What is the importance and value of CISA? How relevant is CISA compared to other IT security certifications. Where does CISA derive its strength from? Interested in IT security? Interested in IT audit expertise and related opportunities? Listen to what Colman has to say.

Q

The Information Systems Audit and Control Association (ISACA)’s Certified Information Systems Auditor (CISA) certification program is a hugely popular certification in the IT security/IT audit field. Why is there a need for such a certification? Who is ISACA’s CISA certification intended for? What capabilities should one expect of a CISA certified professional in terms of specific knowledge and skills?

A. Thank you for having me. Certified Information Systems Auditor (CISA) has been a globally accepted standard of achievement among IS audit, control and security professionals. CISA is recognized worldwide, by all industries, as the preferred designation for IS audit, control and security. To present a little overview of this certification, CISA was established in 1978 by Information Systems Audit and Control Association (ISACA) and the first examination was administered in 1981. Today, over 50,000 candidates have earned the CISA designation. The relative importance of this certification, I guess stems from the fact that growing number of companies are coming to understand the importance of the certification. For example In the United States, assistant examiners employed by the US Federal Reserve Banks must pass the CISA examination before they are eligible for commissioning; The US Department of Defense's Information Assurance Workforce Improvement Program, has approved CISA and directed as many as 80,000 professionals to be required to earn one of 13 different certifications offered by some five different organizations (ISACA included).

In the same vein, the National Stock Exchange of India and CERT-IN, the Indian Computer Emergency Response Team, has recognized CISA as one of the requirements to conduct security audits in the Country. In Singapore, CISA was accredited under the Critical IT Resource Program of the National Infocomm Competency Centre (NICC), the national body that oversees accreditation of IT-related certifications. The same story goes in Hong Kong, ISACA members who have held a CISA certification for at least four years have the right to vote for the city’s legislative counselors as representatives of the IT category among the functional constituencies. In Romania, banks desiring to implement distance or electronic payment instruments are required by law to be certified by CISA-holding auditors.

To become a CISA, one must possess in addition to passing the CISA exam a solid ( a minimum of 5 years) knowledge and experience of (1) Information Systems audit process that ensure IS audits are conducted in accordance with standards, guidelines and best practices (2) Corporate Information Technology governance that demonstrates good knowledge of organization’s capability to govern IT investments; (3) Systems and infrastructure lifecycle that meets organization’s business objectives (4) Information Technology service delivery that meet organization’s business objectives (4) Protection of information assets that would ensure confidentiality, integrity and availability of business information systems and, (5) Business continuity and disaster recovery of IT services.

Q. Do Security Certifications really make a difference? Has security certification helped your career? What do you think the future for Security Certifications will look like; will they be more, or less important than they are today?

A. Yes, security certifications make a difference. Possession of CISA, CISM, CISSP e.t.c, as I mentioned earlier, is an indication of security authority in the IT industry. Also, IT professionals and managers need to have security certifications that would enhance their standing as generalists, who would be prudent in any security situation within their organizations. For example, Information Systems Audit and Control Association (ISACA) came up with following analysis: 1. More than 1,400 CISAs are now employed in organizations as the chief executive officer (CEO), chief financial officer (CFO) or an equivalent executive position. 2. More than 2,300 serve as chief audit executives, audit partners or audit heads. 3. More than 3,500 serve as chief information officers, chief information security officers, security directors, security managers or consultants. 4. More than 5,400 serve as audit directors, managers or consultants. 5. Nearly 13,000 additional CISAs are currently employed in managerial or consulting positions in IT operations or compliance. You can see with me that the statistics attests to the importance of the knowledge, skills and recognition achieved by IT security certified professionals.

For my career, the designation has not only made me an authority in the field but bestowed additional audit and security responsibilities and affording me an opportunity of being part of important IT assurance and consulting engagements. The future is bright for those with security certifications. They are the future business leaders – CEOs, CFOs, chief audit executives, audit partners or audit heads, chief information security officers, security directors, security managers or consultants. Definitely, there will be more certified professional in the future so long as the importance of enterprise IT security would not be ignored.

Q. Finally, what tips and advice would you have for students, who are working to get their ISACA CISA certification or interested in IT security and audit? What would you encourage them to do?

Studying for CISA examination is one step in achieving this Certification. There are a lot of study aids out there to prepare for the exam. CISA Review Manual is a great resource for this exam. The manual reflects a complete syllabus for the CISA examination. Like I said it is only for review purposes and does not preclude extensive study of related text books on information systems. Students should also visit ISACA website for an updated textbooks that covers CISA topics and exam question model. It is also important to attend review classes. Experience in IT audit, control and security is very relevant and emphasizes hands on. Students should seek for IT audit experience in order to understand what the issues are. In summary bear in mind that for you to be certified, you must pass the examination, agree to adhere to ISACA's Code of Professional Ethics, submit evidence of a minimum of five years of professional IS auditing, control, or security work, and abide by a program of continuing professional education.
Again, thank you for having me.