ISACA CISA Job Practice Update 2019

In November 2018, ISACA announced their intentions to update job practice areas of the CISA. The domains, sub-domains and task statements representing the work performed in information systems audit, assurance and control, will all be updated and their systems improved.

The changes in the CISA Job Practice are the results developed after extensive research, feedback, and validation from subject matter experts and prominent industry leaders. According to ISACA, the CISA Practice Analysis Task Force was composed of 9 expert members and more than 4,000 CISA-certified professionals from around the world.

Regarding the domains of the new CISA Job Practice, the number will remain the same but changes will be made to the exam content and the importance of each criteria. Two subdomains will also be added to each of the five job practice areas. 

In new job practice areas, knowledge statements are rewritten to make sure they are current with modern technologies and used properly to refrain from any losses or redundancies. 

The new task statements 

The CISA 2019 Job Practice areas are made of 39 task statements. Of these, 35 remain the same but have been rewritten in order to remain relevant, five are new to deal with changes within the IT audit and security profession, and one has been completely removed.

The five new task statements comprise of:

1. Perform technical security testing to identify potential threats and vulnerabilities
2. Utilise data analytics tools to streamline audit processes
3. Utilise data analytics tools to streamline audit processes
4. Identify opportunities for process improvement in the organisation’s IT policies and practices
5. Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices

The five domains of the CISA Job Practice

1. The Process of Auditing Information Systems

In this domain, you’ll learn how the CISA certification offers standardised audit services to help organisations in controlling and safeguarding Information Systems. You’ll also learn how to help find business’ current IT security, potential risks, and control solutions.

There are multiple subdomains here, the two main ones being Planning and Execution. Planning involves risk-based audit planning, control types, business process and information system audit standards, code of ethics and guidelines.

Execution incorporates audit project management, sampling methodologies, data analytics, audit evidence, collection techniques and reporting and communication techniques.

This domain is still weighted the same as before at 21%.

2. Governance and Management of IT

This domain is split into two subdomains: IT Governance and IT Management. The weighting of Domain 2 has increased from 1% to 17%. It ensures that essential processes and structures are available to accomplish the organisations' objectives and strategies.

This domain also makes sure you can identify issues and provide recommendations for supporting and protecting the governance of information and associated technology.

3. Information Systems Acquisition, Development and Implementation

This domain has been reduced from 18% to 12% weighting and has been split into Information Systems Acquisition and Development and Information Systems Implementation. You’ll learn about Information Systems Acquisition, Development and Implementation to meet organisational objectives. 

4. Information Systems Operations and Business Resilience

This domain confirms that you have learnt about IT principles such as asset management, system interfaces, data governance and end-user computing, to name a few.

This domain is divided into Information Systems Operations and Business Resilience and holds a weight of 23%. Business resilience involves the understanding of Disaster Recovery Plan (DRP), Business Continuity Plan (BCP), Business Impact Analysis (BIA), System Resiliency and Data Backup, Storage and Restoration.