CISA Domain 2: Governance and Management of IT

Domain 1 prepares the auditor to plan, perform and report an audit; Domain 2 puts that knowledge into practice by evaluating an organization’s governance and management controls.

ISACA describes the role of the auditor in this area as ‘Assuring that the necessary leadership and organizational structures and processes are in place to achieve the objectives and to support the enterprise strategy,’ and candidates need to understand how to evaluate that:

  • the IT strategy and delivery portfolio support the organization’s business objectives,
  • resource allocation supports the IT strategy,
  • an effective IT governance structure is being used, and
  • a robust Business Continuity Plan (BCP) is in place.

The domain is closely related to the ISACA CGEIT Certification, and candidates who have a working knowledge of its content will be a step ahead.

Candidates need to understand how an organization develops, implements and maintains an IT strategy that supports its strategic objectives. Doing so requires knowledge of the strategic planning process and how strategy, policy, processes, procedures, and standards are integrated to deliver business objectives.

The IT strategy is delivered through a portfolio of activities and IT portfolio management is an ongoing process that responds to continuous feedback from activities like risk assessments, revised business goals, new regulations and business improvement initiatives. Tools such as the IT Capability Management Framework provide a structured approach to the creation of an effective IT strategy and its decomposition into a delivery portfolio.

Direction must come from the top: board members and senior managers need to give clear direction and have an ongoing responsibility to ensure that business objectives are defined, an IT strategy is prepared, and its execution is effectively governed. Typically, they will use a strategy committee to help shape the strategy’s content and a steering committee to make decisions on portfolio content, prioritization, funding and issue management.


*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Brian Hickey. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/qGr5BhCvhaY/