
CISA® Prep Course, 19-21/3/2012

CISM® Prep Course, 22-24/3/2012

What you will learn:

• Introduction to the CISA & CISM Exam

• Overview of the content areas as determined by ISACA

• Determine the level of knowledge required for the content areas to meet the examination’s expectations

• Particular topics which are popular exam questions

• Analyze the “philosophy” of the examinations’ questions

• What the testing conditions will be, after having discussed “model” answers to sample questions

• Reference tools

Course Leader: Dr. Derek Oliver, CISA, CISM, CRISC, CFE, FBCS, FIAP

The CISA Examination

The exam covers tasks that are routinely performed by a CISA and the knowledge required to perform these tasks.

You are given four hours to complete a 200-question multiple-choice exam that covers the following areas:

1. The Process of Auditing Information Systems (14%)

2. Governance and Management of IT (14%)

3. Information Systems Acquisition, Development and Implementation (19%)

4. Information Systems Operations, Maintenance and Support (23%)

5. Protection of Information Assets (30%)

The CISM Examination

The exam covers tasks that are routinely performed by an Information Security Manager and the knowledge required to perform these tasks. A candidate is given four hours to complete a 200-question multiple-choice exam that covers the following areas:

1. Information Security Governance (24%)

2. Risk Management and Compliance (33%)

3. Information Security Program Development and Management (25%)

4. Information Security Incident Management (18%)

You can register on-line at www.isaca.org, provided you meet the eligibility requirements for each certificate.

The exams are hosted at the Hellenic American Union’s Conference Center. For more information on ISACA, you may also contact the ISACA Athens Chapter, Mr. Anestis Demopoulos, Tel: 210-2886041, or visit www.isaca.gr.

Course Leader

Dr Derek J. Oliver, CISA, CISM, CRISC, CFE, FBCS, FIAP, is an Information Audit & Security specialist with over 25 years’ experience. He is a Chartered Fellow of the British Computer Society, a Fellow of the Institute of IT Service Management and a Fellow of the Institute of Analysts & Programmers. In 1996 he was made a Freeman of the City of London. An MSc in information technology was followed by a PhD in Information Security Management and a DBA in Risk & Security Management. He is internationally regarded as an expert in Information Security and ISO27001 and has spoken at international conferences and seminars from Oslo to Cape Town by way of Orlando and Canberra on various information security and audit topics. He is past President of the Information Systems Audit & Control Association (ISACA) in London, a current member of the CISA Test Enhancement Committee and a member of the Institute of Internal Auditors and the Information Systems Security Association. Having been a member of the ISACA Credentialing Task Force that created the CISM designation, he was appointed the founding Chair of the CISM Examination Enhancement Committee in 2004 and currently chairs the Working Party developing an international Business Model for Information Security (BMIS); in addition to this and his appointment as co-chair of the CobiT5 Task Force, he is a member of ISACA’s Future Framework Committee. As a member of the CISA Certification Board he was jointly responsible for setting the annual, international CISA examination. Following his early years in the “Travel Trade” with Thos. Cooks and Trans World Airlines, and 15 years’ service with H.M. Customs & Excise, Mr. Oliver became head of the UK internal audit team of First Data Corporation, the world’s largest third-party processor of credit and debit transactions.

Since 1985 he has conducted both high level and in-depth audit and security reviews across the information processing spectrum, including:

- ISO17799 “Information Security Guidelines” Compliance auditing & consultancy

- All aspects of LAN and WAN security from strategies through access control to infrastructure

- Physical security & risk analysis

- General Controls Reviews, including information security strategies & policies

- Physical and logical security penetration/invasion testing

- Disaster Recovery and Business Continuity, both auditing and plan development

- Various aspects of PC security including the use of illegal/pirate software

- PICK systems security, AS400 security

- IBM Mainframe security, specific application security and access control, including financial, stock control etc.

As a member of the BS7799 working group in 1995/96, Derek was partly responsible for the development of the BS7799 “Code of Practice for the Management of Information Security”; he has since given advice on implementing the Standards to banking and government organisations in Hungary, Slovakia and Slovenia. He also worked on the revised version, issued April 1999, and was a member of the c:cure (BS7799 compliance certification scheme) steering group, which was directed by the Department of Trade and Industry. He has written several articles for various national and international magazines, including on auditing software piracy, BS7799 and the c:cure scheme, and physical security.

CISA & CISM Examinations 2012

Exam Date          Early Registration Date   Final Registration Date
9 June 2012        8 February 2012           4 April 2012
8 December 2012    15 August 2012            3 October 2012

REGISTRATION FORM

In order to guarantee a place in the event, participants are kindly requested to register at the latest 15 working days before the course(s) start. Fees include all seminar material, hands-on tools, coffee and lunch breaks. No extra tax charges.

Contact details:

Ms Eleni Tsirigoti, Tel: 210-3680907, Fax: 210-3633174, e-mail: [email protected]

Ms Vasiliki Zafiri: Tel: 210-3680927, www.hau.gr/management

Delegate’s Personal Details (please print clearly)

First Name Family Name

Company Position/Title

Address City/Postal Code

Tel Fax. e-mail

Invoice Details

Company Name

Area of Business

Address City/Postal code

Tel Fax.

Tax Id. Nr. Tax Registration Office

I/We understand and accept the registration and cancellation policies and procedures, and the protection of personal and credit card data policy.

Signature/Company seal Date

Payment Details

Payments are made to the Hellenic American Union. For bank deposit/transfer information please contact the Hellenic American Union. Please always quote your company’s name or the delegate’s name in the transfer instructions.

- Please invoice my company
- Cheque
- Bank Deposit/Transfer
- Please charge my credit card: Visa / Mastercard / Diners

Cancellation Policy

Payment is due upon registration. Delegates who cancel after registration, or who don’t attend, are liable to pay the full course fee and no refunds can be given. A replacement is always welcome.

Disclaimer: Hellenic American Union reserves the right to change or cancel any part of its published programme due to unforeseen circumstances.

Confidentiality: The information you provide will be safeguarded by the Hellenic American Union, who may use it to keep you informed of relevant products and services. If you do not wish to receive this information from the Hellenic American Union by telephone, fax, e-mail or mail, please check the appropriate box and send this form to the Hellenic American Union, fax nr: 210-3633174, or notify us at tel: 210-3680927, or notify the person in charge of sending this information. We will ensure that you do not receive any further information, unless you instruct us otherwise.

I wish to register for the following course(s):

Course Title                            Standard Delegate Fee   Company discount (3+ persons)   ISACA / (ISC)2 Member
CISA 2012 Prep Course, 19-21/3/2012     €850                    €800 each                       €800
CISM 2012 Prep Course, 22-24/3/2012     €850                    €800 each                       €800

Complete and send this registration form to the HAU Office, fax: 210-3633174, at the LATEST 15 working days before the course(s) start.


Certified Information Systems Auditor - CISA®

Earning the CISA designation helps assure a positive reputation as a qualified IS audit, control and/or security professional. Today, CISA is a powerful career tool for more than 90,000 designated professionals, and has been globally recognized as a symbol of achievement.

CISA Certification Requirements

The CISA designation is awarded to those individuals with an interest in Information Systems auditing, control, and security who have met and continue to meet the following requirements:

• Successful completion of the CISA® examination on the 5 content areas which represent the tasks and knowledge required of today’s and tomorrow’s information systems audit professional:

1. IS Audit Process

2. Governance and Management of IT

3. Information Systems Acquisition, Development and Implementation

4. Information Systems Operations, Maintenance and Support

5. Protection of Information Assets

• At least 5 years of IS auditing, control or security experience

• Adherence to the Code of Professional Ethics

• Compliance with the CISA Continuing Professional Education Policy

CISA Prep Course – 24 hours

Our three-day seminar focuses on the essential areas covered in the new CISA exam, as designed and developed by the ISACA Certification Board. CISA is an exam that tests experience, and experience cannot be taught. However, this course, which is based upon ISACA’s research project as evidenced by the CISA Syllabus, will give you specific guidelines for your study by providing an overview of the core knowledge bases included in the examination ‘Common Body of Knowledge’. Following each section, you will work through a series of sample questions to give you a “feel” for the format and the types of questions you will encounter.

Who should attend: Information Security Auditors, IT Administrators, Chief Information Security Officers, Risk Managers and compliance personnel; Executive and Operational Managers seeking an overall understanding of essential IT Audit management, risks and controls.

Certified Information Security Manager - CISM®

CISM is a unique certification focusing on a candidate’s information security management experience rather than his/her technical, platform or product-specific knowledge. More than 18,000 professionals worldwide earned the CISM within the first two years since its initiation.

CISM Certification requirements

The CISM designation is awarded to those individuals with an interest in Information Security Management who have met and continue to meet the following requirements:

• Successful completion of the CISM® examination on the 4 content areas which represent the tasks and knowledge required of today’s and tomorrow’s information systems audit professional:

1. Information Security Governance

2. Risk Management and Compliance

3. Information Security Program Development and Management

4. Information Security Incident Management

• At least 5 years of information security experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas

• Adherence to the Code of Professional Ethics

• Compliance with CISM Continuing Professional Education Policy

CISM Prep Course – 24 hours

Our three-day preparation seminar covers the core knowledge areas included in the examination “Common Body of Knowledge”. The course will help you discover possible areas of weakness in the subjects covered in the test and also enable you to become familiar with the testing conditions and the philosophy of the questions.

Who should attend: Information Security Managers and Administrators, Chief Information Security Officers, Risk Managers and compliance personnel; Executive and Operational Managers seeking an overall understanding of essential security management, risks and controls.

Why pursue an ISACA designation

You can use ISACA credentials worldwide, you can improve your career opportunities, and you can have a significant advantage in the selection process when personnel are being evaluated for information security and audit positions or promotions.

Employers who hire CISAs and CISMs gain a competitive advantage in implementing IT Governance, through properly and consistently trained IT Audit and Security personnel according to internationally accepted standards.

CISA and CISM are offered in more than 50 countries and have been awarded accreditation by The American National Standards Institute (ANSI) under ISO/IEC 17024, September 2005. ISACA (www.isaca.org), with more than 95,000 members worldwide, is a globally recognized leader in information governance, control, security and audit. ISACA strongly promotes the profession through research, standards, education and certification.

CISA Prep Course AGENDA

Day 1

Introduction to CISA: Approaching the CISA Examination

• Percentage of test questions and survey results

• Definition of content, tasks questions, model answers

Domain 1: The Process of Auditing Information Systems—Provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems.

• Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.

• Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.

• Conduct audits in accordance with IT audit standards to achieve planned audit objectives.

• Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.

• Conduct follow-ups or prepare status reports to ensure that appropriate actions have been taken by management in a timely manner.

Domain 2: Governance and Management of IT—Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve objectives and to support the organization’s strategy.

• Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization’s strategies and objectives.

• Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization’s strategies and objectives.

• Evaluate the IT strategy, including the IT direction, and the processes for the strategy’s development, approval, implementation and maintenance for alignment with the organization’s strategies and objectives.

• Evaluate the organization’s IT policies, standards, and procedures, and the processes for their development, approval, implementation, maintenance, and monitoring, to determine whether they support the IT strategy and comply with regulatory and legal requirements.

• Evaluate IT management and monitoring of controls (e.g., continuous monitoring, quality assurance [QA]) for compliance with the organization’s policies, standards and procedures.

• Evaluate IT resource investment, use and allocation practices, including prioritization criteria, for alignment with the organization’s strategies and objectives.

• Evaluate IT contracting strategies and policies, and contract management practices to determine whether they support the organization’s strategies and objectives.

• Evaluate risk management practices to determine whether the organization’s IT-related risks are properly managed.

• Evaluate monitoring and assurance practices to determine whether the board and executive management receive sufficient and timely information about IT performance.

• Evaluate the organization’s business continuity plan to determine the organization’s ability to continue essential business operations during the period of an IT disruption.

Day 2

Domain 3: Information Systems Acquisition, Development and Implementation—Provide assurance that the practices for the acquisition, development, testing, and implementation of information systems meet the organization’s strategies and objectives.

• Evaluate the business case for proposed investments in information systems acquisition, development, maintenance and subsequent retirement to determine whether it meets business objectives.

• Evaluate the project management practices and controls to determine whether business requirements are achieved in a cost-effective manner while managing risks to the organization.

• Conduct reviews to determine whether a project is progressing in accordance with project plans, is adequately supported by documentation and status reporting is accurate.

• Evaluate controls for information systems during the requirements, acquisition, development and testing phases for compliance with the organization’s policies, standards, procedures and applicable external requirements.

• Evaluate the readiness of information systems for implementation and migration into production to determine whether project deliverables controls and the organization’s requirements are met.

• Conduct post-implementation reviews of systems to determine whether project deliverables, controls and the organization’s requirements are met.

Domain 4: Information Systems Operations, Maintenance and Support—Provide assurance that the processes for information systems operations, maintenance and support meet the organization’s strategies and objectives.

• Conduct periodic reviews of information systems to determine whether they continue to meet the organization’s objectives.

• Evaluate service level management practices to determine whether the level of service from internal and external service providers is defined and managed.

• Evaluate third-party management practices to determine whether the levels of controls expected by the organization are being adhered to by the provider.

• Evaluate operations and end-user procedures to determine whether scheduled and non-scheduled processes are managed to completion.

• Evaluate the use of capacity and performance monitoring tools and techniques to determine whether IT services meet the organization’s objectives.

• Evaluate problem and incident management practices to determine whether incidents, problems or errors are recorded, analyzed and resolved in a timely manner.

• Evaluate change, configuration and release management practices to determine whether scheduled and nonscheduled changes made to the organization’s production environment are adequately controlled and documented.

• Evaluate the adequacy of backup and restore provisions to determine the availability of information required to resume processing.

• Evaluate the organization’s disaster recovery plan to determine whether it enables the recovery of IT processing capabilities in the event of a disaster.

Day 3

Domain 5: Protection of Information Assets—Provide assurance that the organization’s security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.

• Evaluate the information security policies, standards and procedures for completeness and alignment with generally accepted practices.

• Evaluate the design, implementation and monitoring of system and logical security controls to verify the confidentiality, integrity and availability of information.

• Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization’s policies, standards, procedures and applicable external requirements.

• Evaluate the design, implementation and monitoring of physical access and environmental controls to determine whether information assets are adequately safeguarded.

• Evaluate the processes and procedures used to store, retrieve, transport and dispose of information assets (e.g., backup media, offsite storage, hard copy/print data and softcopy media) to determine whether information assets are adequately safeguarded.

The Anatomy of a CISA Question

• How CISA questions are written

• The process of writing the examination

• Question writer rules

• The best approach to the CISA exam

CISM Prep Course AGENDA

Day 1

Information Security Governance

• Develop the information security strategy in support of business strategy and direction.

• Obtain senior management commitment and support for information security throughout the enterprise.

• Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.

• Establish reporting and communication channels that support information security governance activities.

• Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise.

• Establish and maintain information security policies that support business goals and objectives.

• Ensure the development of procedures and guidelines that support information security policies.

• Develop business case and enterprise value analysis that support information security program(me) investments.

Risk Management and Compliance

• Develop a systematic, analytical, and continuous risk management process.

• Ensure that risk identification, analysis, and mitigation activities are integrated into life cycle processes.

• Apply risk identification and analysis methods.

• Define strategies and prioritize options to mitigate risk to levels acceptable to the enterprise.

• Report significant changes in risk to appropriate levels of management on both a periodic and event-driven basis.

Day 2

Information Security Program Management

• Create and maintain plans to implement the information security governance framework.

• Develop information security baseline(s).

• Develop procedures and guidelines to ensure business processes address information security risk.

• Develop procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies.

• Integrate information security program requirements into the organization’s life cycle activities.

• Develop methods of meeting information security policy requirements that recognize impact on end-users.

• Promote accountability by business process owners and other stakeholders in managing information security risks.

• Establish metrics to manage the information security governance framework.

• Ensure that internal and external resources for information security are identified, appropriated and managed.

Information Security Management

• Ensure that the rules of use for information systems comply with the enterprise’s information security policies.

• Ensure that the administrative procedures for information systems comply with the enterprise’s information security policies.

• Ensure that services provided by other enterprises including outsourced providers are consistent with established information security policies.

• Use metrics to measure, monitor, and report on the effectiveness and efficiency of information security controls and compliance with information security policies.

• Ensure that information security is not compromised throughout the change management process.

• Ensure that vulnerability assessments are performed to evaluate effectiveness of existing controls.

• Ensure that non-compliance issues and other variances are resolved in a timely manner.

• Ensure the development and delivery of the activities that can influence culture and behaviour of staff including information security education and awareness.

Day 3

Information Security Incident Management

• Develop and implement processes for detecting, identifying and analyzing security related events.

• Develop response and recovery plans including organizing, training, and equipping the teams.

• Ensure periodic testing of the response and recovery plans where appropriate.

• Ensure the execution of response and recovery plans as required.

• Establish procedures for documenting an event as a basis for subsequent action including forensics when necessary.

• Manage post event reviews to identify causes and corrective actions.

The Anatomy of a CISM Question

• How CISM questions are written & evaluated

• The process of compiling the examination

• Question writer style “rules”

• The best approach to the CISM exam.

Page 3: CISA CISM - Hellenic American · PDF fileCertified Information Systems Auditor - CISA® Earning the CISA designation helps assure a positive reputation as a qualified IS audit, control

Certified Information Systems Auditor - CISA® Earning the CISA designation helps assure a positive reputation as a

qualified IS audit, control and/or security professional.

Today, CISA is a powerful career tool for more than 90,000 designated

professionals, and has been globally recognized as a symbol of

achievement.

CISA Certification Requirements

The CISA designation is awarded to those individuals with an interest in

Information Systems auditing, control, and security who have met and

continue to meet the following requirements regarding:

• Successful completion of the CISA® examination on the 5 content

areas which represent the tasks and knowledge required of today’s and

tomorrow’s information systems audit professional:

1. IS Audit Process

2. Governance and Management of IT

3. Information systems aquisition, development and Implementation

4. Information Operations, Maintenance and Support

5. Protection of Information Assets

• At least 5 years of IS auditing, control or security experience

• Adherence to the Code of Professional Ethics

• Compliance with the CISA Continuing Professional Education Policy

CISA Prep Course – 24 hours

Our three-day seminar focuses on the essential areas covered in the new

CISA exam, as designed and developed by the ISACA Certification Board.

CISA is an exam that tests experience and experience cannot be taught.

However this course, which is based upon ISACA’s research project as

evidence by the CISA Syllabus, will give you specific guidelines in your

study by providing an overview of the core knowledge bases included in

the examination ‘Common Body of Knowledge’. Following each section,

you will work through a series of sample questions to give you a “feel”

for the format and the types of questions you will encounter.

Who should attend: Information Security Auditors, IT Administrators,

Chief Information Security Officers, Risk managers and compliance

personnel; Executive and Operational Managers seeking an overall

understanding of essential IT Audit management, risks and controls.

Certified Information Security Manager - CISM®

CISM is a unique certification focusing on candidate’s information

security management experience rather than his/her technical knowledge

or platform, or product-specific knowledge.

More than 18000 professionals worldwide have earned the CISM with the

first two years since its initiation.

CISM Certification requirements

The CISM designation is awarded to those individuals with an interest in

Information security management, and who have met and continue to

meet the following requirements regarding:

• Successful completion of the CISM® examination on the 4 content

areas which represent the tasks and knowledge required of today’s and

tomorrow’s information systems audit professional:

1. Information Security Governance

2. Risk Management and Compliance

3. Information Security Program Development and Management

4. Information Security Incident Management

• At least 5 years of information security experiences , with a

minimum of three years of information security management work

experience in three or more of the job practice analysis areas

• Adherence to the Code of Professional Ethics

• Compliance with CISM Continuing Professional Education Policy

CISM Prep Course – 24 hours

Our three day preparation seminar covers the core knowledge areas

included in the examination “Common Body of Knowledge”.

The course will help you discover possible areas of weaknesses in the

subjects covered in the test and also enable you to become familiar with

the testing conditions and question’s philosophy.

Who should attend: Information Security Managers and Administrators,

Chief Information Security Officers, Risk Managers and compliance

personnel; Executive and Operational Managers seeking an overall

understanding of essential security management, risks and controls.

Why pursue an ISACA designationYou can use ISACA credentials worldwide, you can improve your career opportunities, and you can have a significant advantage in the selection process when personnel are being evaluated for information security and audit positions or promotions.

Employers who hire CISAs and CISMs gain a competitive advantage in implementing IT Governance, through properly and consistently trained IT Audit and Security personnel according to internationally accepted standards.

CISA and CISM are offered in more than 50 countries and have been awarded accreditation by The American National Standards Institute (ANSI) under ISO/IEC 17024, September 2005. ISACA (www.isaca.org), with more than 95,000 members worldwide, is a globally recognized leader in information governance, control, security and audit. ISACA strongly promotes the profession through research, standards, education and certification.

CISA Prep Course AGENDA

Day 1

Introduction to CISA: Approaching the CISA Examination
• Percentage of test questions and survey results
• Definition of content, tasks, questions, model answers

Domain 1: The Process of Auditing Information Systems—Provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems.
• Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
• Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
• Conduct audits in accordance with IT audit standards to achieve planned audit objectives.
• Report audit findings and make recommendations to key stakeholders to communicate results and effect change when necessary.
• Conduct follow-ups or prepare status reports to ensure that appropriate actions have been taken by management in a timely manner.

Domain 2: Governance and Management of IT—Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve objectives and to support the organization’s strategy.
• Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization’s strategies and objectives.
• Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization’s strategies and objectives.
• Evaluate the IT strategy, including the IT direction, and the processes for the strategy’s development, approval, implementation and maintenance for alignment with the organization’s strategies and objectives.
• Evaluate the organization’s IT policies, standards, and procedures, and the processes for their development, approval, implementation, maintenance, and monitoring, to determine whether they support the IT strategy and comply with regulatory and legal requirements.
• Evaluate IT management and monitoring of controls (e.g., continuous monitoring, quality assurance [QA]) for compliance with the organization’s policies, standards and procedures.
• Evaluate IT resource investment, use and allocation practices, including prioritization criteria, for alignment with the organization’s strategies and objectives.
• Evaluate IT contracting strategies and policies, and contract management practices to determine whether they support the organization’s strategies and objectives.
• Evaluate risk management practices to determine whether the organization’s IT-related risks are properly managed.
• Evaluate monitoring and assurance practices to determine whether the board and executive management receive sufficient and timely information about IT performance.
• Evaluate the organization’s business continuity plan to determine the organization’s ability to continue essential business operations during the period of an IT disruption.

Day 2

Domain 3: Information Systems Acquisition, Development and Implementation—Provide assurance that the practices for the acquisition, development, testing, and implementation of information systems meet the organization’s strategies and objectives.
• Evaluate the business case for proposed investments in information systems acquisition, development, maintenance and subsequent retirement to determine whether it meets business objectives.
• Evaluate the project management practices and controls to determine whether business requirements are achieved in a cost-effective manner while managing risks to the organization.
• Conduct reviews to determine whether a project is progressing in accordance with project plans, is adequately supported by documentation and status reporting is accurate.
• Evaluate controls for information systems during the requirements, acquisition, development and testing phases for compliance with the organization’s policies, standards, procedures and applicable external requirements.
• Evaluate the readiness of information systems for implementation and migration into production to determine whether project deliverables, controls and the organization’s requirements are met.
• Conduct post-implementation reviews of systems to determine whether project deliverables, controls and the organization’s requirements are met.

Domain 4: Information Systems Operations, Maintenance and Support—Provide assurance that the processes for information systems operations, maintenance and support meet the organization’s strategies and objectives.
• Conduct periodic reviews of information systems to determine whether they continue to meet the organization’s objectives.
• Evaluate service level management practices to determine whether the level of service from internal and external service providers is defined and managed.
• Evaluate third-party management practices to determine whether the levels of controls expected by the organization are being adhered to by the provider.
• Evaluate operations and end-user procedures to determine whether scheduled and non-scheduled processes are managed to completion.
• Evaluate the use of capacity and performance monitoring tools and techniques to determine whether IT services meet the organization’s objectives.
• Evaluate problem and incident management practices to determine whether incidents, problems or errors are recorded, analyzed and resolved in a timely manner.
• Evaluate change, configuration and release management practices to determine whether scheduled and non-scheduled changes made to the organization’s production environment are adequately controlled and documented.
• Evaluate the adequacy of backup and restore provisions to determine the availability of information required to resume processing.
• Evaluate the organization’s disaster recovery plan to determine whether it enables the recovery of IT processing capabilities in the event of a disaster.

Day 3

Domain 5: Protection of Information Assets—Provide assurance that the organization’s security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.
• Evaluate the information security policies, standards and procedures for completeness and alignment with generally accepted practices.
• Evaluate the design, implementation and monitoring of system and logical security controls to verify the confidentiality, integrity and availability of information.
• Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization’s policies, standards, procedures and applicable external requirements.
• Evaluate the design, implementation and monitoring of physical access and environmental controls to determine whether information assets are adequately safeguarded.
• Evaluate the processes and procedures used to store, retrieve, transport and dispose of information assets (e.g., backup media, offsite storage, hard copy/print data and softcopy media) to determine whether information assets are adequately safeguarded.

The Anatomy of a CISA Question
• How CISA questions are written
• The process of writing the examination
• Question writer rules
• The best approach to the CISA exam

CISM Prep Course AGENDA

Day 1

Information Security Governance
• Develop the information security strategy in support of business strategy and direction.
• Obtain senior management commitment and support for information security throughout the enterprise.
• Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.
• Establish reporting and communication channels that support information security governance activities.
• Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise.
• Establish and maintain information security policies that support business goals and objectives.
• Ensure the development of procedures and guidelines that support information security policies.
• Develop a business case and enterprise value analysis that support information security program(me) investments.

Risk Management and Compliance
• Develop a systematic, analytical, and continuous risk management process.
• Ensure that risk identification, analysis, and mitigation activities are integrated into life cycle processes.
• Apply risk identification and analysis methods.
• Define strategies and prioritize options to mitigate risk to levels acceptable to the enterprise.
• Report significant changes in risk to appropriate levels of management on both a periodic and event-driven basis.

Day 2

Information Security Program Management
• Create and maintain plans to implement the information security governance framework.
• Develop information security baseline(s).
• Develop procedures and guidelines to ensure business processes address information security risk.
• Develop procedures and guidelines for IT infrastructure activities to ensure compliance with information security policies.
• Integrate information security program requirements into the organization’s life cycle activities.
• Develop methods of meeting information security policy requirements that recognize the impact on end-users.
• Promote accountability by business process owners and other stakeholders in managing information security risks.
• Establish metrics to manage the information security governance framework.
• Ensure that internal and external resources for information security are identified, appropriated and managed.

Information Security Management
• Ensure that the rules of use for information systems comply with the enterprise’s information security policies.
• Ensure that the administrative procedures for information systems comply with the enterprise’s information security policies.
• Ensure that services provided by other enterprises, including outsourced providers, are consistent with established information security policies.
• Use metrics to measure, monitor, and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
• Ensure that information security is not compromised throughout the change management process.
• Ensure that vulnerability assessments are performed to evaluate the effectiveness of existing controls.
• Ensure that non-compliance issues and other variances are resolved in a timely manner.
• Ensure the development and delivery of activities that can influence the culture and behaviour of staff, including information security education and awareness.

Day 3

Information Security Incident Management
• Develop and implement processes for detecting, identifying and analyzing security-related events.
• Develop response and recovery plans, including organizing, training, and equipping the teams.
• Ensure periodic testing of the response and recovery plans where appropriate.
• Ensure the execution of response and recovery plans as required.
• Establish procedures for documenting an event as a basis for subsequent action, including forensics when necessary.
• Manage post-event reviews to identify causes and corrective actions.

The Anatomy of a CISM Question
• How CISM questions are written & evaluated
• The process of compiling the examination
• Question writer style “rules”
• The best approach to the CISM exam


Certified Information Systems Auditor - CISA®

Earning the CISA designation helps assure a positive reputation as a qualified IS audit, control and/or security professional. Today, CISA is a powerful career tool for more than 90,000 designated professionals, and has been globally recognized as a symbol of achievement.

CISA Certification Requirements

The CISA designation is awarded to those individuals with an interest in Information Systems auditing, control, and security who have met and continue to meet the following requirements:

• Successful completion of the CISA® examination on the 5 content areas which represent the tasks and knowledge required of today’s and tomorrow’s information systems audit professional:
1. IS Audit Process
2. Governance and Management of IT
3. Information Systems Acquisition, Development and Implementation
4. Information Systems Operations, Maintenance and Support
5. Protection of Information Assets
• At least 5 years of IS auditing, control or security experience
• Adherence to the Code of Professional Ethics
• Compliance with the CISA Continuing Professional Education Policy

CISA Prep Course – 24 hours

Our three-day seminar focuses on the essential areas covered in the new CISA exam, as designed and developed by the ISACA Certification Board. CISA is an exam that tests experience, and experience cannot be taught. However, this course, which is based upon ISACA’s research project as evidenced by the CISA Syllabus, will give you specific guidelines for your study by providing an overview of the core knowledge bases included in the examination “Common Body of Knowledge”. Following each section, you will work through a series of sample questions to give you a “feel” for the format and the types of questions you will encounter.

Who should attend: Information Security Auditors, IT Administrators, Chief Information Security Officers, Risk Managers and compliance personnel; Executive and Operational Managers seeking an overall understanding of essential IT Audit management, risks and controls.

Certified Information Security Manager - CISM®

CISM is a unique certification focusing on a candidate’s information security management experience rather than his/her technical knowledge or platform- or product-specific knowledge. More than 18,000 professionals worldwide earned the CISM within the first two years of its introduction.

CISM Certification Requirements

The CISM designation is awarded to those individuals with an interest in information security management who have met and continue to meet the following requirements:

• Successful completion of the CISM® examination on the 4 content areas which represent the tasks and knowledge required of today’s and tomorrow’s information security management professional:
1. Information Security Governance
2. Risk Management and Compliance
3. Information Security Program Development and Management
4. Information Security Incident Management
• At least 5 years of information security experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas
• Adherence to the Code of Professional Ethics
• Compliance with the CISM Continuing Professional Education Policy

CISM Prep Course – 24 hours

Our three-day preparation seminar covers the core knowledge areas included in the examination “Common Body of Knowledge”. The course will help you discover possible areas of weakness in the subjects covered in the test and also enable you to become familiar with the testing conditions and the questions’ philosophy.

Who should attend: Information Security Managers and Administrators, Chief Information Security Officers, Risk Managers and compliance personnel; Executive and Operational Managers seeking an overall understanding of essential security management, risks and controls.

Why pursue an ISACA designation

You can use ISACA credentials worldwide, you can improve your career opportunities, and you can have a significant advantage in the selection process when personnel are being evaluated for information security and audit positions or promotions.



The CISA Examination

The exams consist of tasks that are routinely performed by a CISA and the required knowledge to perform these tasks.

You are given four hours to complete a 200 multiple-choice question exam that covers the following areas:

1. The Process of Auditing Information Systems (14%)

2. Governance and Management of IT (14%)

3. Information Systems Acquisition, Development and Implementation (19%)

4. Information Systems Operations, Maintenance and Support (23%)

5. Protection of Information Assets (30%)

The CISM Examination

The exams consist of tasks that are routinely performed by an Information Security Manager and the required knowledge to perform these tasks. A candidate is given four hours to complete a 200 multiple-choice question exam that covers the following areas:

1. Information Security Governance (24%)

2. Risk Management and Compliance (33%)

3. Information Security Program Development and Management (25%)

4. Information Security Incident Management (18%)

You can register on-line at www.isaca.org, provided you meet the above eligibility requirements for each certificate.

The exams are hosted at the Hellenic American Union’s Conference Center. For more information on ISACA, you may also contact the ISACA Athens Chapter, Mr. Anestis Demopoulos, Tel: 210-2886041, or visit www.isaca.gr.

Course Leader

Dr Derek J. Oliver, CISA, CISM, CRISC, CFE, FBCS, FIAP, is an Information Audit & Security specialist with over 25 years’ experience. He is a Chartered Fellow of the British Computer Society, a Fellow of the Institute of IT Service Management and a Fellow of the Institute of Analysts & Programmers. In 1996 he was made a Freeman of the City of London. An MSc in information technology was followed by a PhD in Information Security Management and a DBA in Risk & Security Management. He is internationally regarded as an expert in Information Security and ISO 27001 and has spoken at international conferences and seminars from Oslo to Cape Town by way of Orlando and Canberra on various information security and audit topics. He is past President of the Information Systems Audit & Control Association (ISACA) in London, a current member of the CISA Test Enhancement Committee, and a member of the Institute of Internal Auditors and the Information Systems Security Association. Having been a member of the ISACA Credentialing Task Force that created the CISM designation, he was appointed the founding Chair of the CISM Examination Enhancement Committee in 2004 and currently chairs the Working Party developing an international Business Model for Information Security (BMIS); in addition to this and his appointment as co-chair of the CobiT5 Task Force, he is a member of ISACA’s Future Framework Committee. As a member of the CISA Certification Board he was jointly responsible for setting the annual, international CISA examination.

Following his early years in the “Travel Trade” with Thos. Cook and Trans World Airlines, and 15 years’ service with H.M. Customs & Excise, Dr. Oliver became head of the UK internal audit team of First Data Corporation, the world’s largest third-party processor of credit and debit transactions.

Since 1985 he has conducted both high-level and in-depth audit and security reviews across the information processing spectrum, including:

- ISO 17799 “Information Security Guidelines” compliance auditing & consultancy
- All aspects of LAN and WAN security, from strategies through access control to infrastructure
- Physical security & risk analysis
- General Controls Reviews, including information security strategies & policies
- Physical and logical security penetration/invasion testing
- Disaster Recovery and Business Continuity, both auditing and plan development
- Various aspects of PC security, including the use of illegal/pirate software
- PICK systems security, AS/400 security
- IBM Mainframe security, specific application security and access control, including financial, stock control etc.

As a member of the BS 7799 working group in 1995/96, Derek was partly responsible for the development of the BS 7799 “Code of Practice for the Management of Information Security”; he has since given advice on implementing the Standards to banking and government organisations in Hungary, Slovakia and Slovenia. He also worked on the revised version, issued April 1999, and was a member of the c:cure (BS 7799 compliance certification scheme) steering group, which was directed by the Department of Trade and Industry. He has written several articles for various national and international magazines, including on auditing software piracy, BS 7799 and the c:cure scheme, and physical security.

CISA & CISM Examinations 2012

Exam Date         Early Registration Date   Final Registration Date
9 June 2012       8 February 2012           4 April 2012
8 December 2012   15 August 2012            3 October 2012

REGISTRATION FORM

In order to guarantee a place in the event, participants are kindly requested to register at the latest 15 working days before the course(s) start. Fees include all seminar material, hands-on tools, coffee and lunch breaks. No extra tax charges.

Contact details:

Ms Eleni Tsirigoti, Tel: 210-3680907, Fax: 210-3633174, e-mail: [email protected]

Ms Vasiliki Zafiri: Tel: 210-3680927, www.hau.gr/management

Delegate’s Personal Details (please print clearly)

First Name Family Name

Company Position/Title

Address City/Postal Code

Tel Fax. e-mail

Invoice Details

Company Name

Area of Business

Address City/Postal code

Tel Fax.

Tax Id. Nr. Tax Registration Office

I/We understand and accept the registration and cancellation policies and procedures, and the protection of personal and credit card data policy.

Signature/Company seal Date

Payment Details

Payments are made to the Hellenic American Union. For bank deposit/transfer information please contact the Hellenic American Union. Please always quote your company’s name or the delegate’s name in the transfer instructions.

Please invoice my company / Cheque / Bank Deposit/Transfer / Please charge my credit card: Visa / Mastercard / Diners

Cancellation Policy

Payment is due upon registration. Delegates who cancel after registration, or who don’t attend, are liable to pay the full course fee and no refunds can be given. A replacement is always welcome.

Disclaimer: Hellenic American Union reserves the right to change or cancel any part of its published programme due to unforeseen circumstances.

Confidentiality: The information you provide will be safeguarded by the Hellenic American Union, who may use it to keep you informed of relevant products and services. If you do not wish to receive this information from the Hellenic American Union by telephone, fax, e-mail or mail, please check the appropriate box and send this form to the Hellenic American Union, fax nr: 210-3633174, or notify us at tel: 210-3680927, or notify the person in charge of sending this information. We will ensure that you do not receive any further information, unless you instruct us otherwise.

Course Title                              Standard Delegate Fee   Company discount (3+ persons)   ISACA / (ISC)2 Member
CISA 2012 Prep Course, 19-21/3/2012       €850                    €800 each                       €800
CISM 2012 Prep Course, 22-24/3/2012       €850                    €800 each                       €800

Complete and send this registration form to the HAU Office, fax: 210-3633174, at the LATEST 15 working days before the course(s) start.

I wish to register for the following course(s):
