The Certified Information Systems Auditor certification isn't only for auditors, Peter Gregory advised. It is also instrumental for employees in companies that perform regular self-assessments or are under near-constant audit.
This makes the CISA exam an attractive option for IT or infosec pros, but newcomers need not apply. Gregory, author of CISA: Certified Information Systems Auditor Practice Exams, warned the certification should be considered by someone who already has years of experience in the field. Designed to demonstrate the certification holder's infosec and IT auditing, control and security expertise, CISA exam prerequisites include five years of professional information systems auditing, control or security work experience.
Here, Gregory discusses key portions of the exam and why test-takers should be ready to learn a new "language" during their CISA journey.
How difficult is the CISA certification exam?
Peter Gregory: It's certainly difficult, and this is by no means limited to the CISA. ISACA's other certifications follow the same methodology. The exam doesn't just ask questions where you have to remember a fact. Instead, a lot of questions on CISA and other ISACA exams describe a fictitious situation in a company and ask, for example, what the security manager or auditor or privacy specialist should do. These kinds of questions separate people who are merely memorizing facts and book knowledge from those who can draw on their real-world work experience.
An excerpt of Chapter 3, "The Audit Process," is available on SearchSecurity. As you noted in the book, the audit process is backed up by the ISACA Code of Professional Ethics and the Information Technology and Assurance Framework (ITAF). Can you explain how these relate?
Gregory: The Code of Ethics requires certified professionals work with absolute integrity. It's about integrity, honesty and transparency, but it's also about keeping secrets when appropriate. For example, an auditor needs to be transparent with his audit client in terms of how effective he thinks its controls are. But, in terms of nondisclosure, if an auditor is working for an audit firm, of course, he has to keep other client relationships confidential and not mention who they are.
The ITAF is a set of audit standards for IT auditors to ensure audits are performed correctly and consistently.
How does the ITAF help ensure the consistency required from auditors?
Gregory: ITAF standards ensure audits are performed properly and are repeatable. You want to have situations where, if two different auditors audited the same system or process, they could come up with the same results. Granted, there is the professional judgement every auditor brings that's unique because of different career experiences. But the ITAF helps ensure audit results would be the same no matter who does them.
The words that one auditor and a different auditor would write in terms of describing the effectiveness of a control might vary slightly because everyone has their own writing style. But, in general, the overall conclusions would be the same or very close because they are following the same framework. You wouldn't want to have one auditor audit a business process in a company, and a year later, a different auditor come in and have a completely different opinion. The CISA and ITAF aim to provide consistency and repeatability even if you have different people doing the work from one period to the next.
What area of planning for the CISA exam do you find most troubling for test-takers?
Gregory: When I earned my CISA 18 years ago, I had a bit of audit and controls background, and I've done a considerable amount of work since. One thing I've found is that IT auditors have a vocabulary all of their own -- a lexicon of terms that isn't often seen in infosec or IT, except in organizations that are frequently audited. In preparing for the CISA exam, test-takers should know there's a whole slate of vocabulary that is going to seem foreign to them. Two examples that stand out to me that are common in the audit profession but not heard in cybersecurity are reperformance and population. Reperformance is a specific audit technique, and population is a term used to describe a complete set of things to examine in an audit.
How do auditors clearly communicate with clients using this unique language?
Gregory: It's like in other professions -- for instance, if you're going to get your car fixed, the mechanic is going to explain things and avoid terms you might not understand. Or your doctor -- you're not going to just get med school talk. Part of the soft skills an auditor needs is being cognizant of who you're talking to and addressing the audience with an appropriate level of detail so as to not confuse the person you're talking with but also tell them what they need to know.
The results of an audit should be clear enough and avoid those audit terms, except where it makes sense. An audit report should be easily understood by the management being audited.
What other soft skills are required?
Gregory: Good conversational skills are critical because auditors spend a lot of time talking with people in an organization to ask questions about their business processes, controls and technologies. Good written skills are critical because auditors are writing reports and other artifacts.
To work well in this field, you also need to be comfortable having conversations with every potential person in the business -- executives and operational personnel alike.
About the author
Peter H. Gregory, CISM, CISA, CRISC, CISSP, CIPM, CCISO, CCSK, PCI-QSA, is a 30-year career technologist and an executive director at Optiv Security. He has been developing and managing information security management programs since 2002 and has been leading the development and testing of secure IT environments since 1990. In addition, he spent many years as a software engineer and architect, systems engineer, network engineer and security engineer. Throughout his career, he has written many articles, white papers, user manuals, processes and procedures and has conducted numerous lectures, training classes, seminars and university courses.
Gregory is the author of more than 40 books about information security and technology. He is an advisory board member at the University of Washington's certificate program in information security and risk management and the lead instructor (emeritus) and advisory board member for the University of Washington certificate program in cybersecurity. He is an advisory board member and instructor at the University of South Florida's Cybersecurity for Executives program, a former board member of the Washington State chapter of InfraGard and a founding member of the Pacific CISO Forum. He is a 2008 graduate of the FBI Citizens' Academy and a member of the FBI Citizens' Academy Alumni Association.
Gregory resides with his family in the Seattle area and can be contacted at www.peterhgregory.com.