CISA/CISM Programs DoD and Component Overview June 29, 2006.


Transcript of CISA/CISM Programs DoD and Component Overview June 29, 2006.

Page 1

CISA/CISM Programs
DoD and Component Overview
June 29, 2006

Page 2

ISACA Facts

• Founded in 1969, as the EDP Auditors Association

• More than 53,000 members in over 140 countries

• More than 170 chapters in over 60 countries worldwide

Page 3

CISA Certification ANSI Accreditation

• The American National Standards Institute (ANSI) has awarded accreditation under ISO/IEC 17024 to the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certification programs.

• Accreditation by ANSI signifies that ISACA’s procedures meet ANSI’s essential requirements for openness, balance, consensus and due process.

Page 4

DoD Mandate

• 100% of the DoD IA workforce to be certified by 12/09.

How do ISACA’s CISA and CISM certifications apply to the mandate?

IAT Level I    –
IAT Level II   –
IAT Level III  CISA
IAM Level I    –
IAM Level II   CISM
IAM Level III  CISM

Page 5

CISA Certification Details

Page 6

Who is the CISA Certification Intended for?

Individuals with experience providing:

• IT audit and assurance services

• Assurance that:

– the organization can achieve corporate governance of IT

– systems and infrastructure life cycle management meets the organization’s objectives

– IT service management practices meet the organization’s objectives

– an organization’s security architecture ensures confidentiality, integrity and availability of information assets

– disaster recovery and business continuity plans will ensure timely resumption of IT services while minimizing the business impact

Page 7

CISA Certification Current Facts

CERTIFIED PROFESSIONALS

• More than 48,000 CISAs worldwide

EXAM

• Offered twice annually in June and December

• Offered in 11 languages, in 220+ locations

• In 2005, more than 30,000 candidates registered for the exam

Page 8

CISAs as our Current and Future Leaders

A current profile of CISAs demonstrates the increasing managerial influence and authority achieved by CISAs within their organizations:

• More than 1,000 CISAs are now employed in organizations as the chief executive officer, chief financial officer or an equivalent executive position.

• More than 2,300 serve as chief audit executives, audit partners or audit heads.

• More than 2,700 serve as chief information officers, chief information security officers, security directors, security managers or consultants.

• More than 4,000 serve as audit directors, managers or consultants.

• Nearly 8,000 additional CISAs are currently employed in managerial or consulting positions in IT operations or compliance.

Page 9

CISA Record Growth – Number of CISA exam registrants by year

[Bar chart: CISA exam registrants per year, 1998 through 2005; vertical axis 0 to 40,000]

For the eleventh consecutive year registration for the CISA exam reached a new high.

Page 10

CISA Certification Requirements

• Passing score on CISA Exam

• At least five years of IS audit, control, assurance and/or security experience (some substitutions available)

• Adherence to Code of Professional Ethics

• Minimum 120 contact hours of continuing education every three years

Page 11

Why Become A CISA?

• To fulfill a requirement of employment

• To advance in your career

• To demonstrate your willingness to improve your technical knowledge and skills

• To demonstrate to management your commitment toward organizational excellence

• To obtain credentials that employers seek

• To enhance your professional image

• To be included with other professionals who have gained worldwide recognition

Page 12

Other CISA Program Recognition

• U.S. Department of Defense approved obtaining a CISA among the four approved baseline certifications for IT Assurance professionals at Level III

• U.S. Federal Reserve System requires IT Examiners to obtain a CISA

• Canadian Institute of Chartered Accountants (CICA) recognizes CISA as an IT assurance specialty

• The American Institute of CPAs waives all requirements to become a CITP to CPAs and CISAs in “good standing”

• Law in Korea requires that highly skilled professionals, such as CISAs, perform information system audit and security services

• The US Department of Veterans Affairs reimburses exam fees for the CISA exam

• The National Stock Exchange (NSE) of India recognizes the CISA designation as an integral facet of its system auditing guidelines

• India’s National Information Security Assurance Program recognizes the CISA designation to assess the information security risks in public sector organizations

• Microsoft recognizes CISA as a part of its Infrastructure Security and Security Management specializations

Page 13

CISA Job Practice

• IS Audit Process – 10%
Provide IS audit services in accordance with IS audit standards, guidelines, and best practices to assist the organization in ensuring that its information technology and business systems are protected and controlled.

• IT Governance – 15%
To provide assurance that the organization has the structure, policies, accountability, mechanisms, and monitoring practices in place to achieve the requirements of corporate governance of IT.

• Systems and Infrastructure Lifecycle – 16%
To provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance, and disposal of systems and infrastructure will meet the organization’s objectives.

• IT Service Delivery and Support – 14%
To provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization’s objectives.

• Protection of Information Assets – 31%
To provide assurance that the security architecture (policies, standards, procedures, and controls) ensures the confidentiality, integrity, and availability of information assets.

• Business Continuity and Disaster Recovery – 14%
To provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact.

Page 14

CISM Certification Details

Page 15

Who is the CISM Certification Intended for?

Individuals who design, implement and manage an enterprise’s information security program.

• Security managers

• Security directors

• Security officers

• Security consultants

Page 16

CISM Uniqueness

What makes CISM Unique?

• Designed for information security managers exclusively

• Criteria and exam developed from job practice analysis validated by information security managers

• Experience requirement includes information security management

Page 17

CISM General Requirements

Certified Information Security Manager (CISM) Criteria

• Pass exam

• Submit verified evidence of a minimum of five years of information security work experience

• Adhere to ISACA Code of Professional Ethics

• Comply with continuing education policy

CISM Growth

• More than 6,000 CISMs worldwide

• June 2006 exam offered in 220+ locations

• Exam also offered in Japanese and Spanish

Page 18

CISM Recognition

• U.S. Department of Defense approves obtaining a CISM among the three approved baseline certifications for IT Assurance Managers at Level II and III

• The US Department of Veterans Affairs reimburses exam fees for the CISM exam

• Microsoft recognizes CISM as a part of its Infrastructure Security and Security Management specializations

Page 19

CISM Exam Growth – Number of CISM registrants by year

[Bar chart: CISM exam registrants per year, 2003 through 2005; vertical axis 0 to 3,500]

Page 20

CISMs as our Current and Future Leaders

A current profile of CISMs demonstrates the managerial influence and authority achieved by CISMs within their organizations:

• More than 800 serve as a chief information officer, chief executive officer or serve in another executive management position.

• Nearly 2,000 serve as an information security director, manager or consultant.

• More than 1,100 serve as an IT director, manager or consultant.

Page 21

Summary of CISM Job Practice Areas

• Information Security Governance (21%)
Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.

• Risk Management (21%)
Identify and manage information security risks to achieve business objectives.

• Information Security Program Management (21%)
Design, develop and manage an information security program(me) to implement the information security governance framework.

• Information Security Management (24%)
Oversee and direct information security activities to execute the information security program(me).

• Response Management (13%)
Develop and manage a capability to respond to and recover from disruptive and destructive information security events.

• New CISM “Practice” Analysis to be effective in 2007

Page 22

CISM and CISA Exam Details

Page 23

Types of Questions on the CISM and CISA Exams

• Each exam consists of 200 questions administered over a four-hour period

• Questions are designed to test practical knowledge and experience

• All questions are multiple choice

• Questions require the candidate to choose one best answer

• Every question or statement has four options (answer choices)

Page 24

Administration of the CISA and CISM Exam

• More than 220 test sites offered

• June 2006 exam offered in every city where there is an ISACA chapter or a large interest in individuals sitting for the exam

• Passing mark of 75 (scaled score)

• 2006 exams:

– Saturday 10 June 2006

– Saturday 9 December 2006

Page 25

December 2006 Registration Fees

On or before 16 August 2006:

ISACA Member: US $340.00

Non-Member: US $460.00

DoD employee non-member: not determined

After 16 August, but on or before 27 September 2006:

ISACA Member: US $390.00

Non-Member: US $510.00

DoD employee non-member: not determined

Register Online

Online registration via the ISACA web site is encouraged, as candidates will save US $35. Non-members can join ISACA at the same time, which maximizes their savings.

Page 26

Bulletin of Information and Registration Form

• Sent to potential candidates in ISACA database each year

• Can be downloaded from ISACA web site – www.isaca.org/cisaboi or www.isaca.org/cismboi

• Additional copies provided to ISACA chapters

– Requirements for certification

– Exam description

– Registration instructions

– Test date procedures

– Score reporting

– Test center locations

– Registration form

Page 27

CISM and CISA Continuing Education Policy Details

Page 28

Continuing Education Requirements

Certification is granted annually to those who:

• annually report a minimum of 20 hours of continuing professional education

• annually pay the continuing education maintenance fee

• comply with the ISACA Code of Professional Ethics

• report a minimum of 120 hours of continuing education for each fixed three-year period

Page 29

What makes CISA and CISM unique?

• Experience based exams

• One of a kind certifications

• ISACA accredited by ANSI

• Unique matching of DoD job requirements to CISA and CISM

Page 30

ISACA Certification Board Involvement

• CISA Board Membership

• CISM Board Membership

• Advisory Group

Page 31

We need to hear from you!

• Frequency of exams

• Locations

• Self-assessment

• Training

• Payment

• Other

• Contact for questions:

Page 32

Want to know more?

ISACA and ITGI

3701 Algonquin Road

Suite 1010

Rolling Meadows, IL USA 60008

Phone: +1.847.253.1545

Fax: +1.847.253.1443

Web site: www.isaca.org