CISA-Item-Development-Guide


8/7/2019 CISA-Item-Development-Guide

CISA ITEM DEVELOPMENT GUIDE


    TABLE OF CONTENTS

    Content Page

    Purpose of the CISA Item Development Guide 3

    CISA Exam Structure 3

    Item Writing Campaigns 3

    Why Participate as a CISA Item Writer? 3

    Writing Quality Items 3

    Multiple-Choice Items 4

    Developing an Item 4

    General Item Writing Principles 6

    Item Examples 7

    What to Avoid when Constructing Items 8

    Item Development Form 9

    Item Submission & Review Process 9

    Appendix A: CISA Job Practice Analysis 11

    Appendix B: Item Development Form 18


    PURPOSE OF THE CISA ITEM DEVELOPMENT GUIDE

The purpose of this CISA Item Development Guide (Guide) is to provide assistance to item writers in their efforts to increase the quality of new exam items. This Guide thoroughly explains the structure of CISA exam questions and will assist item writers in becoming more skilled in writing and critiquing items.

As you read through this Guide, please pay particular attention to the item writing principles appearing on page 6. Applying these principles will greatly enhance the chances of your items being accepted.

    CISA EXAM STRUCTURE

ISACA and the CISA Certification Board periodically perform a CISA Job Practice Analysis study to determine the tasks and knowledge required of today's and tomorrow's IS audit professionals. The results of this analysis serve as the blueprint for the CISA examination and the CISA item bank. Questions must be written to test a candidate's knowledge of established process and content areas defined by the CISA Job Practice Analysis (see Appendix A, CISA Job Practice Analysis, or http://www.isaca.org/cisacontentareas).

    ITEM WRITING CAMPAIGNS

ISACA conducts approximately two item writing campaigns per year (spring and fall). The purpose of a campaign is to direct item writers to the specific areas within the CISA Job Practice in which to write items. A CISA Test Enhancement Committee (TEC) meeting is scheduled at the conclusion of each item writing campaign to review newly submitted items. All items that are accepted by the CISA TEC are forwarded to the CISA Certification Board for review and possible inclusion on future CISA exams.

WHY PARTICIPATE AS A CISA ITEM WRITER?

As a CISA item writer you will receive the satisfaction of helping to shape the IS audit profession. In addition, both monetary and continuing education rewards can be gained. CISA item writers receive a US$100 honorarium and 1 continuing education credit hour for each item that meets the item writing campaign requirements and is accepted by the CISA TEC. A US$50 honorarium will be awarded for items accepted by the CISA TEC but written outside the campaign areas. Items that are not accepted by the CISA TEC are returned to the item writer with constructive feedback on how to improve the item.

    WRITING QUALITY ITEMS

The first thing to consider when writing an item is its target audience, the CISA candidate. An item must be developed at the proper level of experience expected of a successful CISA candidate. This level of experience, as defined by the CISA Certification Board, is as follows: A CISA should have the ability to autonomously perform the specifics of their role as part of a team, seeking or taking direction where necessary, but acting proactively otherwise. CISAs should have sufficient knowledge and experience to be able to plan their work, make judgments about the relative importance of issues in terms of the business environment, manage assignments and needs effectively, and redevelop plans where necessary. A CISA would normally work for, take direction from more proficient staff members or managers and would seek assistance on complex technology issues from technical experts.

While writing items, one must take into consideration that IS audit and control is a global profession, and individual perceptions and experiences may not reflect the more global position or circumstance. Since the examination and CISA items are developed for the international IS audit and control community, the item writer must be somewhat flexible when determining a globally accepted practice.

    MULTIPLE-CHOICE ITEMS

The CISA exam consists of multiple-choice items. The multiple-choice item is the most commonly used type of test question in certification exams.

    Multiple-choice items consist of a stem and four possible options.

    Item Stem

The item stem is the introductory statement or question that describes a situation or circumstance related to the knowledge being assessed. Item stems can be written in the form of an incomplete statement as well as in question form.

Item Options

The options complete the introductory statement or answer the question and consist of one correct answer (key) and three incorrect answers or distracters.

Key

The key must reflect current practice. In some cases the key will be the only correct choice, while in other cases the key will be deemed to be the BEST choice when considered with the other choices provided.

Distracters

Distracters are the incorrect options but should be plausible or possible correct answers to candidates who are not knowledgeable enough to choose the key.

    DEVELOPING AN ITEM

Item writers must use the Item Development Form included in Appendix B when developing and submitting new items to ISACA. Become familiar with this form prior to item development and make every attempt to complete all sections of the form for each item submitted.

Item writers can write items on any topic within the CISA Job Practice but are encouraged to concentrate the development of items within the areas specified in the CISA item writing campaign. For best results, items should be written on a knowledge statement within a specific task area. Items should focus on a single topic or knowledge statement.

Once a topic is chosen, follow the steps listed below. While writing your item, please refer to the General Item Writing Principles appearing on page 6 for further guidance and review your item using the Item Development Checklist found in Appendix C.

STEP 1 - Write the item stem and keyable answer (Answer A on the Item Development Form).

STEP 2 - Develop plausible distracters. The distracters should not be made-up words or phrases, but may appear to be correct choices to an inexperienced professional. The development of quality distracters is usually the most difficult task for an item writer. If you have difficulty with this part of item development, consult with other staff members or subject matter experts.

STEP 3 - Include a thorough explanation of why the keyable answer is correct as well as why each distracter is not a correct choice. It is not acceptable to simply state that the distracters are incorrect.

STEP 4 - If reference texts are used for the development of an item, the reference sources should be noted on the Item Development Form. Refer to KNET on the ISACA website for applicable references: http://www.isaca.org/knet

STEP 5 - Review your item using the Item Development Checklist found in Appendix C.

STEP 6 - Have a peer or colleague review and critique your item.

STEP 7 - Submit the item to ISACA. (Refer to Item Submission and Review Process on page 9.)


    GENERAL ITEM WRITING PRINCIPLES

    The DOs and DO NOTs of Item Writing

DO:

1. DO test only one testing concept or knowledge statement per item. Knowledge statements were developed for this purpose and items written from a knowledge statement will most likely result in higher quality, practically based items. For a listing of knowledge statements, refer to Appendix A, CISA Job Practice Analysis, or http://www.isaca.org/cisacontentareas
2. DO ensure that the stem and all options are compatible with each other. For example, if your stem reads, "Which of the following audit procedures ...", then all options must be audit procedures.
3. DO keep the stem and options as short as possible by avoiding the use of unnecessary text or jargon. Do not attempt to teach the candidate a concept or theory by providing too much information before asking the question.
4. DO include common words or phrases in the item stem rather than in the key and distracters.
5. DO write all options in the same approximate length and format.
6. DO write options that are grammatically consistent with the item stem and maintain a parallel grammatical format. For example, if the key begins with a verb ending with "ing", then all distracters must begin with a verb ending with "ing".
7. DO use only professionally acceptable or technical terminology in the item stem and options. If in doubt, refer to the CISA terminology list for acceptable terminology: http://www.isaca.org/examterm

DO NOT:

1. DO NOT use a key word or phrase in the item key that appears in the stem. Experienced test takers will look for clues such as this that often identify the key.
2. DO NOT use words such as "frequently", "often", "common", or "rarely" as they introduce subjectivity into the item. If an item is subjective, it can be argued that more than one option is keyable.
3. DO NOT use terms in the stem such as "always", "never", or "all" since very little is absolute and thus it makes it easier for candidates to eliminate distracters.
4. DO NOT use terms such as "least", "not" or "except" as they are negative and require a candidate to choose an incorrect or least preferred choice, rather than a correct or preferred choice. These questions will be returned to the item writer without TEC review.
5. DO NOT use gender pronouns such as he, she, his, or her. Refer to individuals by their title, such as "the IS auditor".
6. DO NOT use "all of the above" or "none of the above" as options. These questions will be returned to the item writer without TEC review.
7. DO NOT test knowledge regarding vendor-specific products. These questions will be returned to the item writer without TEC review.
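Most of the DO and DO NOT rules above are mechanical enough to check before an item is submitted. The script below is an added example, not part of the Guide and not ISACA's own tooling: it lints an item (stem, four options, key) against the word-list rules, flags stem words that reappear in the key or a distracter (the flaw shown in Example 1 under What to Avoid), applies the Item Development Form rule that the key is option A, and checks the period convention for incomplete-statement stems. The stop-word list, the four-letter minimum for compared words and the 2x option-length ratio are the example's own assumptions, not thresholds from the Guide. The two sample items are the Guide's direct-question example and its Example 1; the key letter for the direct-question example is assumed, since the Guide does not print it.

```python
"""Lint a multiple-choice exam item against the item-writing principles."""
import re
from dataclasses import dataclass

# Word lists taken from the DO NOT principles.
SUBJECTIVE = {"frequently", "often", "common", "rarely"}
ABSOLUTE = {"always", "never", "all"}
NEGATIVE = {"least", "not", "except"}
GENDER_PRONOUNS = {"he", "she", "his", "her"}
# Function words ignored when comparing stem and options (constructed list,
# not from the Guide); words shorter than four letters are ignored as well.
STOPWORDS = {"which", "following", "would", "best", "that", "this", "with",
             "from", "into", "than", "should", "could", "have", "been", "does"}


@dataclass
class Item:
    stem: str
    options: dict   # option letter -> option text
    key: str        # letter of the keyed answer


def words(text: str) -> list:
    """Lower-cased alphabetic tokens of a stem or option."""
    return re.findall(r"[a-z]+", text.lower())


def content_words(text: str) -> set:
    """Words worth comparing: four letters or longer and not a function word."""
    return {w for w in words(text) if len(w) >= 4 and w not in STOPWORDS}


def lint(item: Item) -> list:
    """Return the list of rule violations; an empty list means the item passes."""
    findings = []
    stem_words = set(words(item.stem))
    stem_content = content_words(item.stem)

    # Structure: four options, key present, key is option A for processing.
    if len(item.options) != 4:
        findings.append(f"expected 4 options, found {len(item.options)}")
    if item.key not in item.options:
        findings.append(f"key {item.key!r} is not one of the options")
    elif item.key != "A":
        findings.append("key should be option A on the Item Development Form")

    # DO NOT 3 and 4 apply to the stem; DO NOT 2 and 5 to stem and options.
    for w in sorted(stem_words & ABSOLUTE):
        findings.append(f"absolute term {w!r} in stem")
    for w in sorted(stem_words & NEGATIVE):
        findings.append(f"negative term {w!r} in stem")
    for label, text in [("stem", item.stem)] + list(item.options.items()):
        found = set(words(text))
        for w in sorted(found & SUBJECTIVE):
            findings.append(f"subjective word {w!r} in {label}")
        for w in sorted(found & GENDER_PRONOUNS):
            findings.append(f"gender pronoun {w!r} in {label}")

    # DO NOT 1 / DO 4: important words shared by the stem and an option.
    for letter, text in item.options.items():
        shared = stem_content & content_words(text)
        if shared:
            role = "key" if letter == item.key else "distracter"
            findings.append(f"{role} {letter} repeats stem word(s) {sorted(shared)}")

    # DO NOT 6: catch-all options.
    for letter, text in item.options.items():
        if re.search(r"\b(all|none) of the above\b", text, re.I):
            findings.append(f"option {letter} is an 'all/none of the above' option")

    # DO 5: options of roughly equal length (the 2x ratio is an assumption).
    lengths = [len(t) for t in item.options.values()]
    if lengths and max(lengths) > 2 * min(lengths):
        findings.append("option lengths vary by more than 2x")

    # Incomplete-statement stems end with ':' and their options with a period;
    # direct questions end with '?' and their options carry no period.
    incomplete = item.stem.rstrip().endswith(":")
    for letter, text in item.options.items():
        ends_period = text.rstrip().endswith(".")
        if incomplete and not ends_period:
            findings.append(f"option {letter} should end with a period")
        if not incomplete and ends_period:
            findings.append(f"option {letter} should not end with a period")
    return findings


# The Guide's direct-question example; key letter assumed (not printed in the Guide).
DIRECT = Item(
    stem="Which of the following concerns would BEST be addressed by the comparison "
         "of production application systems source code with an archive copy?",
    options={"A": "File maintenance errors", "B": "Unauthorized modifications",
             "C": "Software version currency", "D": "Documentation discrepancies"},
    key="A",
)

# Example 1 from What to Avoid: the stem word "routing" reappears in the key.
EXAMPLE_1 = Item(
    stem="Which of the following methods of providing telecommunication continuity "
         "involves routing traffic through split or duplicate cable facilities?",
    options={"A": "Diverse routing", "B": "Alternative routing",
             "C": "Redundancy", "D": "Long haul network diversity"},
    key="A",
)

if __name__ == "__main__":
    for name, item in [("direct question", DIRECT), ("example 1", EXAMPLE_1)]:
        print(name, lint(item) or "OK")
```

Run as a script it prints no findings for the direct-question example and, for Example 1, the repeated word "routing" in both the key and distracter B plus the length spread between "Redundancy" and "Long haul network diversity". A peer reviewer (STEP 6) still has to judge plausibility of distracters and the level of the item; the lint only catches the clue-giving patterns the principles name.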

    ITEM EXAMPLES

    Direct vs Incomplete Statement Items

Items can be direct questions, incomplete statements, or issue/scenario descriptions.

    Direct question

Stem: Which of the following concerns would BEST be addressed by the comparison of production application systems source code with an archive copy?

Options:
A. File maintenance errors
B. Unauthorized modifications
C. Software version currency
D. Documentation discrepancies

    Incomplete statement

Stem: The comparison of production application systems source code with an archive copy would BEST address:

Options:
A. file maintenance errors.
B. unauthorized modifications.
C. software version currency.
D. documentation discrepancies.

Note that the responses for this item are followed by a period, as the response serves to complete the sentence started in the stem.

It is wise to draft an item first as a direct question, and then revise it to an incomplete sentence if this offers a smoother, less repetitive wording.

    Scenario Questions

When writing this type of item, there are a number of considerations that must be kept in mind. This type of item consists of introductory information or the scenario for the items to follow. There should be a set of two to five items that pertain to this introductory information. The introductory material must be related to a particular field, be relevant and practical, and it must contain all the information necessary for the candidate to draw correct conclusions; do not force the candidate to make assumptions. The associated items should be in some sort of sequence and follow a logical progression. Also, each item should be independent of the other items so that missing one item does not cause missing another item of the set. Care should be taken to ensure that one item does not point to the key of another item.

    WHAT TO AVOID WHEN CONSTRUCTING ITEMS

Following are examples of what to avoid when constructing quality items. Please note that these items will not appear on future exams.

    Example 1

Stem: Which of the following methods of providing telecommunication continuity involves routing traffic through split or duplicate cable facilities?

Options:
A. Diverse routing
B. Alternative routing
C. Redundancy
D. Long haul network diversity

Key: A

Notice that a key word from the stem, "routing", is in the answer. Avoid using important words in both the stem and the answer or any of the distracters.

    Example 2

Stem: A manager in the loan department of a financial institution performs unauthorized changes to the interest rate of several loans in the financial system. Which type of control could BEST have prevented this fraud?

Options:
A. Functional access controls
B. Logging of changes to loan information
C. Senior management supervision
D. Change management controls

    Key: A


The stem assumes functional responsibility. The CISA test is global and it is difficult to define functional responsibilities between countries and organizations. In some organizations, the loan department manager may have access.

    Example 3

Stem: Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job costing system. What is the BEST control to ensure that data entered into the job costing system is accurate?

Options:
A. Reconciliation of total amounts by project.
B. Reasonableness of total amounts by project.
C. Validity checks, preventing entry of character data.
D. Display back of project detail after entry

Key: A

Can a non-IS auditor answer this question? Does this question test an IS audit concept? There are some questions that IS auditors need to be tested on. This is a borderline concept. For the most part, we encourage strictly IS audit concepts.

    ITEM DEVELOPMENT FORM

All items must be submitted on an Item Development Form (see Appendix B) and must be written in English. The Form includes:

Name (Item Writer's name)
Domain/Task (Refer to Appendix A, Job Practice Analysis)
Knowledge Statement (Refer to Appendix A, Job Practice Analysis)
Item Stem
Item Options
Key (always have option A be the key for processing purposes)
Justification (Reasons why the key is correct and the other three options are incorrect)
Reference Source (Refer to KNET on the ISACA website at http://www.isaca.org/knet)

    ITEM SUBMISSION AND REVIEW PROCESS


Each item submitted must include all fields listed on the Item Development Form. Please use Microsoft Word when submitting items. Multiple items should be included in one document. All items MUST be submitted in English.

Submit completed forms to ISACA for initial review. These can be e-mailed to [email protected], or mailed to the Exam Development Coordinator at ISACA headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, Illinois 60008 USA.

An initial review will be performed by the Exam Development Coordinator to ensure completeness and compliance with the item writing principles. Items that are judged to be flawed in any significant way will be sent back to you with appropriate and constructive feedback by the CISA TEC. In some cases an item will be judged to be in need of some revision and will be recommended for later resubmission after suggested changes are made. In other cases an item may be considered to be too flawed to be considered for rewrite and resubmission.

Items that pass the initial review will be forwarded for review and critique by the full membership of the CISA TEC. At this point your item(s) may again be accepted or returned for further work. If returned, the item will include appropriate and constructive feedback. If accepted, the item will become the property of ISACA and you will receive the appropriate payment and continuing credit hours for each item accepted.


    Appendix A

    CISA Job Practice Analysis

Content Area 1: IS Audit Process

Provide IS audit services in accordance with IS audit standards, guidelines, and best practices to assist the organization in ensuring that its information technology and business systems are protected and controlled.

    Task Statements

1.1 Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
1.2 Plan specific audits to ensure that IT and business systems are protected and controlled.
1.3 Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
1.4 Communicate emerging issues, potential risks, and audit results to key stakeholders.
1.5 Advise on the implementation of risk management and control practices within the organization while maintaining independence.

    Knowledge Statements

1.1 Knowledge of ISACA IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
1.2 Knowledge of IS auditing practices and techniques
1.3 Knowledge of techniques to gather information and preserve evidence (e.g., observation, inquiry, interview, CAATs, electronic media)
1.4 Knowledge of the evidence life cycle (e.g., the collection, protection, chain of custody)
1.5 Knowledge of control objectives and controls related to IS (e.g., CobiT)
1.6 Knowledge of risk assessment in an audit context
1.7 Knowledge of audit planning and management techniques
1.8 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution)
1.9 Knowledge of control self-assessment (CSA)
1.10 Knowledge of continuous audit techniques


Content Area 2: IT Governance

To provide assurance that the organization has the structure, policies, accountability, mechanisms, and monitoring practices in place to achieve the requirements of corporate governance of IT.

    Task Statements

2.1 Evaluate the effectiveness of IT governance structure to ensure adequate board control over the decisions, directions, and performance of IT so that it supports the organization's strategies and objectives.
2.2 Evaluate IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives.
2.3 Evaluate the IT strategy and the process for its development, approval, implementation, and maintenance to ensure that it supports the organization's strategies and objectives.
2.4 Evaluate the organization's IT policies, standards, and procedures; and the processes for their development, approval, implementation, and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements.
2.5 Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards, and procedures.
2.6 Evaluate IT resource investment, use, and allocation practices to ensure alignment with the organization's strategies and objectives.
2.7 Evaluate IT contracting strategies and policies, and contract management practices to ensure that they support the organization's strategies and objectives.
2.8 Evaluate risk management practices to ensure that the organization's IT-related risks are properly managed.
2.9 Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance.

    Knowledge Statements

2.1 Knowledge of the purpose of IT strategies, policies, standards and procedures for an organization and the essential elements of each
2.2 Knowledge of IT governance frameworks
2.3 Knowledge of the processes for the development, implementation and maintenance of IT strategies, policies, standards and procedures (e.g., protection of information assets, business continuity and disaster recovery, systems and infrastructure lifecycle management, IT service delivery and support)
2.4 Knowledge of quality management strategies and policies
2.5 Knowledge of organizational structure, roles and responsibilities related to the use and management of IT
2.6 Knowledge of generally accepted international IT standards and guidelines
2.7 Knowledge of enterprise IT architecture and its implications for setting long-term strategic directions
2.8 Knowledge of risk management methodologies and tools
2.9 Knowledge of the use of control frameworks (e.g., CobiT, COSO, ISO 17799)
2.10 Knowledge of the use of maturity and process improvement models (e.g., CMM, CobiT)
2.11 Knowledge of contracting strategies, processes and contract management practices
2.12 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards, key performance indicators [KPI])
2.13 Knowledge of relevant legislative and regulatory issues (e.g., privacy, intellectual property, corporate governance requirements)
2.14 Knowledge of IT human resources (personnel) management
2.15 Knowledge of IT resource investment and allocation practices (e.g., portfolio management, return on investment (ROI))

Content Area 3: Systems and Infrastructure Lifecycle

To provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance, and disposal of systems and infrastructure will meet the organization's objectives.

    Task Statements

3.1 Evaluate the business case for the proposed system development/acquisition to ensure that it meets the organization's business goals.
3.2 Evaluate the project management framework and project governance practices to ensure that business objectives are achieved in a cost-effective manner while managing risks to the organization.
3.3 Perform reviews to ensure that a project is progressing in accordance with project plans, is adequately supported by documentation and status reporting is accurate.
3.4 Evaluate proposed control mechanisms for systems and/or infrastructure during specification, development/acquisition, and testing to ensure that they will provide safeguards and comply with the organization's policies and other requirements.
3.5 Evaluate the processes by which systems and/or infrastructure are developed/acquired and tested to ensure that the deliverables meet the organization's objectives.
3.6 Evaluate the readiness of the system and/or infrastructure for implementation and migration into production.
3.7 Perform post-implementation review of systems and/or infrastructure to ensure that they meet the organization's objectives and are subject to effective internal control.
3.8 Perform periodic reviews of systems and/or infrastructure to ensure that they continue to meet the organization's objectives and are subject to effective internal control.
3.9 Evaluate the process by which systems and/or infrastructure are maintained to ensure the continued support of the organization's objectives and are subject to effective internal control.
3.10 Evaluate the process by which systems and/or infrastructure are disposed of to ensure that they comply with the organization's policies and procedures.

    Knowledge Statements

3.1 Knowledge of benefits management practices (e.g., feasibility studies, business cases)
3.2 Knowledge of project governance mechanisms (e.g., steering committee, project oversight board)
3.3 Knowledge of project management practices, tools, and control frameworks
3.4 Knowledge of risk management practices applied to projects
3.5 Knowledge of project success criteria and risks
3.6 Knowledge of configuration, change and release management in relation to development and maintenance of systems and/or infrastructure
3.7 Knowledge of control objectives and techniques that ensure the completeness, accuracy, validity, and authorization of transactions and data within IT systems applications
3.8 Knowledge of enterprise architecture related to data, applications, and technology (e.g., distributed applications, web-based applications, web services, n-tier applications)
3.9 Knowledge of requirements analysis and management practices (e.g., requirements verification, traceability, gap analysis)
3.10 Knowledge of acquisition and contract management processes (e.g., evaluation of vendors, preparation of contracts, vendor management, escrow)
3.11 Knowledge of system development methodologies and tools and an understanding of their strengths and weaknesses (e.g., agile development practices, prototyping, rapid application development [RAD], object-oriented design techniques)
3.12 Knowledge of quality assurance methods
3.13 Knowledge of the management of testing processes (e.g., test strategies, test plans, test environments, entry and exit criteria)
3.14 Knowledge of data conversion tools, techniques, and procedures
3.15 Knowledge of system and/or infrastructure disposal procedures
3.16 Knowledge of software and hardware certification and accreditation practices
3.17 Knowledge of post-implementation review objectives and methods (e.g., project closure, benefits realization, performance measurement)
3.18 Knowledge of system migration and infrastructure deployment practices

Content Area 4: IT Service Delivery and Support

To provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization's objectives.

    Task Statements

4.1 Evaluate service level management practices to ensure that the level of service from internal and external service providers is defined and managed.
4.2 Evaluate operations management to ensure that IT support functions effectively meet business needs.
4.3 Evaluate data administration practices to ensure the integrity and optimization of databases.
4.4 Evaluate the use of capacity and performance monitoring tools and techniques to ensure that IT services meet the organization's objectives.
4.5 Evaluate change, configuration, and release management practices to ensure that changes made to the organization's production environment are adequately controlled and documented.
4.6 Evaluate problem and incident management practices to ensure that incidents, problems, or errors are recorded, analyzed, and resolved in a timely manner.
4.7 Evaluate the functionality of the IT infrastructure (e.g., network components, hardware, system software) to ensure that it supports the organization's objectives.

    Knowledge Statements

4.1 Knowledge of service level management practices
4.2 Knowledge of operations management best practices (e.g., workload scheduling, network services management, preventive maintenance)
4.3 Knowledge of systems performance monitoring processes, tools, and techniques (e.g., network analyzers, system utilization reports, load balancing)
4.4 Knowledge of the functionality of hardware and network components (e.g., routers, switches, firewalls, peripherals)
4.5 Knowledge of database administration practices
4.6 Knowledge of the functionality of system software including operating systems, utilities, and database management systems
4.7 Knowledge of capacity planning and monitoring techniques
4.8 Knowledge of processes for managing scheduled and emergency changes to the production systems and/or infrastructure including change, configuration, release, and patch management practices
4.9 Knowledge of incident/problem management practices (e.g., help desk, escalation procedures, tracking)
4.10 Knowledge of software licensing and inventory practices
4.11 Knowledge of system resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single point of failure, clustering)

Content Area 5: Protection of Information Assets

To provide assurance that the security architecture (policies, standards, procedures, and controls) ensures the confidentiality, integrity, and availability of information assets.

    Task Statements

5.1 Evaluate the design, implementation, and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets.
5.2 Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted.
5.3 Evaluate the design, implementation, and monitoring of environmental controls to prevent or minimize loss.
5.4 Evaluate the design, implementation, and monitoring of physical access controls to ensure that information assets are adequately safeguarded.
5.5 Evaluate the processes and procedures used to store, retrieve, transport, and dispose of confidential information assets.

Knowledge Statements

5.1 Knowledge of the techniques for the design, implementation and monitoring of security (e.g., threat and risk assessment, sensitivity analysis, privacy impact assessment)
5.2 Knowledge of logical access controls for the identification, authentication, and restriction of users to authorized functions and data (e.g., dynamic passwords, challenge/response, menus, profiles)
5.3 Knowledge of logical access security architectures (e.g., single sign-on, user identification strategies, identity management)
5.4 Knowledge of attack methods and techniques (e.g., hacking, spoofing, Trojan horses, denial of service, spamming)
5.5 Knowledge of processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team)
5.6 Knowledge of network and Internet security devices, protocols, and techniques (e.g., SSL, SET, VPN, NAT)
5.7 Knowledge of intrusion detection systems and firewall configuration, implementation, operation, and maintenance
5.8 Knowledge of encryption algorithm techniques (e.g., AES, RSA)
5.9 Knowledge of public key infrastructure (PKI) components (e.g., certification authorities, registration authorities) and digital signature techniques
5.10 Knowledge of virus detection tools and control techniques
5.11 Knowledge of security testing and assessment tools (e.g., penetration testing, vulnerability scanning)
5.12 Knowledge of environmental protection practices and devices (e.g., fire suppression, cooling systems, water sensors)
5.13 Knowledge of physical security systems and practices (e.g., biometrics, access cards, cipher locks, tokens)
5.14 Knowledge of data classification schemes (e.g., public, confidential, private, and sensitive data)
5.15 Knowledge of voice communications security (e.g., voice over IP)
5.16 Knowledge of the processes and procedures used to store, retrieve, transport, and dispose of confidential information assets
5.17 Knowledge of controls and risks associated with the use of portable and wireless devices (e.g., PDAs, USB devices, Bluetooth devices)

Content Area 6: Business Continuity and Disaster Recovery

To provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact.

    Task Statements

6.1 Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing.

6.2 Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster.

6.3 Evaluate the organization's business continuity plan to ensure its ability to continue essential business operations during the period of an IT disruption.


    Knowledge Statements

6.1 Knowledge of data backup, storage, maintenance, retention and restoration processes, and practices

6.2 Knowledge of regulatory, legal, contractual, and insurance issues related to business continuity and disaster recovery

6.3 Knowledge of business impact analysis (BIA)

6.4 Knowledge of the development and maintenance of the business continuity and disaster recovery plans

6.5 Knowledge of business continuity and disaster recovery testing approaches and methods

6.6 Knowledge of human resources management practices as related to business continuity and disaster recovery (e.g., evacuation planning, response teams)

6.7 Knowledge of processes used to invoke the business continuity and disaster recovery plans

6.8 Knowledge of types of alternate processing sites and methods used to monitor the contractual agreements (e.g., hot sites, warm sites, cold sites)


    Appendix B

    Item Development Form

    Sample Question using the Item Development Form

    Name: Joe Smith

Domain/Task: 0302

Knowledge Statement: 0317

Item Stem: In order for a virus vaccine to be an effective preventive control, which of the following should occur?

Item Options:

A. The virus's signature must be known to the vaccine.

B. The vaccine should be controlled by IS audit.

C. Viral detection software must be used concurrently.

D. The vaccine's encryption key must be kept secret.

    Key: A

Justification:

A. A vaccine recognizes a virus by means of the virus's signature. If a signature is unknown, the vaccine will not prevent a virus from entering a system.

B. This is neither preventive nor detective.

C. This is a detective control.

D. This is a security policy.

Reference Source: Refer to KNET on ISACA's website for a listing of applicable reference materials. http://www.isaca.org/knet


    Appendix C

    Item Development Checklist

Before submitting an item, you must be able to answer YES to all of the following questions.

1. Does the item test an IS audit, control or security concept at the appropriate experience level of the test candidate (3-5 years IS audit)?

2. Does the item test only one IS audit, control or security concept?

3. Is your item clear?

4. Is there enough information (scenario) in the stem to allow for only one correct answer? A candidate must not be able to interpret a distracter as correct based on assumptions due to a lack of information in the stem!

5. Is there only one answer to your stem for any situation, organization or culture? Many items are returned because there may be a situation in which more than one key is possible, based on circumstances not addressed in the stem.

6. Are the stem and all options compatible with each other? For example: "Which of the following audit procedures ...?" All options must be audit procedures.

7. Does your item have plausible distracters but only one correct answer?

8. Have you avoided having words or phrases in the key that appear in the stem?

9. Have you avoided unnecessary text or jargon in the stem or options?

10. Have you avoided using subjective terms such as "frequently," "often," "common" in the stem and options?

11. Have you avoided using absolute terms such as "all," "never," "always" in the stem and options?

12. Have you avoided asking a negative question using such terms as "least," "not," "except"?