I’ve been studying for the CISA (Certified Information Systems Auditor) exam recently, for several reasons (mostly just to pick up chicks, though). I started studying thinking that this certification was going to be highly examiner oriented. In other words, I thought that this certification was going to suggest I make tons of security recommendations that would not add any value to our clients and would hinder operations with documentation or add red tape to otherwise efficient processes.
So, I was very pleased to discover that as a CISA you need to be able to add value with all recommendations, which is something Garland Groupers try to do every day. This really makes us more consultants than auditors: outsiders looking in, making considered suggestions about how to do things better.
What I’ve learned from my CISA studies….
1) Every recommendation needs to add value to THIS client.
2) Money-saving and efficiency suggestions are everywhere; you just have to look for them.
3) Risk assessments really do work, even if it is just to document risks that will be accepted.
4) Encourage debate from the auditee; it will really help all parties flesh out ideas.
5) If you have insomnia, read some COBIT guidelines…it’ll knock you out.
I sit for my test on December 13th. Wish me luck, and hopefully the next time you see me I’ll be Charles Heath Stanlely, CISA*