CISA Flashcards
Free flashcards for CISA: flip each card to reveal the definition. Built from the CISA glossary as a study aid, these are concept checks, not real exam questions.
All 33 terms
- IS audit
- An independent examination of information systems and their controls.
- Audit independence
- Freedom from relationships that could bias the auditor; you do not audit your own work.
- Objectivity
- An unbiased attitude that lets the auditor reach fair conclusions.
- Audit charter
- The document that grants the audit function its authority and scope.
- Risk-based auditing
- Planning and scoping audits by where the risk of control failure is greatest.
- Audit evidence
- The information used to support audit findings and conclusions.
- Sufficient and appropriate
- Evidence that is enough in quantity (sufficient) and both relevant and reliable in quality (appropriate).
- Sampling
- Selecting a subset of items to test, statistically or by judgement.
- Materiality
- Whether an error or weakness is significant enough to affect conclusions.
- Audit finding
- A gap between the condition observed and the expected control criterion.
- Control
- A measure that reduces risk by preventing, detecting or correcting an event.
- Preventive control
- A control that stops an undesirable event from occurring.
- Detective control
- A control that identifies an event after it has occurred.
- Corrective control
- A control that fixes or restores after an event.
- Compensating control
- An alternative control used when the primary control is impractical.
- General controls
- Controls over the whole IT environment (e.g., access, change, operations).
- Application controls
- Controls within a specific application (e.g., input validation, totals).
- Segregation of duties
- Splitting a task so no one person controls an entire sensitive process.
- IT governance
- The structures and processes that direct and control the IT function.
- SDLC
- Systems Development Life Cycle - the stages of building or acquiring a system.
- Post-implementation review
- A check after go-live that the system delivered the intended benefits and controls.
- Change management
- The controlled approval, testing and release of changes to systems.
- BIA
- Business Impact Analysis - identifies critical functions and the impact of disruption.
- RTO
- Recovery Time Objective - target time to restore a process after disruption.
- RPO
- Recovery Point Objective - the acceptable amount of data loss.
- BCP
- Business Continuity Plan - how the business keeps operating through disruption.
- DRP
- Disaster Recovery Plan - how IT services are restored after a disaster.
- Logical access control
- Technical controls that restrict who can use systems and data.
- Encryption
- Converting data so only authorised parties can read it.
- Data classification
- Labelling data by sensitivity to apply the right level of protection.
- Residual risk
- The risk that remains after controls have been applied.
- Inherent risk
- The risk that exists before any controls are applied.
- Control self-assessment
- A method where process owners assess their own controls, reviewed by audit.