@ISACA Volume 7: 27 March 2013 

@ISACA Relevant, Timely News

Certification Exam Language Changes—Register Now for the June Administration

ISACA currently translates the Certified Information Systems Auditor (CISA) exam into 10 languages and the Certified Information Security Manager (CISM) exam into 3 languages. Good practice recommends a minimum of 100 exam takers per language for each administration. Accordingly, languages that had fewer than 100 candidates per administration in 2012 have been reviewed with the respective chapter(s).

As a result of this review, ISACA’s Credentialing and Career Management Board, the CISA Certification Committee and each respective chapter approved the following changes:

  • The German and the Italian translations of the CISA exam will be offered annually during the June administration, effective 2013.
  • The Hebrew translated CISA exam will be offered annually during the December administration, effective 2014.

Please note that for the additional September 2013 exam administration, ISACA will offer the CISA and CISM exams. For this additional administration, ISACA will offer all languages available for the respective exam.

The final registration deadline for the June exams is 12 April. For more information and to register for the June exam administration, visit the Certification page of the ISACA web site.


Aligning Risk Perception and Priority Setting in the Boardroom

To be effective from an audit or supervisory perspective, it is essential to align with risk perception and priority setting in the boardroom. Merely concluding that control measures do not have sufficient effect is not the essence of supervision or audit activities. The key factor is to ensure that both management and board members devote sufficient attention to improvement and commit themselves to pursuing it. Simply applying frameworks and standards is not enough.

In their recent article, “Using Standards to Create Effect in the Boardroom,” Evert Koning and Hans Bikker provide the following six recommendations to achieve and maintain the necessary involvement at the management board level:

  • Ensuring a transparent assessment framework—A transparent assessment framework promotes transparent communications and creates clear expectations.
  • Understanding good points and points for improvement—Strong points as well as shortcomings must be explained.
  • Ensuring direct involvement—Signing off on a completed assessment framework by a board member responsible for IT increases involvement and prevents a lack of engagement.
  • Benchmarking—Benchmark information shows the organization’s performance relative to its peers.
  • Translating IT risk factors—IT risk factors must be linked to the institution’s risk appetite or operational strategy.
  • Monitoring improvement actions—Active and regular monitoring ensures ongoing attention to points for improvement and their follow-up.

Read about how these were applied in the Dutch Central Bank (DNB)’s IT Supervision Department in the full article in volume 2, 2013, of the ISACA Journal.


How to Become a Successful and Effective CISO
By Lisa Young, CISA, CISM

The role of a chief information security officer (CISO) is not for those who lack conviction or courage. The position can be demanding and unforgiving, while at the same time, intellectually challenging and stimulating. The profile of a modern CISO requires both technical expertise and business acumen. As you aim your career path toward the role of CISO, keep these tips in mind to increase your chance of success. A good starting point is to evaluate your current skills and expertise against the following Certified Information Security Manager (CISM) job practice areas:

  1. Information security governance—There is a difference between governance and management, and your ability to distinguish between them will assist in developing the business intelligence necessary for the role of CISO. Governance provides the framework, principles, structure, processes and practices used to set the organization’s direction and to ensure that performance aligns with its mission, vision, values and objectives. Management entails the thoughtful use of resources, people, processes and practices to achieve an identified goal. Both governance and management are required to be a successful CISO; the CISO is often the person who provides senior management with the information needed to make governance decisions. Management is responsible for executing deliverables within the direction set by the governing body or board of directors. Well-managed information strengthens senior management’s ability to make decisions on information security issues and assists them in aligning information security with the enterprise’s objectives.
  2. Information risk management and compliance—Can you articulate the business risk factors that your information security program is managing on behalf of the enterprise? In other words, are you able to connect the mission, goals and objectives of the enterprise with what your program does to prevent and avoid risk? Mapping the enterprise’s key performance indicators to the risk factors that are actively being managed by the information security program increases senior management’s commitment to information security initiatives.
  3. Information security program development and management—Do you know how the information security program protects and sustains the high-value assets used to deliver the critical products and services of the enterprise? For example, the ability to communicate that the security program is directly responsible for protecting and sustaining the web server that accepts your customers’ payments increases the connection between business objectives and information security value.

An information security manager is an individual who has progressed beyond the practitioner focus, whose emphasis goes beyond technical or specialist skills and who has moved to the position of management of an enterprise’s information security program. Attending CISM review classes provided by many local ISACA chapters can lead you to the steps needed to achieve the next milestone on your journey to the CISO position.

Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide. Young was also a member of the ISACA task force that developed Risk IT, which is now incorporated into COBIT 5.


CISA Certification Leads to Personal and Professional Growth
Rafael Fabius, CISA, CRISC, Montevideo (Uruguay) Chapter, Shares His Experiences as a CISA

Rafael Fabius became a Certified Information Systems Auditor (CISA) to improve his professional knowledge, maintain his practical knowledge, and gain recognition for achieving his goals and aspirations. He has found that what he’s gained from attaining the CISA certification and being involved with ISACA has far surpassed his original aspirations. “While reaching my original goals, attaining the CISA designation has also helped me understand the structure and thought behind best practices and standards, their evolution through changing conditions, and as a result, I have been able to contribute toward their improvement.”

Fabius finds that the CISA certification has opened many doors and opportunities for him both personally and professionally. “The recognition provided by the CISA certification has directly or indirectly helped me to become a member of several different boards, committees and subcommittees; to get involved in organizing several international conferences and delivering presentations; and to become an expert reviewer of industry-related publications,” Fabius explains. “Attaining my CISA has also provided me the opportunity to meet and relate to colleagues I would have never known otherwise from all over the world—far beyond my horizon. Meeting and learning from these different people from different cultures has improved me not just as a professional but as a person.

“One of my great interests in life is understanding other people and what motivates them. As a CISA, I have had the opportunity to meet lots of interesting people from whom I have learned a lot.

“My CISA certification, along with the Certified in Risk and Information Systems Control (CRISC), has helped me place myself in interesting work groups and positions, supporting the organization I work for in different matters, not always obviously related to my job,” he continues. “As a result, I have gained much recognition as a problem solver, which I find very satisfying personally.”

Learn more about CISA and other ISACA certifications on the Certification page of the ISACA web site.
