InfoSec Reviews – Certified Information Systems Auditor Study Guide

Reviewer Name: Jim McGhie

Reviewer Qualifications: MBA, CEng, MBCS, CITP

Book Title: Certified Information Systems Auditor Study Guide

Subtitle: Third Edition

Author: David L. Cannon

Publisher: Wiley Publishing Inc.

Date of Publishing: 2011

ISBN(13): 9780470610107

Price (UK & US full price, not discounted price): £39.99, $69.99

URL of Publisher Site: Wiley Publishing Inc.

URL of Amazon UK web page: CISA: Certified Information Systems Auditor Study Guide

URL of Amazon UK web page (Kindle Edition): Amazon.co.uk (Kindle)

URL of Amazon US web page: Amazon.com

URL of Amazon US web page (Kindle Edition): Amazon.com (Kindle)

Cannon has produced well-documented coverage of all the knowledge requirements necessary to pass the CISA examination. The book is a 605-page volume with the following layout:

Introduction
Chapter 1: Secrets of a Successful Auditor
Chapter 2: Managing IT Governance
Chapter 3: Audit Process
Chapter 4: Networking Technology Basics
Chapter 5: Information Systems Life Cycle
Chapter 6: Systems Implementation and Operations
Chapter 7: Protecting Information Assets
Chapter 8: Business Continuity and Disaster Recovery
Appendix: Companion CD

The introductory chapter deals with the practical aspects of how to achieve CISA accreditation. It then discusses the dos and don'ts of how to approach the examination, together with what ISACA expects of exam candidates. The chapter ends by elaborating on the CISA Domain areas, the exam weighting for each, and the task and knowledge statements required of candidates in respect of each Domain. I liked the fact that the introduction ends with a self-assessment quiz allowing candidates to determine their weakest areas of knowledge and therefore where they should concentrate their learning efforts. However, the book was published prior to the change in the Domain structure, which took place in 2011 and reduced the number of Domains from six to five. Consequently, each Domain now has a different exam weighting and a different number of questions from those stated here.

The remaining eight chapters focus on the Domain knowledge, covering the tools and processes that must be learned and understood in order to succeed in the CISA examination.

I found the early chapters on auditing to be among the more interesting ones. For example, Chapter 1 deals in depth with the requirements to be a successful Auditor, including the standards that must be observed and the different types of audit that an Auditor might be called upon to perform. Chapter 2 moves on to the topic of IT Governance, starting with a clear definition of the term and how to go about identifying the responsible individuals in the organization. The way internal controls are managed in organizations is also covered in this chapter, along with how dependencies critical to the organization are protected. Chapter 3 covers the audit process in considerable detail. It includes a variety of topics associated with auditing: for example, how to structure an audit, how to conduct audits in accordance with standards, and how to deal with conflict, risk and stakeholder communications.

The next few chapters are more technically orientated and would be considered light reading for anyone with a technical background in computing and communications. Chapter 4 is devoted to bringing exam candidates up to speed with the auditing environment by covering the basics of networking technology. The fundamentals of computer architectures and data networking are covered, together with the OSI 7-layer model and network services. Chapter 5 moves on to the fundamentals of IT system development, discussing the development lifecycle as well as system design and implementation. The topic of Chapter 6 is IT system implementation and operations. This includes service-level management, together with physical security and performance monitoring. Change control, along with problem and incident management reporting, is also covered here.

The final chapters deal with two topics that are increasingly becoming the focus of management attention. Chapter 7 deals with the protection of information assets through security design, encryption techniques and appropriate controls. Chapter 8 considers the topic of business continuity and disaster recovery in considerable depth, discussing at length, amongst other important topics, risk analysis, developing a BC plan (along with testing strategies) and how to form a media and communications plan.

Each chapter starts with a checklist of the concepts to be covered and ends with a list of exam-related knowledge essentials. This is followed by a set of review questions and model answers. The chapters also contain a considerable number of notes, warnings and tips on interpreting the information in the context of the exam. Readers can test their understanding of the material before moving on to another topic or, if necessary, return to a specific area of weakness within that Domain.

I found all the topics in the guide to be well researched and highly relevant to the CISA exam. They are presented in a comprehensive, easy-to-read format. Diagrams spread throughout the book are particularly helpful in explaining and expanding on the more complex topics, such as those in Chapter 4 on data networking. The book represents excellent value for money, particularly since it also includes a CD containing a searchable PDF copy of the book along with the initial assessment test, the chapter review questions, flashcards and two full-length practice examinations. A tear-out card listing the Domains, task statements and chapter listings is also provided at the front of the book.

The CISA Study Guide is a well-researched and detailed treatment of the CISA exam topics. The information is presented in an easy-to-follow format and includes a variety of study aids and learning pointers. It is accompanied by a PDF copy of the guide as well as flashcards and two full-length practice exams. It is highly recommended as an accompaniment to the official ISACA guide for the exam. However, the author does need to revise and reissue the book in order to bring it into line with the 2011 CISA Domain structure.

Marks: 3 out of 5

***