Current Projects 


Audit/Assurance Programs

ISACA is currently updating the audit/assurance programs for COBIT 5. The first group of programs released was a series of programs for the COBIT 5 processes, based on the generic structure developed in the COBIT 5 for Assurance publication. The new audit/assurance programs are fully aligned with COBIT 5, and explicitly reference all seven enablers. The next group of programs below has been released.

This set of new audit/assurance programs and ICQs complements the book Security, Audit and Control Features SAP® ERP, 4th Edition. The set includes:

  • SAP ERP Revenue Business Cycle Audit/Assurance Program and ICQ
  • SAP ERP Expenditure Business Cycle Audit/Assurance Program and ICQ
  • SAP ERP Inventory Business Cycle Audit/Assurance Program and ICQ
  • SAP ERP Financial Accounting (FI) Audit/Assurance Program and ICQ
  • SAP ERP Managerial Accounting (CO) Audit/Assurance Program and ICQ
  • SAP ERP Human Capital Management Cycle Audit/Assurance Program and ICQ
  • SAP ERP BASIS Administration and Security Audit/Assurance Program and ICQ
  • SAP ERP Control Environment ICQ
  • Blank Audit/Assurance Program Template


COBIT 5 for Business Benefits Realisation

ISACA is writing the COBIT 5 for Business Benefits Realisation professional guide, which will support and enhance the COBIT 5 family of products by focusing on governance and management dimensions of business benefits realisation and providing contextualized guidance for consultants, experts in governance, business management, IT professionals and other interested parties at all levels of the enterprise. Business benefits realisation is a requirement from stakeholders and governance bodies to ensure that IT-business activity achieves the benefits that are envisioned when key investment decisions are made. The COBIT 5 framework helps enterprises to create optimal value from information technology by maintaining a balance between realising benefits and optimising risk levels and resource use.

Critical Cyber Event Governance and Management: Board and Executive Guidance

This white paper will discuss the need for governance over critical cyber events as a necessary component of risk management, and will outline the benefits in terms of business reputation and incident cost reduction that result when cyber event management is effectively planned for.


DevOps refers to the movement within IT to improve relationships between development and operations. It relies on agile-like development methods, allowing smaller code changes to be released more frequently (e.g., every 5 to 6 days) than under traditional development and release management (e.g., with long cycle times). These methods may be especially promising for new web-based applications, more so than for legacy applications. The first publication is DevOps Overview. The next paper, DevOps: Practitioner Considerations, will follow in the third quarter of 2015.

Internal Controls

This white paper will attempt to clarify the use and implementation of internal controls and the use of the COBIT framework. It will also address the move from control objectives to governance and management practices in COBIT 5. This publication is scheduled to be available in the fourth quarter of 2015.

Operational Risk Management/Basel Using COBIT 5

This will provide an update of the existing publication “IT Control Objectives Basel II” to align it with COBIT 5 and related publications. Concepts will be updated to reflect the current state of the technology, challenges, risk and necessary assurance practices. Publication is on hold pending the release of the updated COSO Enterprise Risk Management — Integrated Framework.


The book will describe the importance of protecting credit card and customer data and the role that compliance with the PCI DSS requirements plays in helping organizations develop and implement a security model that ensures the protection of data used for credit card processing. It will provide practical guidance related to the PCI DSS compliance requirements to help members understand how to achieve and maintain compliance with the standard through a robust security program that covers all six domains described in the latest PCI DSS standard, version 3.1. This book is scheduled to be available in the third quarter of 2015.

Privacy Principles and Program Management Guidance

This publication will offer uniform privacy guidance based on COBIT 5, including guidance on planning, implementing, and maintaining a comprehensive privacy program in an enterprise. The publication is scheduled to be available in the fourth quarter of 2015.