ISACA

Information Systems Audit and Control Association
Abbreviation: ISACA
Formation: 1969
Type: 501(c)(6)
Tax ID no.: 23-7067291 [1]
Purpose: To advance the pursuit of digital trust and the positive potential of technology.
Headquarters: Schaumburg, Illinois
Coordinates: 42°3′10.9794″N 88°2′11.9754″W (42.053049833, -88.036659833)
Region: Global
Membership: 169,000 (as of Dec 2022)
Official language: English
Key people: Erik Prusch (CEO), John De Santis
Revenue: USD $100.36 million (2022)
Expenses: USD $107.80 million (2022)
Staff: 300+ (2022)
Volunteers: 2,400 (2023)
Website: www.isaca.org
Formerly called: EDP Auditors Association
[2] [3] [4]

ISACA is an international professional association focused on information technology (IT) governance. On its IRS filings it is known as the Information Systems Audit and Control Association, although ISACA now goes by its acronym only. [1] [5] [6] ISACA currently offers 8 certification programs, as well as other micro-certificates.


History

ISACA originated in the United States in 1967, [5] when a group of individuals working on auditing controls in computer systems became increasingly critical of the operations of their organizations. They identified a need for a centralized source of information and guidance in the field. In 1969, Stuart Tyrnauer, an employee of the (later) Douglas Aircraft Company, incorporated the group as the EDP Auditors Association (EDPAA). [7] Tyrnauer served as the body's founding chairman for its first three years. In 1976 the association formed an education foundation to undertake large-scale research efforts to expand the knowledge of, and value accorded to, the fields of governance and control of information technology.

The association became the Information Systems Audit and Control Association in 1994. [8]

By 2008 the organization had dropped its long title and branded itself as ISACA. [9]

In March 2016, ISACA bought the CMMI Institute, which is behind the Capability Maturity Model Integration. [10]

In January 2020, ISACA updated and refreshed its look and digital presence, introducing a new logo. [11]

Current status

ISACA currently serves more than 170,000 constituents (members and professionals holding ISACA certifications) in more than 180 countries. [12] Members hold job titles such as IS auditor, consultant, educator, IS security professional, regulator, chief information officer, chief information security officer and internal auditor, and they work in nearly all industry categories. ISACA has a network of more than 225 chapters established in over 180 countries. Chapters provide education, resource sharing, advocacy, networking and other benefits. [13]

Major publications

Certifications

The CSX-P, ISACA's first cybersecurity certification, was introduced in the summer of 2015. It is one of the few certifications that require the individual to work in a live environment, with real problems, to obtain the certification. Specifically, the exam places test takers in a live network with a real incident taking place. The score awarded is based on the candidate's efforts to respond to the incident and fix the problem. [21]

Certificates


References

  1. "Information Systems Audit and Control Association Inc Form 990 2015". ProPublica. 9 May 2013. Retrieved 19 September 2017.
  2. "About us". ISACA. Retrieved 13 July 2020.
  3. "ISACA's Annual Reports". ISACA. Retrieved 4 May 2022.
  4. "Board of Directors". ISACA. Retrieved 21 July 2020.
  5. Archived 2 October 2007 at the Wayback Machine.
  6. Vacca, John (2009). Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc. p. 600. ISBN 978-0-12-374354-1.
  7. Katsikas, Sokratis K. (2000). "A Postgraduate Programme on Information and Communication Systems Security". In Qing, Sihan; Eloff, Jan H. P. (eds.). Information Security for Global Information Infrastructures. IFIP Advances in Information and Communication Technology, vol. 47. Springer. p. 50. ISBN 9780792379140. "[...] the Information Systems Audit and Control Association (ISACA - formerly EDPAA) [...]"
  8. Gleim, Irvin N.; Hillison, William A.; Irwin, Grady M. (June 1995). Auditing & Systems: Objective Questions and Explanations. Vol. 6 (6th ed.). Gainesville, Florida: Accounting Publications. p. 37. ISBN 9780917537745. "In 1994, the association changed its name to the Information Systems Audit and Control Association."
  9. Verschoor, Curtis C. (2008). Audit Committee Essentials. John Wiley & Sons. p. 205. ISBN 9780470337073. "[...] ISACA - previously known as the Information Systems Audit and Control Association [...]"
  10. Loeb, Matt. "ISACA Acquires CMMI Institute". ISACA. Archived from the original on 8 November 2019. Retrieved 1 June 2017.
  11. Samuelson, David. "New Look Marks a New Era for ISACA". ISACA. Retrieved 9 June 2020.
  12. "History of ISACA". ISACA. Retrieved 9 June 2020.
  13. "About Our Chapter – Isaca". Retrieved 8 December 2020.
  14. https://www.isaca50.org/files/images/ISACA50_Story_Gallery_Making_the_Mark-Importance_of_Certifications_website%20version.pdf. Archived 15 June 2020 at the Wayback Machine.
  15. "CSX-P | Cybersecurity Practitioner".
  16. "Certified Data Privacy Solutions Engineer".
  17. "Shift Your Career into Higher and Higher Gear". Information Technology Certified Associate. ISACA. Retrieved 4 May 2021.
  18. "New ISACA certification to help upskill IT professionals". Technology Decisions. Westwick-Farrow Pty Ltd. Retrieved 4 May 2021.
  19. "Fast Track Your Career in Emerging Technology". Certified in Emerging Technology. ISACA. Retrieved 4 May 2021.
  20. Barth, Bradley (21 April 2021). "New certification program trains cyber pros in cloud, IoT and other emerging tech". SC. CyberRisk Alliance, LLC. Retrieved 4 May 2021.
  21. "ISACA is First to Combine Skills-based Cybersecurity Training with per". 16 April 2015.