
CERTIFIED INFORMATION SYSTEMS AUDITOR

The CISA exam is offered each year and consists of 200 multiple-choice questions that cover the five job practice domains created from the most recent CISA job practice analysis. The practice domains and percentages below indicate the emphasis of questions that will appear on the exam. The job practice analysis was developed and validated using prominent industry leaders, subject matter experts and industry practitioners.

Job Practice Domains

The domains and their definitions are as follows:

1. The Process of Auditing Information Systems (14 percent): Provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems.
2. Governance and Management of IT (14 percent): Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve objectives and to support the organization's strategy.
3. Information Systems Acquisition, Development and Implementation (19 percent): Provide assurance that the practices for the acquisition, development, testing, and implementation of information systems meet the organization's strategies and objectives.
4. Information Systems Operations, Maintenance and Support (23 percent): Provide assurance that the processes for information systems operations, maintenance and support meet the organization's strategies and objectives.
5. Protection of Information Assets (30 percent): Provide assurance that the organization's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.

CERTIFIED INFORMATION SECURITY MANAGER

The CISM exam is offered each year and consists of 200 multiple-choice questions that cover the five information security management job practice domains created from the most recent CISM job practice analysis. The percentages below indicate the emphasis of questions that will appear on the exam from each domain. The job practice analysis was developed and validated using prominent industry leaders, subject matter experts and industry practitioners.

Notice: The current CISM job practice is in the process of being updated to capture the changes that have occurred within the ever-evolving field of information security management. Please be aware that the December 2011 CISM exam administration will be the last time that the current CISM job practice (identified below) will be tested, as the revised job practice will be tested beginning in June 2012.

Job Practice Domains

The domains and their definitions are as follows:

1. Information security governance (23 percent): Establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.

2. Information risk management (22 percent): Identify and manage information security risks to achieve business objectives.
3. Information security program development (17 percent): Create and maintain a program to implement the information security strategy.
4. Information security program management (24 percent): Oversee and direct information security activities to execute the information security program.
5. Incident management and response (14 percent): Plan, develop and manage a capability to detect, respond to and recover from information security incidents.

CERTIFIED IN THE GOVERNANCE OF ENTERPRISE IT

Supported by the IT Governance Institute (ITGI™) and built on ITGI's intellectual property and input from subject-matter experts from around the world, the CGEIT designation is designed for professionals who have a significant management, advisory or assurance role relating to the governance of IT. The CGEIT exam consists of 120 multiple-choice questions that cover six job practice domains. The task and knowledge statements within each domain are intended to depict the tasks performed by individuals who have a significant management, advisory or assurance role relating to the governance of IT, and the knowledge requirements to perform these tasks. They are also intended to define the roles and responsibilities of the professionals performing IT governance work. The job practice domains and percentages below indicate the emphasis of questions that will appear on the exam.

Job Practice Domains

The job practice consists of task and knowledge statements, organized by domains. The domains and their definitions are as follows:

1. IT Governance Framework (25 percent): Define, establish and maintain an IT governance framework (leadership, organizational structures and processes) to: ensure alignment with enterprise governance; control the business information and information technology environment through the implementation of good practices; and ensure compliance with external requirements.
2. Strategic Alignment (15 percent): Ensure that IT enables and supports the achievement of business objectives through the integration of IT strategic plans with business strategic plans and the alignment of IT services with enterprise operations to optimize business processes.
3. Value Delivery (15 percent): Ensure that IT and the business fulfill their value management responsibilities: that IT-enabled business investments achieve the benefits as promised and deliver measurable business value both individually and collectively, that required capabilities (solutions and services) are delivered on time and within budget, and that IT services and other IT assets continue to contribute to business value.
4. Risk Management (20 percent): Ensure that appropriate frameworks exist and are aligned with relevant standards to identify, assess, mitigate, manage, communicate and monitor IT-related business risks as an integral part of an enterprise's governance environment.

5. Resource Management (13 percent): Ensure that IT has sufficient, competent and capable resources to execute current and future strategic objectives and keep up with business demands by optimizing the investment, use and allocation of IT assets.
6. Performance Measurement (12 percent): Ensure that business-supporting IT goals/objectives and measures are established in collaboration with key stakeholders, and that measurable targets are set, monitored and evaluated.

CERTIFIED IN RISK AND INFORMATION SYSTEMS CONTROL

The CRISC exam is offered twice each year and consists of 200 multiple-choice questions that cover five domains defined by the CRISC job practice. The domains and percentages below indicate the content and the emphasis of questions that will appear on the exam. The job practice is based on ISACA's global research and frameworks, including Risk IT and COBIT 4.1, independent market research, and input from thousands of subject matter experts (SMEs) from around the world. The statements within each domain are intended to define the roles and responsibilities of the CRISC professional.

Domains

The job practice consists of task and knowledge statements, organized by domains. These statements and domains were the result of extensive research and feedback from risk and control SMEs around the world. The domains and their definitions are as follows:

1. Domain 1 - Risk Identification, Assessment and Evaluation (31 percent): Identify, assess and evaluate risk factors to enable the execution of the enterprise risk management strategy.
2. Domain 2 - Risk Response (17 percent): Develop and implement risk responses to ensure that risk factors and events are addressed in a cost-effective manner and in line with business objectives.
3. Domain 3 - Risk Monitoring (17 percent): Monitor risk and communicate information to the relevant stakeholders to ensure the continued effectiveness of the enterprise's risk management strategy.
4. Domain 4 - Information Systems Control Design and Implementation (17 percent): Design and implement information systems controls in alignment with the organization's risk appetite and tolerance levels to support business objectives.
5. Domain 5 - Information Systems Control Monitoring and Maintenance (18 percent): Monitor and maintain information systems controls to ensure that they function effectively and efficiently.

