ISACA Certifications 21 Jul 11


8/4/2019 ISACA Certifications 21 Jul 11

CERTIFIED INFORMATION SYSTEMS AUDITOR

The CISA exam is offered each year and consists of 200 multiple-choice questions that cover the five job practice domains created from the most recent CISA job practice analysis. The practice domains and percentages below indicate the emphasis of questions that will appear on the exam. The job practice analysis was developed and validated using prominent industry leaders, subject matter experts and industry practitioners.

Job Practice Domains: The domains and their definitions are as follows:

1. The Process of Auditing Information Systems (14 percent): Provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems.

2. Governance and Management of IT (14 percent): Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve objectives and to support the organization's strategy.

3. Information Systems Acquisition, Development and Implementation (19 percent): Provide assurance that the practices for the acquisition, development, testing, and implementation of information systems meet the organization's strategies and objectives.

4. Information Systems Operations, Maintenance and Support (23 percent): Provide assurance that the processes for information systems operations, maintenance and support meet the organization's strategies and objectives.

5. Protection of Information Assets (30 percent): Provide assurance that the organization's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.

CERTIFIED INFORMATION SECURITY MANAGER

The CISM exam is offered each year and consists of 200 multiple-choice questions that cover the five information security management job practice domains created from the most recent CISM job practice analysis. The percentages below indicate the emphasis of questions that will appear on the exam from each domain. The job practice analysis was developed and validated using prominent industry leaders, subject matter experts and industry practitioners.

Notice: The current CISM job practice is in the process of being updated to capture the changes that have occurred within the ever-evolving field of information security management. Please be aware that the December 2011 CISM exam administration will be the last time that the current CISM job practice (identified below) will be tested, as the revised job practice will be tested beginning in June 2012.

Job Practice Domains: The domains and their definitions are as follows:

1. Information security governance (23 percent): Establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.


2. Information risk management (22 percent): Identify and manage information security risks to achieve business objectives.

3. Information security program development (17 percent): Create and maintain a program to implement the information security strategy.

4. Information security program management (24 percent): Oversee and direct information security activities to execute the information security program.

5. Incident management and response (14 percent): Plan, develop and manage a capability to detect, respond to and recover from information security incidents.

CERTIFIED IN THE GOVERNANCE OF ENTERPRISE IT

Supported by the IT Governance Institute (ITGI™) and built on ITGI's intellectual property and input from subject-matter experts from around the world, the CGEIT designation is designed for professionals who have a significant management, advisory or assurance role relating to the governance of IT.

The CGEIT exam consists of 120 multiple-choice questions that cover six job practice domains. The task and knowledge statements within each domain are intended to depict the tasks performed by individuals who have a significant management, advisory, or assurance role relating to the governance of IT and the knowledge requirements to perform these tasks. They are also intended to define the roles and responsibilities of the professionals performing IT governance work. The job practice domains and percentages below indicate the emphasis of questions that will appear on the exam.

Job Practice Domains: The job practice consists of task and knowledge statements, organized by domains. The domains and their definitions are as follows:

1. IT Governance Framework (25 percent): Define, establish and maintain an IT governance framework (leadership, organizational structures and processes) to: ensure alignment with enterprise governance; control the business information and information technology environment through the implementation of good practices; and ensure compliance with external requirements.

2. Strategic Alignment (15 percent): Ensure that IT enables and supports the achievement of business objectives through the integration of IT strategic plans with business strategic plans and the alignment of IT services with enterprise operations to optimize business processes.

3. Value Delivery (15 percent): Ensure that IT and the business fulfill their value management responsibilities: IT-enabled business investments achieve the benefits as promised and deliver measurable business value both individually and collectively, that required capabilities (solutions and services) are delivered on time and within budget, and that IT services and other IT assets continue to contribute to business value.

4. Risk Management (20 percent): Ensure that appropriate frameworks exist and are aligned with relevant standards to identify, assess, mitigate, manage, communicate and monitor IT-related business risks as an integral part of an enterprise's governance environment.


5. Resource Management (13 percent): Ensure that IT has sufficient, competent and capable resources to execute current and future strategic objectives, and keep up with business demands by optimizing the investment, use and allocation of IT assets.

6. Performance Measurement (12 percent): Ensure that business-supporting IT goals/objectives and measures are established in collaboration with key stakeholders, and that measurable targets are set, monitored and evaluated.

CERTIFIED IN RISK AND INFORMATION SYSTEMS CONTROL

The CRISC exam is offered twice each year and consists of 200 multiple-choice questions that cover five domains defined by the CRISC job practice. The domains and percentages below indicate content and the emphasis of questions that will appear on the exam. The job practice is based on ISACA's global research and frameworks including Risk IT and COBIT 4.1, independent market research, and input from thousands of subject matter experts (SMEs) from around the world. The statements within each domain are intended to define the roles and responsibilities of the CRISC professional.

Domains: The job practice consists of task and knowledge statements, organized by domains. These statements and domains were the result of extensive research and feedback from risk and control SMEs around the world. The domains and their definitions are as follows:

1. Domain 1 - Risk Identification, Assessment and Evaluation (31 percent): Identify, assess and evaluate risk factors to enable the execution of the enterprise risk management strategy.

2. Domain 2 - Risk Response (17 percent): Develop and implement risk responses to ensure that risk factors and events are addressed in a cost-effective manner and in line with business objectives.

3. Domain 3 - Risk Monitoring (17 percent): Monitor risk and communicate information to the relevant stakeholders to ensure the continued effectiveness of the enterprise's risk management strategy.

4. Domain 4 - Information Systems Control Design and Implementation (17 percent): Design and implement information systems controls in alignment with the organization's risk appetite and tolerance levels to support business objectives.

5. Domain 5 - Information Systems Control Monitoring and Maintenance (18 percent): Monitor and maintain information systems controls to ensure that they function effectively and efficiently.