environmental controls to prevent or minimize loss.
CobiT 3rd Edition: PO9 Assess risks; DS4 Ensure continuous service; DS12 Manage facilities; M1 Monitor the process
CobiT 4.0 and 4.1: PO9 Assess and manage IT risks; DS4 Ensure continuous service; DS12 Manage the physical environment; ME1 Monitor and evaluate IT performance; ME3 Ensure regulatory compliance (4.0); ME3 Ensure compliance with external requirements (4.1)

5.4 Evaluate the design, implementation and monitoring of physical access controls to ensure that information assets are adequately safeguarded.
CobiT 3rd Edition: PO4 Define the IT organization and relationships; PO8 Ensure compliance with external requirements; DS5 Ensure systems security; DS12 Manage facilities; M1 Monitor the process
CobiT 4.0 and 4.1: PO4 Define the IT processes, organization and relationships; DS5 Ensure systems security; DS12 Manage the physical environment; ME1 Monitor and evaluate IT performance; ME3 Ensure regulatory compliance (4.0); ME3 Ensure compliance with external requirements (4.1)

5.5 Evaluate the processes and procedures used to store, retrieve, transport and dispose of confidential information assets.
CobiT 3rd Edition: AI3 Acquire and maintain technology infrastructure; DS4 Ensure continuous service; DS5 Ensure systems security; DS11 Manage data; M1 Monitor the process
CobiT 4.0 and 4.1: AI3 Acquire and maintain technology infrastructure; DS4 Ensure continuous service; DS5 Ensure systems security; DS11 Manage data; ME1 Monitor and evaluate IT performance; ME3 Ensure regulatory compliance (4.0); ME3 Ensure compliance with external requirements (4.1)
Chapter 6: Business Continuity and Disaster Recovery

6.1 Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing.
CobiT 3rd Edition: PO2 Define the information architecture; DS4 Ensure continuous service; DS11 Manage data
CobiT 4.0 and 4.1: PO2 Define the information architecture; DS4 Ensure continuous service; DS11 Manage data

6.2 Evaluate the organization’s disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster.
CobiT 3rd Edition: DS4 Ensure continuous service; DS11 Manage data; DS12 Manage facilities; DS13 Manage operations
CobiT 4.0 and 4.1: DS4 Ensure continuous service; DS11 Manage data; DS12 Manage the physical environment; ME3 Ensure regulatory compliance (4.0); ME3 Ensure compliance with external requirements (4.1)

6.3 Evaluate the organization’s business continuity plan to ensure its ability to continue essential business operations during the period of an IT disruption.
CobiT 3rd Edition: DS4 Ensure continuous service
CobiT 4.0 and 4.1: DS4 Ensure continuous service; DS13 Manage operations
CobiT 3rd Edition
The following information provides the CobiT domains and the 34 IT processes which can be identified for each CISA job practice task listed in the previous tables.

Domain: Planning and Organisation (high-level control objectives)
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define the IT organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality

Domain: Acquisition and Implementation
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain procedures
AI5 Install and accredit systems
AI6 Manage changes

Domain: Delivery and Support
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Assist and advise customers
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

Domain: Monitoring
M1 Monitor the process
M2 Assess internal control adequacy
M3 Obtain independent assurance
M4 Provide for independent audit
CobiT 4.0
The following information provides the CobiT domains and the 34 IT processes which can be identified for each CISA job practice task listed in the previous tables.

Domain: Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

Domain: Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

Domain: Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

Domain: Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure regulatory compliance.
ME4 Provide IT governance.
CobiT 4.1
The following information provides the CobiT domains and the 34 IT processes which can be identified for each CISA job practice task listed in the previous tables.

Domain: Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

Domain: Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

Domain: Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

Domain: Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.