
CISA Series - Part 7 Exam Preparation


Master the mindset behind the CISA exam in Part 7 of the CISA Series — Exam Preparation & Strategy: How to Think Like the Exam. This session brings together all five CISA domains into a practical exam-focused review designed to help candidates understand how ISACA structures questions, tests judgement, and evaluates risk-based thinking.

Alison

May 08, 2026


Transcript

  1. CISA Series Overview
     • Part 1 – Introduction & Overview
     • Part 2 – Domain 1: Information Systems Auditing Process
     • Part 3 – Domain 2: Governance and Management of IT
     • Part 4 – Domain 3: Information Systems Acquisition, Development, and Implementation
     • Part 5 – Domain 4: Operations and Business Resilience
     • Part 6 – Domain 5: Protection of Information Assets
     • Part 7 – Exam Practice & Revision
     Covers all 5 CISA domains in a structured learning journey
  2. What This Part Covers
     • How the exam works
     • Domain weightings
     • Question approach techniques
     • Common mistakes
     • Exam strategy
  3. How the CISA Exam Works
     • 150 multiple-choice questions
     • 4 hours duration
     • One BEST answer per question
     • No negative marking
     • Focus on judgement, not memorisation
  4. Scoring Model
     • Score range: 200 – 800
     • Passing score: 450
     • Scaled scoring model
     • Total score determines pass or fail
  5. Domain Weightings
     Weight   Domain
     18%      1: Information Systems Auditing Process
     18%      2: Governance and Management of IT
     12%      3: Information Systems Acquisition, Development and Implementation
     26%      4: Information Systems Operations and Business Resilience
     26%      5: Protection of Information Assets
  6. What This Means for You
     • Domains 4 and 5 = 52% of the exam
     • Domains 1 and 2 provide foundation
     • Domain 3 is lower weight but important
     • Focus where the marks are
  7. Think Like an Auditor
     • Focus on risk, controls, and impact
     • Avoid technical-first thinking
     • Prioritise governance and process
     • Answer as an auditor, not an engineer
  8. Golden Rule
     • Always think: Threat → Risk → Control
     • Map scenarios to controls logically
  9. What the Exam is Testing
     • Risk-based thinking
     • Control effectiveness
     • Governance understanding
     • Audit judgement
     • Not technical depth
  10. CISA Topics Tested in Detail (High-Impact Areas)
     • Risk-Based Auditing (CRITICAL – Domain 1 & 2)
     • Controls (Very heavily tested across ALL domains)
     • Governance & Management of IT (Domain 2)
     • Business Impact & Resilience (Domain 4)
     • Identity & Access Management (Domain 5)
     • Security Monitoring & Incident Response (Domain 5)
     • Systems Development & Testing (Domain 3)
     • Data Protection & Encryption (Domain 5)
     • Audit Evidence & Techniques (Domain 1)
     • Business Processes (Underlying EVERYTHING)
  11. Risk-Based Auditing (Domain 1 & 2)
     Core Concept
     • Foundation of the CISA exam
     • Audit approach driven by risk, not coverage or convenience
     • Focus on areas with highest business impact
     Key Areas to Master
     • Inherent Risk → Risk without controls
     • Control Risk → Controls may fail
     • Detection Risk → Auditor may not detect issues
     • Risk-Based Audit Planning
     • Audit Coverage Decisions (where to focus)
     • Linking:
        • Risk → Control → Audit Procedure
        • Inherent Risk → Control Risk → Detection Risk
     How It Is Tested
     • Scenario-based questions
     • Requires judgement, not memorisation
     • Focus on:
        • What should the auditor do FIRST
        • What is the BEST action
        • What is the MOST likely risk or control
     CISA Exam Focus (CRITICAL)
     • Understand the risk before evaluating controls
     • Always prioritise high-risk areas
     • Audit decisions must be risk-driven
     • Audit planning follows a specific risk assessment sequence
     • Understanding what is assessed FIRST, NEXT, and LAST is frequently tested
     Key Takeaway
     • Audit is not about checking everything. It is about focusing on what matters most — risk.
  12. Controls (CRITICAL – All Domains)
     Core Concept
     • Controls are not tested as definitions
     • Focus is on how controls are applied in real scenarios
     • Objective: Reduce risk to an acceptable level
     Types of Controls (You MUST know)
     • Preventive Controls
        • Stop incidents before they occur
        • Examples: Access control, MFA, segregation of duties
     • Detective Controls
        • Identify incidents after they occur
        • Examples: Logs, monitoring, alerts, audits
     • Corrective Controls
        • Fix issues and restore systems
        • Examples: Backups, recovery plans, patching
     Advanced Concepts
     • Compensating Controls
        • Alternative control when primary control is not feasible
        • Must provide equivalent risk reduction
     Control Effectiveness
     • Design effectiveness → Is the control appropriate?
     • Operating effectiveness → Is it working consistently?
     Key Skill (CRITICAL)
     • Match the RIGHT control to the RIGHT risk
     • Understand the risk first
     • Then select the most effective control
     • Not all controls are equal
     How It Is Tested
     • Scenario-based questions
     • You are given a risk or weakness
     • You must choose the BEST control, not just a valid one
     Common Exam Traps
     • Choosing detective instead of preventive
     • Selecting a control that does not address the root risk
     • Ignoring compensating controls
     • Picking technically correct but less effective answers
     CISA Exam Focus (CRITICAL)
     • Preventive controls are usually stronger than detective
     • Always choose the control that reduces risk earliest and has the greatest impact
     Key Takeaway
     • The exam is not asking “What is a control?” It is asking “What is the BEST control in this situation?”
  13. Governance & Management of IT (Domain 2)
     Core Concept
     • Tested at a strategic and conceptual level
     • Focus is on who is responsible for WHAT
     • Emphasis on governance, not operations
     Key Areas to Master
     • Board vs Management Responsibilities
        • Board → Governance, direction, oversight
        • Management → Implementation, execution, operations
     Policies Driven by Risk
     • Policies must be based on risk assessment
     • Not driven by technology, tools or convenience
     Alignment of IT with Business
     • IT must support business objectives
     • Ensures value delivery, strategic alignment and business outcomes
     COBIT Principles (Implicitly Tested)
     • Governance vs Management distinction
     • Focus on value, risk, resources and performance
     How It Is Tested
     • Scenario-based questions
     • Focus on: “Who is responsible?”, “What is the MOST important action?”, “What should happen FIRST?”
     Common Exam Pattern
     • “What is the MOST important responsibility?”
     • Correct answer is usually governance, oversight or alignment with business
     Common Traps
     • Choosing operational actions instead of governance
     • Confusing management responsibilities with board responsibilities
     • Selecting technical solutions instead of strategic decisions
     CISA Exam Focus (CRITICAL)
     • Governance is always top-down, strategic and accountable to the board
     • Management is execution-focused and operational
     Key Takeaway
     • Governance sets direction. Management executes.
  14. Business Impact & Resilience (Domain 3)
     Core Concept
     • One of the highest weighted domains
     • Focus is on business continuity, not technology recovery
     • Decisions must be driven by business impact
     Key Areas to Master
     • Business Impact Analysis (BIA)
        • Identifies critical business processes, impact of disruption and recovery priorities
        • Defines what matters most to the business
     • RTO vs RPO
        • RTO (Recovery Time Objective) → How quickly systems must be restored
        • RPO (Recovery Point Objective) → How much data loss is acceptable
     • DRP vs BCP
        • DRP (Disaster Recovery Plan) → Focus on IT system recovery
        • BCP (Business Continuity Plan) → Focus on maintaining business operations
     • Recovery Priorities
        • Based on business impact, not system importance alone
        • Determined during BIA
     How It Is Tested
     • Scenario-based questions
     • Focus on: “What is MOST important?”, “What should be done FIRST?”, “What determines recovery priority?”
     Common Exam Pattern
     • “What is MOST important?”
     • Correct answer is usually business impact, critical business process or BIA results
     Common Traps
     • Choosing technology over business needs
     • Confusing DRP with BCP
     • Selecting fastest recovery instead of most critical process
     • Ignoring BIA as the foundation
     CISA Exam Focus (CRITICAL)
     • Business drives recovery priorities, RTO / RPO and continuity planning
     • Technology supports the business — not the other way around
     Key Takeaway
     • Recovery is not about systems. It is about restoring business operations.
  15. Identity & Access Management
     Core Concept
     • One of the most tested technical areas
     • Focus is on controlling who can access what, and how
     • Strong link between security, risk, and business impact
     Key Areas to Master
     • Authentication vs Authorisation
        • Authentication → Verifies identity (who you are)
        • Authorisation → Determines access (what you can do)
     • Multi-Factor Authentication (MFA) & Single Sign-On (SSO)
        • MFA strengthens authentication
        • SSO improves usability but centralises risk
     • Least Privilege
        • Users should have only the access they need
        • Reduces risk of data exposure and insider threats
     • Segregation of Duties (SoD)
        • Prevents one user having end-to-end control
        • Reduces fraud and error risk
     How It Is Tested
     • Scenario-based questions
     • Focus on identifying access-related risks, selecting the BEST control and understanding the impact of excessive access
     Common Exam Traps
     • SSO = convenience BUT increased risk (single point of compromise)
     • Excessive access rights: one of the biggest risks in any environment
     • Confusing authentication (identity) with authorisation (permissions)
     CISA Exam Focus (CRITICAL)
     • Always prioritise least privilege, access control over convenience and risk reduction over usability
     Key Takeaway
     • Strong authentication is important, but controlling access is critical.
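The least-privilege and segregation-of-duties points on the slide above are exactly what an auditor tests for during an access review. The following is an added example (not part of the deck) of how such a review can be run over an entitlement listing: it flags any user who holds both sides of a conflicting duty pair, and any entitlement that has never been used or has gone unused beyond an idle threshold. The conflict matrix, user names, entitlement names and dates are constructed for illustration.

```python
"""Access review helper: segregation-of-duties (SoD) conflicts and
least-privilege findings over a constructed entitlement listing.

Added example for this slide, not part of the deck. The users, entitlement
names, dates and the conflict matrix below are all constructed.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed SoD conflict matrix: pairs of duties one person must not hold,
# because holding both gives end-to-end control of a transaction.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_purchase_order", "approve_purchase_order"}),
    frozenset({"develop_code", "deploy_to_production"}),
}

# Constructed entitlement listing: (user, entitlement, last used or None if never).
ENTITLEMENTS = [
    ("alice", "create_vendor", date(2026, 4, 30)),
    ("alice", "approve_payment", date(2026, 5, 2)),
    ("bob", "create_purchase_order", date(2026, 5, 1)),
    ("bob", "view_reports", None),
    ("carol", "develop_code", date(2026, 5, 5)),
    ("carol", "deploy_to_production", None),
    ("dave", "approve_purchase_order", date(2025, 9, 1)),
]

# Constructed review date used by the stand-alone run below.
REVIEW_DATE = date(2026, 5, 8)


def entitlements_by_user(listing):
    """Group the flat listing into {user: {entitlement: last_used}}."""
    by_user = defaultdict(dict)
    for user, entitlement, last_used in listing:
        by_user[user][entitlement] = last_used
    return by_user


def sod_conflicts(listing):
    """Return {user: [sorted conflicting pair, ...]} for every user holding
    both sides of a conflict pair. Holding the access is the finding;
    whether it was exercised does not matter for SoD."""
    findings = {}
    for user, held in entitlements_by_user(listing).items():
        hits = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= set(held)]
        if hits:
            findings[user] = sorted(hits)
    return findings


def stale_entitlements(listing, as_of, max_idle_days=90):
    """Return {user: [entitlement, ...]} for access never used or unused for
    longer than max_idle_days: removal candidates under least privilege."""
    cutoff = as_of - timedelta(days=max_idle_days)
    findings = defaultdict(list)
    for user, entitlement, last_used in listing:
        if last_used is None or last_used < cutoff:
            findings[user].append(entitlement)
    return {user: sorted(ents) for user, ents in findings.items()}


if __name__ == "__main__":
    for user, pairs in sod_conflicts(ENTITLEMENTS).items():
        print(f"SoD conflict: {user} holds {pairs}")
    for user, ents in stale_entitlements(ENTITLEMENTS, REVIEW_DATE).items():
        print(f"Least privilege: {user} has unused access {ents}")
```

Where a conflict cannot be removed (a small finance team, for example), the slide's compensating-control idea applies: independent review of the transactions the conflicting user processed, with the reviewer's evidence retained for the auditor.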
  16. Security Monitoring & Incident Response (Domain 5)
     Core Concept
     • Frequently tested through real-world scenarios
     • Focus is on detecting, responding, and recovering from incidents
     • Assumes that not all attacks can be prevented
     Key Areas to Master
     • Detection vs Prevention
        • Preventive controls → Reduce likelihood of incidents
        • Detective controls → Identify incidents quickly
        • Detection is critical because prevention is never perfect
     • Logging & Monitoring (SIEM)
        • Centralised logging enables visibility
        • SIEM tools correlate events, detect anomalies and generate alerts
     • Incident Lifecycle (CRITICAL)
        • Order matters and is heavily tested
        • Detect → Contain → Eradicate → Recover
     What Each Step Means
     • Detect: identify suspicious activity; trigger alerts
     • Contain: limit the spread of the incident; isolate affected systems
     • Eradicate: remove the root cause; eliminate malware or vulnerabilities
     • Recover: restore systems and operations; validate normal functioning
     How It Is Tested
     • Scenario-based questions
     • Focus on: “What should be done FIRST?”, “What is the NEXT step?”, “What is the BEST response?”
     Common Exam Traps
     • Jumping straight to eradication without containment
     • Choosing prevention instead of detection in an active incident
     • Incorrect sequence of incident response steps
     • Ignoring the importance of logging and monitoring
     CISA Exam Focus (CRITICAL)
     • Detection enables response
     • Containment comes before eradication
     • Recovery is the final step
     • Logging and monitoring are essential for visibility
     Key Takeaway
     • You cannot respond to what you cannot detect, and you must contain before you eliminate.
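The slide says SIEM tools "correlate events, detect anomalies, generate alerts" and that detection comes first in the lifecycle. The following added example (not from the deck) shows what that correlation looks like in code: it parses a handful of constructed authentication log lines and raises an alert only when several failed logins from one source and account are followed by a success within a short window, which is a pattern worth a human look where a single failure is not. The log format, host names, account names and addresses are all constructed.

```python
"""SIEM-style correlation over constructed authentication log lines.

Added example for this slide, not part of the deck. The log format, hosts,
accounts and addresses are constructed; the detection rule is a generic
"several failures then a success" pattern, not a product's own rule.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst of failures then a success for one account
# (suspicious), and a single typo followed by a much later success (normal).
LOG_LINES = """\
2026-05-08T09:00:01 app01 sshd: Failed password for admin from 203.0.113.7
2026-05-08T09:00:04 app01 sshd: Failed password for admin from 203.0.113.7
2026-05-08T09:00:06 app01 sshd: Failed password for admin from 203.0.113.7
2026-05-08T09:00:09 app01 sshd: Failed password for admin from 203.0.113.7
2026-05-08T09:00:15 app01 sshd: Accepted password for admin from 203.0.113.7
2026-05-08T09:05:00 app02 sshd: Failed password for alice from 198.51.100.4
2026-05-08T09:30:00 app02 sshd: Accepted password for alice from 198.51.100.4
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(lines):
    """Turn raw lines into event dicts. Lines that do not match the format
    are dropped rather than guessed at, so the parser never invents events."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "host": m["host"], "outcome": m["outcome"],
                "user": m["user"], "src": m["src"],
            })
    return events


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when at least `threshold` failed logins from one (source, account)
    pair are followed by a success within `window`. Each alert carries what
    the Contain step needs: the account, the source and the host involved."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["outcome"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "rule": "failed-logins-then-success",
                "user": ev["user"], "src": ev["src"], "host": ev["host"],
                "failures_in_window": len(recent),
                "success_at": ev["ts"].isoformat(),
            })
        failures[key].clear()  # a success resets the counter for that pair
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(LOG_LINES)):
        print(alert)
```

The alert deliberately names the account, source and host rather than just saying "brute force": in the Detect → Contain → Eradicate → Recover order on the slide, that is the information the next step consumes (disable the account, block the source, isolate the host) before anyone starts removing a root cause.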
  17. Systems Development & Testing (Domain 3)
     Core Concept
     • Tested less frequently, but in greater depth
     • Focus is on why systems fail, not just how they are built
     • Strong link between requirements, testing, and change control
     Key Areas to Master
     • Requirements (MOST CRITICAL)
        • Foundation of system success
        • Must be clear, complete and aligned to business needs
        • If requirements are wrong → everything else fails
     Types of Testing
     • Unit Testing: individual components tested; performed by developers
     • Integration Testing: components tested together; ensures systems interact correctly
     • User Acceptance Testing (UAT): validates system meets business requirements; performed by end users
     Change Management
     • Controls how changes are requested, approved, tested and implemented
     • Prevents unauthorised changes and system instability
     How It Is Tested
     • Scenario-based questions
     • Focus on identifying the root cause of system issues and selecting the most effective control or fix
     Exam Pattern (CRITICAL)
     • Development problem → answer = requirements issue
     Common Exam Traps
     • Blaming testing instead of requirements
     • Choosing technical fixes instead of addressing root cause
     • Ignoring business involvement in UAT
     • Overlooking change management controls
     CISA Exam Focus (CRITICAL)
     • Requirements drive design, development, testing and acceptance
     • If requirements are weak, controls and testing will not fix the problem
     Key Takeaway
     • Most system failures are not technical. They are requirement failures.
  18. Data Protection & Encryption (Domain 5)
     Core Concept
     • Tested both conceptually and in application scenarios
     • Focus is on why a technology is used, not how it works technically
     • You must match the right control to the right objective
     Key Areas to Master
     • Encryption (Confidentiality)
        • Protects data from unauthorised access
        • Used for data at rest and data in transit
     • Hashing (Integrity)
        • Ensures data has not been altered
        • One-way process (cannot be reversed)
     • Digital Signatures
        • Provide integrity (data unchanged), authentication (verified sender) and non-repudiation (cannot deny origin)
     • Data States
        • Data at rest → stored data (databases, disks); protected using encryption
        • Data in transit → data being transmitted; protected using secure protocols (e.g. TLS)
     How It Is Tested
     • Scenario-based questions
     • Focus on selecting the correct technology and understanding what problem is being solved
     Exam Trick (CRITICAL)
     • Match the technology to the purpose
        • Confidentiality → Encryption
        • Integrity → Hashing
        • Authentication / Non-repudiation → Digital signatures
     Common Exam Traps
     • Confusing hashing with encryption
     • Selecting encryption when integrity is required
     • Ignoring data state (at rest vs in transit)
     • Choosing technically correct but less relevant controls
     CISA Exam Focus (CRITICAL)
     • Understand purpose, not algorithms
     • Focus on what risk is being addressed and what control best mitigates it
     Key Takeaway
     • The exam does not test how encryption works. It tests when and why to use it.
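The "match the technology to the purpose" rule on the slide is easiest to internalise by watching each control fail at the job it was not designed for. The following added example (not from the deck) does that with standard-library primitives: encryption hides the message but does not notice when the ciphertext is altered, a plain hash detects the alteration, and a keyed MAC additionally proves that whoever produced the tag held the key. The "encryption" is a one-time pad (XOR with a fresh random key as long as the message), chosen because its behaviour is easy to reason about, not as a production cipher; the message and keys are constructed. Digital signatures are not shown because the standard library has no asymmetric signing, and the example notes where HMAC stops short of them: both parties share the key, so HMAC gives authentication but not the slide's non-repudiation.

```python
"""Matching the control to the objective with standard-library primitives:
encryption for confidentiality, a hash for integrity, a keyed MAC for
authentication of origin.

Added example for this slide, not part of the deck. The one-time pad is a
teaching cipher only; message and keys are constructed.
"""
import hashlib
import hmac
import secrets


def encrypt_otp(plaintext: bytes, key: bytes) -> bytes:
    """One-time pad: XOR with a key as long as the message, never reused."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must match message length")
    return bytes(p ^ k for p, k in zip(plaintext, key))


decrypt_otp = encrypt_otp  # XOR is its own inverse


def digest(data: bytes) -> str:
    """Unkeyed hash: detects change, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def mac(data: bytes, key: bytes) -> str:
    """Keyed hash (HMAC): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def flip_last_bit(data: bytes) -> bytes:
    """Simulate ciphertext being altered in transit by someone without the key."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


def demonstrate(message=b"PAY 100", otp_key=None, mac_key=None):
    """Run each control against the objective it serves and the one it does
    not; returns a dict of outcomes so the result can be checked, not just read."""
    otp_key = otp_key or secrets.token_bytes(len(message))
    mac_key = mac_key or secrets.token_bytes(32)

    ciphertext = encrypt_otp(message, otp_key)
    # Confidentiality holds, but encryption alone is malleable: a bit flipped
    # in the ciphertext still "decrypts", just to a different plaintext.
    tampered = decrypt_otp(flip_last_bit(ciphertext), otp_key)
    genuine_tag = mac(message, mac_key)

    return {
        "ciphertext_hides_plaintext": ciphertext != message,
        "decrypts_correctly": decrypt_otp(ciphertext, otp_key) == message,
        "tampered_plaintext": tampered,  # decryption did not notice the change
        "hash_detects_change": digest(message) != digest(tampered),
        "mac_accepts_genuine": hmac.compare_digest(genuine_tag, mac(message, mac_key)),
        # A constructed wrong key stands in for an attacker who lacks the real one.
        "mac_rejects_forgery": not hmac.compare_digest(
            genuine_tag, mac(message, b"attacker-guessed-key")),
    }


if __name__ == "__main__":
    for objective, outcome in demonstrate().items():
        print(f"{objective}: {outcome}")
```

With the constructed message PAY 100, flipping the last ciphertext bit decrypts cleanly to PAY 101, which is the exam trap "selecting encryption when integrity is required" in one line. A hash alongside the data catches that change, but an attacker who can alter the data can usually recompute an unkeyed hash too, which is why the keyed MAC (and, for non-repudiation, a digital signature) is the control the slide maps to authentication.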
  19. Audit Evidence & Techniques (Domain 1)
     Core Concept
     • One of the most exam-heavy logic areas
     • Focus is on the quality of evidence and how it is obtained
     • The exam tests judgement, not definitions
     Key Areas to Master
     • Reliability of Evidence (CRITICAL): Auditor > System > User
        • Most reliable → evidence obtained directly by the auditor
        • Moderate reliability → system-generated reports
        • Least reliable → user statements / inquiry
     Types of Evidence
     • Inquiry: asking questions; least reliable on its own
     • Observation: watching processes being performed; more reliable than inquiry
     • Inspection (Documentation / Evidence Review): reviewing records, logs, reports; stronger evidence
     Sampling Risk
     • Risk that conclusions drawn from a sample are incorrect
     • Includes detection risk and incomplete coverage
     How It Is Tested
     • Scenario-based questions
     • Focus on: “Which evidence is MOST reliable?”, “What should the auditor do NEXT?”, “Is the evidence sufficient?”
     Common Exam Patterns
     • Multiple evidence options → choose the MOST reliable
     • Weak evidence → auditor must perform additional procedures
     • Sampling scenarios → identify sampling limitations
     Common Exam Traps
     • Choosing inquiry alone as sufficient evidence
     • Selecting system reports without validation
     • Ignoring need for independent verification
     • Confusing observation with proof of effectiveness
     CISA Exam Focus (CRITICAL)
     • Evidence must be sufficient, reliable and relevant
     • Always prefer independent, direct evidence
     Key Takeaway
     • The best evidence is not what you are told. It is what you can verify.
  20. Business Processes (FOUNDATION – All Domains)
     Core Concept
     • This is the hidden theme across the entire CISA exam
     • Everything revolves around how the business operates
     • Systems support processes — they are not the risk source
     Key Idea (CRITICAL)
     • Risk exists in business processes, not in systems
     • Systems enable processes and support operations
     • Processes create risk, handle transactions and drive business outcomes
     What This Means for the Auditor
     • Always start with understanding the business process
     • Then identify risks within the process
     • Then evaluate controls within the process
     Audit Thinking Flow
     • Process → Risk → Control → Audit Procedure
     How It Is Tested
     • Scenario-based questions
     • Focus on identifying where the real risk is, understanding business impact and selecting controls aligned to process risk
     Common Exam Patterns
     • Questions describe systems or technical issues, but the answer relates to a process weakness
     Common Exam Traps
     • Focusing on technology instead of process
     • Selecting technical fixes without understanding the business
     • Ignoring process design and control flow
     CISA Exam Focus (CRITICAL)
     • Business processes drive risk, determine control requirements and define audit scope
     • Technology is a supporting layer
     Key Takeaway
     • Do not audit systems in isolation. Audit the process the system supports.
  21. Question Approach Method
     • Read carefully
     • Identify what is being asked
     • Identify the risk
     • Eliminate weak answers
     • Choose the BEST answer
  22. Answer Elimination Strategy
     • Focus on risk alignment
     • Remove answers not addressing root cause
     • Remove reactive answers
     • Remove overly technical answers
  23. Technical vs Governance Thinking
     TECHNICAL: FIX SYSTEM      AUDIT: UNDERSTAND RISK
     TECHNICAL: APPLY TOOL      AUDIT: IMPROVE PROCESS
     AUDIT THINKING IS PREFERRED
  24. Root Cause vs Symptom
     • Best answers address root cause
     • Weak answers fix symptoms only
  25. Time Management Strategy
     • 150 questions in 4 hours
     • About 1.5 minutes per question
     • Do not get stuck
     • Keep moving
  26. Key Takeaway
     The CISA exam is designed to test:
     • Audit judgement
     • Risk-based thinking
     • Governance understanding
     • Control evaluation
     • Business alignment
     Success comes from understanding: Risk → Process → Control → Business Impact
     Think like an auditor, not a technician.
  27. Disclaimer
     • This content is based on personal experience and interpretation
     • For educational purposes only
     • No official organisational affiliation