ISACA Update - ISACA Central Ohio Chapter

ISACA UPDATE
Presented By: Brian O’Brien, CISA
Melissa Justice, CISA
Jotham Nyamari
Board Members of the
Central Ohio ISACA Chapter
Central Ohio Chapter Goals
Educational Programs
Local Training Opportunities
Professional Networking
Central Ohio Happenings
• Monthly luncheons on the 2nd Thursday of the month.
   • Board meets monthly (10 CPEs for chapter involvement).
• Two training seminars per year (fall and spring).
   • Oracle Database Auditing on October 28-29.
• CISA / CISM training courses.
• Local job postings.
   • Website / newsletter ($35 per month).
• Golf outing.
   • Just occurred in August.
• Holiday party / Beulah Park.
   • Scheduled for Saturday, November 1st.
• Reduced fees for students.
Central Ohio Chapter
Who’s Who?
International Update
Membership Benefits
Membership
K-NET
COBIT
Val IT
ITAF
Publication
Knowledge
Community of Peers
Downloads
Career Center
Access to ISACA International’s website: http://www.isaca.org
Membership
• Total ISACA membership worldwide: 77,093
[Pie chart: membership by region, with segments labelled Asia, Latin America, Europe/Africa, North America and Oceania and values of 25%, 4%, 21%, 47% and 3%. The extracted text does not preserve which value belongs to which segment; by analogy with the CISA-by-region chart later in this deck, the likely pairing is North America 47%, Asia 25%, Europe/Africa 21%, Latin America 4%, Oceania 3%.]
K-NET
ISACA’s Knowledge Network
• Online database
• Peer reviewed
• More than 6,000 links
• Member access to 200+ topics in 13 subject areas
• Fully searchable
• Personalized tracking
www.isaca.org/knet
COBIT
COBIT Family of Products
• COBIT 4.1
• COBIT Online
• COBIT Quickstart
• COBIT Foundation Course
www.isaca.org/cobit
COBIT
COBIT Downloads
• IT Assurance Guide: Using COBIT
• IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition
• COBIT Security Baseline
www.isaca.org/downloads
COBIT® Foundation
Course
• Case studies
• Real-world examples
• Overview of COBIT Control Objectives, Control Practices, Management Guidelines and Audit Guidelines
• 40 sample questions to prepare for the COBIT Foundation Exam
• 8 hours; $499
COBIT® Foundation
Course
Consists of 5 Modules:
• Responding to IT Challenges
• Introducing COBIT
• What COBIT Provides
• Applying COBIT in Practice
• Products and Support Available from ITGI
Val IT
Provides guidance to:
• Define relationships between IT and other functions with governance responsibilities
• Manage an organization's portfolio of IT investments
• Maximize the quality of business cases for IT investments
www.isaca.org/valit
ITAF
• ITAF™: A Professional Practices Framework for IT Assurance
• Provides guidance on the design, conduct and reporting of IT audit and assurance assignments
• Defines terms and concepts specific to IT assurance
• Establishes standards that address IT audit and assurance professional roles and responsibilities, knowledge, skills and diligence, conduct, and reporting requirements
www.isaca.org/downloads
Publications
• Information Systems Control Journal
   • Print and online versions
   • www.isaca.org/journal
• Journal Online
   • Articles that supplement the journal
   • Online only
   • www.isaca.org/JOnline
• Global Communiqué
   • Member newsletter
   • Online only
   • www.isaca.org/gcomm
Knowledge
• ISACA Bookstore discounts
• Listserv discussion forums
   • Sarbanes-Oxley
   • COBIT
   • IT Governance
   • Information Security Management
   • General Topics
www.isaca.org/bookstore
Community of Peers
The Local Level: Your Chapter
• Why you should get involved:
   • More than 170 chapters in 140 countries
   • Leadership opportunities
   • Networking
   • Professional growth
   • Positive impact on the local business community
www.isaca.org/chapters
Community of Peers
The International Level: ISACA/ITGI
• Why you should get involved:
   • Impressive global network of peer contacts
   • Shared expertise and learning
   • A personal role in the future of the association, as well as the IT assurance, security and governance professions
www.isaca.org/leadership
Downloads
• Standards, Statements and Guidelines for IS audit and control
• Audit Programs and Internal Control Questionnaires on more than 20 topics
• IT Governance Institute research documents and presentations
• Free ITGI research publication downloads, including:
   • COBIT Security Baseline
   • Securing the Network Perimeter
Career Centre
• ISACA members can search for jobs by
   • Geography
   • Professional certification
   • Experience level
• ISACA members can store a resume and/or post it for employers
• Receive e-mail when new jobs are posted
Career Centre
• Employers can post jobs
   • 30-day listing for $295
   • 60-day listing for $395
   • Posting is immediate
• Employers can search resumes
http://jobs.isaca.org/
Comprehensive Student
Program
• Reduction of student dues
   • $25
   • New member fee waived
   • All benefits delivered electronically
   • Many chapters reduce or waive chapter dues for students
• Student area of the web site
   • Student membership application
   • Eligibility and dues
   • Benefits of membership
   • IT Audit Basics articles
Education Around the World
CISA, CISM, and CGEIT
Certifications
CISA Certification
Current Facts
• Certified the 60,000th CISA earlier this year
• More than 45,000 current CISAs
• A 2007 survey of ISACA members who hold the CISA designation revealed:
   • 94% value their CISA certification
   • 72% agreed that CISA has advanced their career
Current CISAs by ISACA Geographical Area
• North America: 48%
• Asia/Mid-East: 25%
• Europe/Africa: 21%
• Central/South America: 4%
• Oceania: 3%
Current CISAs (more than 500) by Country
USA            19,396
Canada          2,369
India           2,291
Korea           2,205
Japan           1,794
UK              1,719
Hong Kong       1,442
Australia       1,044
Germany           898
Singapore         883
Spain             870
China             597
Netherlands       573
South Africa      541
CISA Exam Registrations, Past 12 Months
Asia             11,700
C/S America         750
Europe/Africa     6,600
N. America        7,100
Oceania             300
Total (sum of the five regions above)   26,450
CISAs in the Workplace
• More than:
   • 9,000 serve as IT audit practitioners
   • 9,000 serve as IS/IT audit directors, managers, or hold senior positions
   • 2,200 serve as chief audit executives (CAEs), audit partners or audit heads
• More than:
   • 11,000 hold managerial or consulting positions in IT operations or compliance
   • 3,800 serve as CIOs, CISOs, security directors or security managers
   • 1,400 serve as the CEO or CFO of their organizations
Recent CISA Program
Recognition
• CIO Magazine, SC Magazine and Foote Partners research continually cite CISA as a credential that earns top pay compared with other credentials
• Certification Magazine's 2007 salary survey ranked CISA in the top five highest-paying certifications
• Salaries for auditing certifications such as CISA continue to be boosted by compliance requirements and independent auditor control provisions
Recent Significant
CISA Certification Board Actions
• Moved to the Item Response Theory (IRT) method of classifying and selecting exam items, beginning with the June 2008 exam (see next slide)
• Reduced the administered exam to 170 graded items, with additional blocks of 30 new ungraded items used to gather performance statistics
Recent Significant
CISA Certification Board Actions (continued)
• Approved discontinuing any exam language that averages fewer than 100 candidates annually over any successive three-year period
• Approved a 1-year educational waiver for achievement of a Master's degree in Information Systems or IT from an accredited university
• Motion pending on approval of Polish as a new CISA exam language
Item Response
Theory (IRT) method
The IRT method of classifying exam items
allows the CISA Certification Board to:
• Accumulate better statistics on item performance
• Score the exam more quickly
• Select items to produce a desired level of difficulty
• Move to computer-based testing in the future
ANSI Accreditation
The American National Standards Institute (ANSI) awarded accreditation under ISO/IEC 17024 to the CISA certification program in 2005.
Accreditation by ANSI signifies that ISACA's procedures meet ANSI's requirements for openness, balance, consensus and due process.
Reaccredited in 2006 and 2007. Currently being assessed for 2008.
CISA Preparation
Related Education Activities
• Updated CISA Review instructor-led training (ILT) course provided to ISACA chapters
   • Updated topics and notes
   • Added a course training guide
   • Added a 100-question sample exam (sorted by domain and scrambled)
• Introduced new CISA Online Review Course
   • Serves both for exam preparation and as continuing professional education
   • Chapter incentive program offered
• Converted sample questions on the ISACA web site to an online CISA self-assessment
Item Writing Program
• US$50 per accepted question
• Earn 1 CPE hour for each accepted question
• US$100 per accepted question offered when questions are accepted in areas of need for the exam
Continuing Education
• Did you know... Active participation on an ISACA and/or ITGI board, committee or task force, or active participation as an officer of an ISACA chapter, earns one continuing professional education hour for each hour of active participation (10-hour annual limitation).
CISM
Certification Facts
 9,145 CISM Certifications have been awarded
since 2003
 Currently there are more than 8,000 active
CISM members of ISACA
 This year the total number of CISMs awarded
will exceed 10,000
Who are the CISMs?
Most CISMs are consultants (37%) or work in financial services (19%).
As expected, most CISMs are directors (32%) or managers (22%).
16% of CISMs have a "C"-level title.
Where CISMs Work
CISMs primarily work in large organizations
(34%) with 15,000 or more employees.
30% of CISMs manage organizations whose
security staff is larger than 25 individuals.
61% work in organizations having a security
staff larger than 5 individuals.
Years of Professional
Experience
A large number of CISMs have more than 14
years of professional experience (63%). 84%
report having 10 or more years of experience.
Geographic
Representation
Member CISMs by ISACA Region
• North America: 54.2%
• Europe / Africa: 24.7%
• Asia: 14.4%
• Central / South America: 3.4%
• Oceania: 3.3%
CISM Exam Registration by Region
Region                  Dec 07   Jun 08   Total
Asia                       527      556    1083
Central/South America      152      124     276
Europe/Africa              686      801    1487
North America              825      838    1663
Oceania                     64       65     129
All regions (column sums) 2254     2384    4638
Countries with more than 40 CISM Exam Takers (June 08)
• Asia: India, Singapore, United Arab Emirates
• North America: Canada, USA
• Central / South America: Mexico
• Oceania: Australia
• Europe / Africa: Germany, Spain, Nigeria, United Kingdom
CISM Languages, June 08
This June the CISM exam was offered in four languages. For the first time it was available in Korean.
• English: 90.7%
• Spanish: 6.0%
• Japanese: 3.0%
• Korean: 0.3%
CISM in the News
IT professionals who obtained ISACA's information security managers
certification (CISM) are in a better position to deal with the growing emphasis on
business needs over technology, according to a recent survey of more than
1,400 CISMs in 83 countries. (CSO Magazine)
A report shows that formally certified security professionals on average are
commanding about 10% to 15% higher salaries than noncertified individuals in
comparable roles. Among the certification programs commanding the highest
premiums were Certified Information Systems Auditor (CISA) and Certified
Information Security Manager (CISM). (Computerworld)
CISM was listed as the 2nd highest paid certification in Certification
Magazine’s 2007 salary survey.
Recent Significant
CISM Certification Board Actions
Approved to certify professors who pass the
CISM Exam and who have a minimum of 6
years experience in security management
research and teaching.
ANSI Accreditation
• The American National Standards Institute (ANSI) awarded accreditation under ISO/IEC 17024 to the Certified Information Security Manager (CISM) program in 2005.
• Accreditation by ANSI signifies that ISACA's procedures meet ANSI's essential requirements for openness, balance, consensus and due process.
• Reaccredited in 2006 and 2007. Currently being assessed for 2008.
CISM Preparation
Related Education Activities
• Updated CISM Review instructor-led training (ILT) course provided to ISACA chapters
   • Updated topics and notes
   • Added a course training guide
   • Added a 100-question sample exam (sorted by domain and scrambled)
• Recruited more than 100 CISM subject matter experts to participate in the development of the 2009 CISM Review Manual
• Converted sample questions on the ISACA web site to an online CISM self-assessment
CISM Preparation
Related Education
Activities
• Modified the manner in which the CISM Questions, Answers and Explanations Manual and Supplement are developed to be more consistent with how the CISM Test Enhancement Committee develops questions
• Recruited experienced CISM TEC members to participate in QAE development
CGEIT
Certification Current Facts
 364 CGEITs as of 26 June 2008
 All certified via the grandfathering
provision
 Grandfathering provision ends 31 October
2008
Requirements to Become a
CGEIT under the Grandfathering Provision
Until 31 October 2008, applicants can apply for certification as a CGEIT without being required to pass the CGEIT examination. This requires that the applicant:
1. Submit evidence of appropriate work experience
2. Agree to adhere to the ISACA Code of Professional Ethics
3. Agree to comply with the CGEIT Continuing Professional Education Policy
Work Experience
In order to qualify for the CGEIT certification under the grandfathering provision, an applicant must provide evidence of management, advisory or oversight experience associated with the governance of the IT-related contribution to an enterprise. Eight (8) years of such experience is required, as defined and described by the CGEIT job practice domains and task statements. Specifically, an applicant must have:
• a minimum of one year of experience related to the development and/or maintenance of an IT governance framework (CGEIT domain one (1), see page V1); and
• additional broad experience directly related to any two or more of the remaining domains (CGEIT domains two (2) through six (6), see page V2)
Requirements to Become a
CGEIT under the Grandfathering Provision
Up to three (3) of the eight years of required experience can be substituted with other management experience, credentials, advanced (post-graduate) degrees and certificates, as follows:
• Two-Year Substitution, Other Management Experience: Up to two (2) years of experience may be substituted for other management experience that is not specific to IT governance (e.g. a consulting, auditing, assurance or security management role that is unrelated to the CGEIT domains).
• One-Year Substitution, Credentials, Advanced (post-graduate) Degrees and Certificates: One (1) year of experience may be substituted for each credential held (in good standing), advanced (post-graduate) degree or certificate program that includes an IT governance and/or management component or is specific to one or more of the CGEIT domains. These include:
   • Certified Information Systems Auditor (CISA) issued by ISACA
   • Certified Information Security Manager (CISM) issued by ISACA
   • Implementing IT Governance Using COBIT certificate issued by ISACA (available in 2008)
   • ITIL Service Manager certification program
   • Chartered Information Technology Professional (CITP) issued by the British Computer Society
   • Certified Information Technology Professional (CITP) issued by the American Institute of CPAs
   • Project Management Professional (PMP) issued by the Project Management Institute
   • Information Systems Professional (I.S.P.) issued by the Canadian Information Processing Society
   • Certified Internal Auditor (CIA) issued by the Institute of Internal Auditors
   • Certified Business Manager (CBM) issued by The Association of Professionals in Business Management
   • Advanced (post-graduate) degree from an accredited university in governance, information technology, information management or business administration
   • PRINCE2 Registered Practitioner certificate from the Office of Government Commerce
• Applicants who have earned other credentials, advanced degrees and/or certificates that include a significant IT governance and/or information management component and are not listed above are welcome to submit them to the CGEIT Certification Board for consideration.
Current CGEITs in the Workplace
[Pie chart of current CGEITs by role: C-Suite; IT Dir/Man/Cons; IT Audit Dir/Man/Cons; Sec Dir/Man/Cons; Compl/Risk Dir/Man/Cons; Other. Segment values are 28%, 21%, 16%, 14%, 12% and 9%; the extracted text does not preserve which value belongs to which role.]
CGEIT Job Roles (constituent role: key responsibility)
• Business and IT Management: Oversee the development and maintenance of the IT strategic plan and develop control frameworks.
• Project Management: Control the delivery of IT programs/projects to the business.
• Audit and Assurance Related Positions: Monitor and review the enforcement of policy compliance, both internal and external.
• Security Related Positions: Oversee the development and maintenance of the information security strategy, plan and program.
• IS/IT Related Positions: Manage enterprise architecture, including infrastructure and applications.
• Risk Management: Oversee the development and maintenance of the risk strategy, plan and program.
Current CGEITs by ISACA Geographical Area
• North America: 58%
• Europe/Africa: 21%
• Asia/Mid-East: 15%
• Central/South America: 5%
• Oceania: 1%
Current CGEITs (10 or more) by Country
USA        188
Canada      20
Japan       14
Belgium     10
UK          10
Spain       10
Current CGEITs –
Other Demographics
 41% of CGEITs come from the technology
services/consulting field
 23% of CGEITs work in the financial services industry
 82% of CGEITs have an Advanced Education Degree
44% have an Masters Degree
5% are Ph.D’s
CGEIT
Grandfather Applications and Process
• 740 applications received as of 26 June 2008
• Approval rate is 94%
• Approvals require review and approval by CGEIT Certification Board members
• Review takes approximately 6-10 weeks
CGEIT Exam
• The exam will consist of 120 multiple-choice questions. Many questions will be scenario based.
• Exam question emphasis is based on the CGEIT "job practice" survey
• Four hours are provided to complete the exam
• Offered at the same time and the same test locations as CISA and CISM
CGEIT Exam Domain Percentages
[Pie chart of exam weight by domain: IT Gov Framework; Strategic Alignment; Value Delivery; Risk Management; Resource Management; Performance Measurement. Segment values are 25%, 20%, 15%, 15%, 13% and 12%; the extracted text does not reliably preserve which value belongs to which domain, other than that the 25% segment sits beside the IT Gov Framework label.]
CGEIT Preparation
Materials
• Initially there will not be a CGEIT Review Manual or sample questions for exam preparation.
• A reference list of key publications and periodicals is available at www.isaca.org/cgeitreferences
   • References are divided into primary and other
   • Primary references (should be used for study)
      • Publications that address the CGEIT domains and the use of an IT governance framework
   • Other references (can be used for study)
      • Often address an aspect of, or approach to, IT governance
Trivia
ISACA is recognized as a worldwide leader in what three areas?
IT Governance, Information Security, IT Assurance
What year was ISACA founded?
1969
What was the original name of ISACA?
EDP Auditors Association
What is the new ISACA slogan listed on the new ISACA logo?
Serving IT Governance Professionals.
What year was the Central Ohio chapter founded?
1978
What is the name of the technical journal ISACA publishes?
Information Systems Control Journal
What is the new ISACA certification and what does the acronym stand for?
CGEIT: Certified in the Governance of Enterprise IT
What is the name of the research foundation that is funded by ISACA?
IT Governance Institute (ITGI)
What is the name of the membership newsletter distributed by ISACA?
Global Communiqué
How many members are currently on our chapter's board? (Extra for first names.)
11: Brian, Mike B, Chuck, Matt, Rich, Joseph, Melissa, Schlaine, Chris, Ryan, Mike K