ISACA, who offer the well-known Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of
Enterprise IT (CGEIT) and Certified in Risk and Information
Systems Control (CRISC) certifications, have announced the introduction of revised Information Systems (IS) Audit and Assurance Standards.
The new standards have been restructured in order to yield additional clarity, include the definition of key terms and to further align with other global auditing bodies. They will come into effect on the first of November this year.
The standards, first introduced in 1988, define certain mandatory requirements with regard to information systems auditing and reporting. They inform security professionals of the minimum performance level required and provide management with a good guideline as to the standard they should expect from a practitioner.
The updated standards are allocated into three categories:
1. General standards (1000 series)
The standards in this series focus upon the guiding principles under which the information systems assurance profession operates. The principles in this series apply to the conduct of all assignments and include topics such as ethics, independence, objectivity, due care, knowledge, competency and skill.
2. Performance standards (1200 series)
Standards in the 1200 series deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercise of professional judgment and due care.
3. Reporting standards (1400 series)
The last group of standards address the types of reports, means of communication and the information communicated.
The full list of updated standards are as follows:
- 1001 Audit charter
- 1002 Organisational Independence
- 1003 Professional Independence
- 1004 Reasonable Expectation
- 1005 Due Professional Care
- 1006 Proficiency
- 1007 Assertions
- 1008 Criteria
- 1201 Engagement Planning
- 1202 Risk Assessment in Planning
- 1203 Performance And Supervision
- 1204 Materiality
- 1205 Evidence
- 1206 Using The Work Of Other Experts
- 1207 Irregularity And illegal Acts
- 1401 Reporting
- 1402 Follow-up Activities
Keeping abreast of changes to ISACA standards is especially important to security professionals who hold the Certified Information Systems Auditor (CISA) certification as their compliance to them is essential.