Cisa Cism Cgeit Crisc 2011 Overview

CISA/CISM/CGEIT/CRISC Programs Overview

Kari Pohjola, CISA, CISM, CGEIT, CRISC

ISACA Finland Certification Coordinator

ANSI Accreditation

• The American National Standards Institute (ANSI) has awarded accreditation under ISO/IEC 17024 to the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certification programs. ANSI reaccredited these ISACA programs in 2008, and ISACA is currently under review for recertification. ISACA is planning to pursue ANSI accreditation for the CGEIT certification program in the future.

• Accreditation by ANSI signifies that ISACA’s procedures meet ANSI’s essential requirements for openness, balance, consensus and due process.

CISA Certification Details

www.isaca.org/cisa

Why Become A CISA?

• Enhanced Knowledge and Skills
– To demonstrate your willingness to improve your technical knowledge and skills
– To demonstrate to management your proficiency and commitment toward organizational excellence

• Career Advancement
– To obtain credentials that employers seek
– To enhance your professional image

• Worldwide Recognition
– To be included with nearly 73,000 other professionals who have gained the CISA designation worldwide

CISA in the Workplace

• Almost 2,400 are now employed in organizations as the CEO, CFO or equivalent executive position

• More than 2,000 serve as chief audit executives (CAEs), audit partners or audit heads

• Nearly 6,000 serve as CIOs, CISOs, security directors, security managers or consultants

• More than 10,500 serve as audit directors, managers or consultants

• More than 15,400 are employed in managerial or consulting positions in IT operations or compliance

• More than 14,400 auditors (IS/IT and non-IS/IT)

Recent CISA Program Recognition

• SC Magazine has named CISA the winner of the Best Professional Certification Program. With almost 700 entries submitted in 30 categories, the 2009 SC Awards were the most competitive yet in the program’s 12-year history.

• The CISA certification program was awarded the “Best Professional Development Grand Award” and the “Best Professional Development (Scheme) Award” in the ‘Hong Kong ICT Awards 2009’ presentation ceremony. The Hong Kong ICT Awards were established in 2006 under a collaborative effort amongst the industry, academia and the Government.

Other CISA Program Recognition

• In a January 2010 study by Mile High Research, ISACA’s CISA and CISM certifications made the top 10 in-demand IT certifications for new jobs posted over the last 14 days. The job descriptions specified one or more certifications as minimum or preferred credentials for the job posting. ISACA and other organizations whose credentials made the top 10 “obviously make a connection between their certifications and employers – that connection is value,” said Denny Schall, CLO of Mile High Research.

• The Payment Card Industry (PCI) Data Security Standard (DSS) has named CISA and CISM certifications as validation requirements for Qualified Security Assessors (QSAs), the organizations that validate an entity’s adherence to PCI DSS requirements.

CISAs by Area

• North America: 46%
• Asia/Mid-East: 27%
• Europe/Africa: 22%
• Central/South America: 3%
• Oceania: 2%

CISA Job Practice Areas

Note: A CISA job practice analysis is underway to reflect the vital and evolving responsibilities of IT auditors and stay current with the market. Results of this analysis will be incorporated into the June 2011 exam. www.isaca.org/cisajpa

• IS Audit Process – 10%: Provide IS audit services in accordance with IS audit standards, guidelines, and best practices to assist the organization in ensuring that its information technology and business systems are protected and controlled.

• IT Governance – 15%: To provide assurance that the organization has the structure, policies, accountability, mechanisms, and monitoring practices in place to achieve the requirements of corporate governance of IT.

• Systems and Infrastructure Lifecycle – 16%: To provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance, and disposal of systems and infrastructure will meet the organization’s objectives.

CISA Job Practice Areas (continued)

• IT Service Delivery and Support – 14%: To provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization’s objectives.

• Protection of Information Assets – 31%: To provide assurance that the security architecture (policies, standards, procedures, and controls) ensures the confidentiality, integrity, and availability of information assets.

• Business Continuity and Disaster Recovery – 14%: To provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact.

For complete details visit: www.isaca.org/cisajobpractice

CISA Certification Requirements

• Earn a passing score on the CISA Exam

• Have a minimum of five years of verifiable IS audit, control or security experience (substitutions available)

• Submit the CISA application and receive approval

• Adhere to ISACA’s Code of Professional Ethics

• Abide by IS Auditing Standards as adopted by ISACA

• Comply with CISA Continuing Professional Education Policy

CISM Certification Details

www.isaca.org/cism

CISM Certification Current Facts

• More than 12,500 CISMs worldwide

• The CISM exam is offered in 4 languages (English, Japanese, Korean and Spanish) in 240+ locations

CISM Uniqueness

What makes CISM Unique?

– Designed for information security managers exclusively

– Criteria and exam developed from job practice analysis validated by information security managers

– Experience requirement includes information security management

CISM Target Market

What is the CISM Target Market?

Individuals who design, implement and manage an enterprise’s information security program.

• Security managers

• Security directors

• Security officers

• Security consultants

• Security staff

Recent CISM Recognition

• In a January 2010 study by Mile High Research, ISACA’s CISA and CISM certifications made the top 10 in-demand IT certifications for new jobs posted over the last 14 days. The job descriptions specified one or more certifications as minimum or preferred credentials for the job posting. ISACA and other organizations whose credentials made the top 10 “obviously make a connection between their certifications and employers – that connection is value,” said Denny Schall, CLO of Mile High Research.

Recent CISM Recognition (continued)

• CIO Magazine, SC Magazine and Foote Partners research continually cite CISM as a credential that earns top pay when compared to other credentials.

– In April 2009, the Foote Partners “Salary Survey” ranked the CISM certification as the highest paying IT Security certification. CISM was also found to be the only security certification to gain value within the past twelve months.

• Certification Magazine’s 2008 and 2009 salary survey ranked the CISM certification as the third highest paying certification.

CISMs by Job Title

• IS Security: 39%
• Executive Level: 17.4%
• IT Directors, Managers, Consultants: 16.2%
• IS/IT Audit: 13%
• Compliance & Risk: 10%
• Other: 4.4%

CISMs by Geographic Area

• North America: 50%
• Europe/Africa: 25%
• Asia/Mid-East: 16%
• Central/South America: 6%
• Oceania: 3%

CISM Job Practice (Effective December 2007)

1. Information Security Governance (23%) - Establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.

2. Information Risk Management (22%) - Identify and manage information security risks to achieve business objectives.

3. Information Security Program Development (17%) - Create and maintain a program to implement the information security strategy.

4. Information Security Program Management (24%) - Design, develop and manage an information security program to implement the information security governance framework.

5. Incident Management and Response (14%) - Plan, develop and manage a capability to detect, respond to and recover from information security incidents.

For complete details visit www.isaca.org/cismjobpractice

CISM General Requirements

• Earn a passing score on the exam

• Submit verified evidence of a minimum of five years of information security work experience

• Submit the CISM application and receive approval

• Adhere to ISACA Code of Professional Ethics

• Comply with ISACA’s CISM Continuing Professional Education Policy

CGEIT Certification Details

www.isaca.org/cgeit

Market Need for CGEIT

• Individual – Defines the roles and responsibilities of professionals performing IT governance work and recognizes their professional knowledge and competencies; skill-sets; abilities and experiences

• Enterprise – Supports through the demonstration of a visible commitment to excellence in IT governance practices

• Business – Increases the awareness of IT governance good practices and issues

• Profession – Supports those that provide IT governance management, advisory or assurance direction and strategy

CGEITs by Job Category

• IT Directors, Managers and Consultants: 24%
• Executive Level: 23%
• IS/IT Audit: 22%
• IS Security Professionals: 14%
• Compliance and Risk: 12%
• Other: 5%

CGEITs by Geographical Area

• North America: 50%
• Europe/Africa: 25%
• Asia/Middle East: 16%
• South/Central America: 6%
• Oceania: 3%

CGEIT: Who is it for?

The CGEIT certification is intended to recognize a wide range of professionals for their knowledge and application of IT governance principles and practices. It is designed for professionals who have management, advisory, or assurance responsibilities as defined by the CGEIT Job Practice consisting of IT governance related task and knowledge statements.

CGEIT Job Practice

1. IT Governance Framework - Develop, or be part of the development of, an IT governance framework that includes the following responsibilities and tasks.

2. Strategic Alignment - Develop, or be part of the development of, an enterprise’s IT strategy that includes the following responsibilities and tasks.

3. Value Delivery - Develop, or be part of the development of, a systematic, analytical and continuous value governance process that includes the following responsibilities and tasks.

CGEIT Job Practice (continued)

4. Risk Management - Develop, enhance and maintain a systematic, analytical and continuous enterprise risk management process across the enterprise that includes the following responsibilities and tasks.

5. Resource Management - Develop, or assist in the development of, systematic and continuous resource planning, management and evaluation processes that include the following responsibilities and tasks.

6. Performance Measurement - Develop, or assist in the development of, systematic and continuous performance management and evaluation processes that include the following responsibilities and tasks.

For more complete details visit www.isaca.org/cgeitjobpractice

CGEIT Experience Requirements

• Earn a passing score on the CGEIT exam

• Submit verified evidence of the five year experience requirement as defined by the CGEIT Job Practice

• Submit the CGEIT application and receive approval

• Adhere to the ISACA Code of Professional Ethics

• Comply with the CGEIT Continuing Education Policy

• Comply with Information Systems Auditing Standards

CISA, CISM and CGEIT Exam Details

Administration of the CISA, CISM and CGEIT Exams

Key dates for June 2011 exam:

09 Feb Early Registration Deadline

06 Apr Final Registration Deadline

11 Jun Exam

– More than 240 test sites offered for each exam administration

– Offered in every city where there is an ISACA chapter or a large interest by individuals to sit for the exam

– Passing mark of 450 on a common scale of 200 to 800

2011 Registration Fees

Early Registration: On or before 9 February 2011:
• ISACA Member: US $425.00
• Non-Member: US $565.00

Final Registration: After 9 February 2011, but on or before 6 April 2011:
• ISACA Member: US $475.00
• Non-Member: US $615.00

Register Online at www.isaca.org/examreg
• Online registration via the ISACA web site is encouraged, as candidates will save US $50.
• Non-members can join ISACA at the same time, which maximizes their savings.

Exam registration fees must be paid in full to sit for the exams. Those whose exam registration fees are not paid will not be sent an exam admission ticket and their registration will be cancelled.

Bulletin of Information and Registration Form

• There is a Bulletin of Information for each exam administration for each exam.

• Can be downloaded from ISACA web site – www.isaca.org > certification

• Is available in the languages offered for CISA, CISM or CGEIT exam

Bulletin Includes:
– Requirements for certification
– Exam description
– Registration instructions
– Test date procedures
– Score reporting
– Test center locations
– Registration form

Types of Questions on the CISA, CISM and CGEIT Exams

• The CISA and CISM exams each consist of 200 multiple choice questions administered over a four-hour period.

• The CGEIT exam consists of 120 multiple choice questions administered over a four-hour period.

• Questions are designed to test practical knowledge and experience

• Questions require the candidate to choose one best answer

• Every question or statement has four options (answer choices)

Quality of the Exam Ensured by:

• Job Analysis Study: determines content

• Test Development Standards: ensures high standards for the development and review of questions

• Review Process: provides two reviews of questions by independent committees before acceptance into pool

• Periodic Pool Cleaning: ensures that questions in the pool are up-to-date by continuously reviewing questions

• Statistical Analysis of Questions: ensures quality questions and grading by analyzing exam statistics for each language

Practice question:

• In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?

– A. Detection risk assessment

– B. Control risk assessment

– C. Inherent risk assessment

– D. Fraud risk assessment

CISA, CISM and CGEIT Continuing Professional Education (CPE) Policy Details

Continuing Professional Education (CPE) Requirements

Certification is renewed annually to those who:

• Report a minimum of 120 hours of continuing professional education (CPE) for each fixed three-year period, with a minimum of 20 hours in each year.

• Report hours annually, in the year they are earned. Hours are reported annually during the renewal process.

• Pay the continuing professional education maintenance fee

• Comply with the ISACA Code of Professional Ethics

ISACA Code of Professional Ethics

Members and ISACA certification holders shall:

1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.

2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.

3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.

4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

ISACA Code of Professional Ethics (continued)

Members and ISACA certification holders shall:

5. Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence.

6. Inform appropriate parties of the results of work performed; revealing all significant facts known to them.

7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

©2010 ISACA. All rights reserved.

Certified in Risk and Information Systems Control™ (CRISC)

Background

• Member needs survey
• External, global market survey
• Market verification survey

Development

• SME feedback
• External validation survey

Scope and Target Audience

IT and business professionals who:

• Understand business and IT risk
• Identify and analyze risk
• Design, implement and maintain controls

Certification - Options

• Grandfathering
• Post-grandfathering (exam-based)

Certification - Grandfathering

Requirements
• Submit evidence of appropriate work experience
• 8 years of IT or business experience
• 6 years of experience across all domains with a minimum of 3 years experience in risk-related domains
• Pay CRISC grandfathering application fee
• Agree to adhere to the CRISC Continuing Education Policy
• Agree to comply with the ISACA Code of Professional Ethics

Certification - Grandfathering

Application Process:

In order to be considered for CRISC certification under the grandfathering provision an applicant must:

– Obtain an ISACA identification (ID) number (this will be needed for your application). To obtain an ID number and to create an online profile with ISACA please go to: www.isaca.org/profile.

– Remit (pay) the appropriate application fee

– Submit a completed CRISC application for certification under the grandfathering provision

Please see additional guidance via online FAQs at www.isaca.org/CRISCfaq.

Certification - Grandfathering

CRISC Grandfather Application Fee

The payment of an application fee is required to be considered for CRISC certification under the grandfathering provision. Your application will not be reviewed until payment in full is received. The amount of the fee is dependent on your ISACA membership status and the date of application. The payment amount is as follows:

• Application and payment received by 31 October 2010: member rate $495, nonmember rate $625
• Application and payment received between 1 November 2010 and 31 March 2011: member rate $595, nonmember rate $725

In order to take advantage of the ISACA member application fee you must become an ISACA member prior to submitting your application. To join as an ISACA member please go to: www.isaca.org/membership.

Certification - Grandfathering

Where can I download a CRISC grandfathering application?

www.isaca.org/criscapp

How long will the grandfathering period be open?

The grandfathering period will be open through 31 March 2011.

Can I make the grandfather application fee payment online?

Yes, you can make the payment online at www.isaca.org/criscpay

Certification – Exam-based

Requirements

• Pass exam
• 5 years of IT or business experience
• 3 years of experience across a minimum of 3 of the 5 domains
• Compliance with CRISC Continuing Education Policy
• Compliance with the ISACA Code of Professional Ethics

Job Practice Domains

• Domain 1—Risk Identification, Assessment and Evaluation (31%): Identify, assess and evaluate risk to enable the execution of the enterprise risk management strategy.

• Domain 2—Risk Response (17%): Develop and implement risk responses to ensure that risk issues, opportunities and events are addressed in a cost-effective manner and in line with business objectives.

• Domain 3—Risk Monitoring (17%): Monitor risk and communicate information to the relevant stakeholders to ensure the continued effectiveness of the enterprise’s risk management strategy.

• Domain 4—IS Control Design and Implementation (17%): Design and implement IS controls in alignment with the organization’s risk appetite and tolerance levels to support business objectives.

• Domain 5—IS Control Monitoring and Maintenance (18%): Monitor and maintain IS controls to ensure they function effectively and efficiently.

CRISC complements other ISACA certifications:

• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)
• Certified in the Governance of Enterprise IT (CGEIT)
• Certified in Risk and Information Systems Control (CRISC)


Further Information

Visit www.isaca.org/certification

E-mail [email protected]

Call +1.847.660.5660

www.isaca.fi

[email protected]

0400 415 678