
PART 1 – CISA Domain 2 – Governance and Management of IT

This article covers –

  • Overall understanding of the domain
  • Important concepts to focus on from exam point of view

  The article is split into 5 parts as below:

    • Part 1 – Corporate Governance, Governance of Enterprise IT (GEIT), Auditor’s role in GEIT
    • Part 2 – IT Balanced Score Card (BSC), IT Governing Committee (IT Strategy and Steering committee), Maturity and process improvement models
    • Part 3 – Risk Management, Human Resource Management, Sourcing Practices
    • Part 4 – Information Security – Roles and Responsibilities, Business Continuity Planning (BCP), Business Impact Analysis (BIA)
    • Part 5 – Classification of Systems and criticality analysis, Components of Business Continuity Planning (BCP), Plan Testing.

Part 1 covers:

  • Overall understanding of the domain
  • What is Corporate Governance?
  • What is Governance of Enterprise IT (GEIT)?
  • What is the role of the auditor in GEIT?

Overall understanding of the domain:

  • Knowledge of the organization’s technology direction and IT architecture and their implications for setting long-term strategic directions
  • Knowledge of the processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
  • Knowledge of the use of capability and maturity models
  • Knowledge of process optimization techniques
  • Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, personnel management)
  • Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
  • Knowledge of enterprise risk management (ERM)
  • Knowledge of practices for monitoring and reporting of controls performance (e.g., continuous monitoring, quality assurance [QA])
  • Knowledge of quality management and quality assurance (QA) systems
  • Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced scorecards [BSCs], key performance indicators [KPIs])
  • Knowledge of business impact analysis (BIA)
  • Knowledge of the standards and procedures for the development, maintenance and testing of the business continuity plan (BCP)
  • Knowledge of procedures used to invoke and execute the business continuity plan and return to normal operations
Important concepts from exam point of view:

1. Corporate Governance:

  • It is the system by which an entity is directed and controlled
  • It is a set of responsibilities and practices that provide strategic direction, thereby ensuring that
    • Goals are achievable,
    • Risks are properly addressed and
    • Organizational resources are properly utilized
  • It involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders
Points to remember:

  • To have effective IT governance, the IT plan should be consistent with the overall business plan
  • To improve the alignment of information security with the business, the best practice is to involve top management to mediate between business and information systems.

2. Governance of Enterprise IT (GEIT):

  • GEIT is one of the domains of corporate governance
  • GEIT is a system in which all stakeholders, including the board, senior management, internal customers and departments such as finance, provide input into the decision-making process.
  • GEIT is the responsibility of the board of directors and executive management.
  • The purposes of GEIT are:
    • to direct IT endeavors to ensure that IT performance meets the objectives of aligning IT with the enterprise’s objectives and the realization of promised benefits
    • to enable the enterprise by exploiting opportunities and maximizing benefits
    • to ensure that IT resources are used responsibly and IT-related risk is managed appropriately
  • The key element of GEIT is the alignment of business and IT, leading to the achievement of business value.
  • Examples of GEIT frameworks include the following:
    • COBIT 5 is developed by ISACA, which includes five principles, five domains, 37 processes and 210 practices
    • The International Organization for Standardization (ISO)/International Electro-technical Commission (IEC) 27001 (ISO 27001) – provides guidance to organizations implementing and maintaining information security programs.
    • The Information Technology Infrastructure Library (ITIL) was developed by the UK Office of Government Commerce (OGC)
    • ISO/IEC 38500:2008 Corporate governance of information technology
    • ISO/IEC 20000 is a specification for service management that is aligned with ITIL’s service management framework
Points to remember:

  • Though ISACA does not test on ISO numbers, it is good to know the ISO numbers and standards and their scope/description to understand the subject better
    • ISO 27001 (BS 7799) – ISO standard for information security management systems (ISMS) – (Requirements – 0 to 10; Controls – 114; Control objectives – 35; Domains – 14)
    • ISO 38500 – Information technology – Security techniques – Code of practice for information security controls.
    • ISO 20000 – ISO standard for information technology service management (ITSM) systems. The standard was developed to mirror the best practices described in ITIL
  • Relationship between COBIT and ITIL – COBIT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them

3. Auditor’s Role in Governance of Enterprise IT (GEIT):

  • To provide leading-practice recommendations to senior management to help improve the quality and effectiveness of the IT governance initiatives implemented
  • To help ensure compliance with GEIT initiatives implemented within an organization
  • Continuous monitoring, analysis and evaluation of metrics associated with GEIT initiatives require an independent and balanced view to ensure a qualitative assessment that subsequently facilitates the qualitative improvement of IT processes and associated GEIT initiatives
  • To check on the alignment of the IT function with the organization’s mission, vision, values, objectives and strategies
  • To ensure compliance with legal, environmental, information quality, fiduciary, security and privacy requirements


Aswini Srinath
Writer and Editor
I am a qualified Chartered Accountant based out of Chennai, with 8+ years of experience in various roles in the finance domain, including CA practice, financial reporting and auditing. I have always been keen to challenge myself by exploring potential capabilities outside of my core competency. Picked up Information Security as one such thing. Cleared CISA with 2nd rank in the ISACA Chennai Chapter in 2019. Since then, I have been sharing my learning and experience with a small group of avid followers, helping them prepare for their CISA exams. This article is also one such attempt, where I summarize the key areas in each domain based on their importance and weightage from an exam point of view.