Current Projects 


Audit/Assurance Programs

ISACA is currently updating the audit/assurance programs for COBIT 5. The first group of programs to be released is a series of programs for the COBIT 5 processes, based on the generic structure developed in the COBIT 5 for Assurance publication. The new audit/assurance programs are fully aligned with COBIT 5, and explicitly reference all seven enablers. The programs below have been released.

DevOps Series

DevOps refers to the movement within IT to improve relationships between development and operations. It relies on agile-like development methods, allowing smaller code changes to be released more frequently (e.g., every 5 to 6 days) when compared with traditional development and release management (e.g., with long cycle times). These methods may be especially promising for new web-based applications (e.g., more than legacy applications). The first publication in this series is DevOps Overview. Additional papers in the series will follow in 2015.

Industrial Control Systems (ICS)

Industrial control systems (ICS) - a broad term capturing distributed control systems (DCS), programmable logic controllers (PLC) and supervisory control and data acquisition (SCADA) - have long existed in many industrial and manufacturing settings but were traditionally disjoined. Technological advances and convergence with traditional information systems necessitate unparalleled security for the critical services they provide. Headline stories such as Stuxnet, Duqu and Flame reveal their fallibility and serve as constant reminders to stay vigilant about vulnerabilities and attack vectors. This white paper is intended to be a primer capturing ICS evolution, a comparison between ICS and traditional IT cybersecurity, and the challenges facing the industry. It is scheduled to be available in the second quarter of 2015.

Internal Controls

This white paper will attempt to clarify the issue of using and implementing internal controls and using the COBIT framework. It will also address the move from having control objectives to governance and management practices in COBIT 5. This publication is scheduled to be available in the third quarter of 2015.

Operational Risk Management/Basel Using COBIT 5

This will provide an update of the existing publication “IT Control Objectives Basel II” to align it with COBIT 5 and related publications. Concepts will be updated to reflect the current state of the technology, challenges, risk and necessary assurance practices. Publication is on hold pending the release of the updated COSO Enterprise Risk Management — Integrated Framework.


The book will describe the importance of protecting credit card and customer data and the role that compliance with the PCI DSS requirements plays in helping organizations develop and implement a security model that ensures the protection of data used for credit card processing. It will provide practical guidance related to the PCI DSS compliance requirements to help members understand how to achieve and maintain compliance with the standard through a robust security program that covers all six domains described in the PCI DSS standard. This book is scheduled to be available in the second quarter of 2015.

Security, Audit and Control Features SAP ERP, 4th Edition

This publication updates the 2009 edition of this practical, how-to guide in the technical and risk management series. It enables assurance, security and risk professionals (both IT and non-IT) to evaluate risks and controls in existing ERP implementations and facilitates the design and building of better practice controls into system upgrades and enhancements. It is scheduled to be available in the second quarter of 2015.