Generally accepted standards for IT security are available and should be
used where possible. The use of widely accepted standards can form a
strong base against which audit work can be carried out, and prospective
computer auditors are urged to read such standards. For example, policies
and standards are essential in the software systems development life cycle,
including:
Analysis and programming
Data structures
Security
Data controls
Documentation
User procedures
User programming
Policies and standards can quickly become outdated in a highly technical environment, so documenting change management is strongly recommended. The cost of not implementing this change management process should be considered in light of the fact that without strong policy and standards statements, anarchy can quickly take hold of an organization. The computer auditor must remember that policies should be relatively static, while standards can change quickly, especially in areas such as client/server applications, where developments are increasingly rapid.
7.9 Auditing Standards and Groups
There are many standards and groups available for you to consult. Several
large-body organizations exist to provide general guidance to auditors and
to enable certification of auditors for a standardized method of looking at
IT security issues in an organization. Certifications are available for professional auditors from many of these groups. For those who wish to learn
more about the field of auditing, we provide a brief overview of some of
these standards bodies and groups below.
7.9.1 Information Systems Audit and Control Association (ISACA)
ISACA provides information on generally applicable and accepted standards for good information technology security and control practices. The association's Web site also provides a global information repository to help
members keep pace with technological change. Additional details on
ISACA can be found on the Internet at http://www.isaca.org.
7.9.1.1 ISACA CISA Certification
The Certified Information Systems Auditor (CISA) is the primary ISACA
certification. The CISA exam tests applicants in the areas of IS auditing,
control, and security. CISA has grown to be a globally recognized and
widely adopted worldwide certification standard. According to the ISACA
Web site, there are more than 29,000 CISAs worldwide. More than 10,000
individuals took the CISA exam in 2002 alone! The CISA designation is
awarded to individuals with an interest in Information Systems auditing,
control, and security who have met and continue to meet stringent requirements, outlined below:
Candidates must demonstrate at least five years of experience working in the field of information systems auditing, control, or security. Such experience must have been gained within the ten-year period preceding the application date for certification or within five years from the date of initially passing the examination. Retaking and successfully passing the examination will be required if the application for certification is not submitted within five years from the passing date of the examination. All experience must be verified independently with employers.
All candidates must agree to adhere to a Code of Professional Ethics
to guide professional and personal conduct.
Candidates must participate in continuing education programs. This
helps maintain an individual’s competency by requiring the update of
existing knowledge and skills in the areas of information systems
auditing, management, accounting, and business areas related to specific industries. It provides a means to differentiate between qualified CISAs and those who have not met the requirements for continuation of their certification, and it is a mechanism for monitoring information systems audit, control, and security professionals’ maintenance of