A. Information Asset Security and Control

• Information Asset Security Frameworks, Standards, and Guidelines
• Privacy Principles
• Physical Access and Environmental Controls
• Identity and Access Management
• Network and End-Point Security
• Data Classification
• Data Encryption and Encryption-Related Techniques
• Public Key Infrastructure (PKI)
• Web-Based Communication Techniques
• Virtualized Environments
• Mobile, Wireless, and Internet-of-Things (IoT) Devices

B. Security Event Management

• Security Awareness Training and Programs
• Information System Attack Methods and Techniques
• Security Testing Tools and Techniques
• Security Monitoring Tools and Techniques
• Incident Response Management
• Evidence Collection and Forensics

-Supporting Tasks

• Plan audit to determine whether information systems are protected, controlled, and provide value to the organization.
• Conduct audit in accordance with IS audit standards and a risk‐based IS audit strategy.
• Communicate audit progress, findings, results, and recommendations to stakeholders.
• Conduct audit follow‐up to evaluate whether risks have been sufficiently addressed.
• Evaluate the IT strategy for alignment with the organization’s strategies and objectives.
• Evaluate the effectiveness of IT governance structure and IT organizational structure.
• Evaluate the organization’s management of IT policies and practices.
• Evaluate the organization’s IT policies and practices for compliance with regulatory and legal requirements.
• Evaluate IT resource and portfolio management for alignment with the organization’s strategies and objectives.
• Evaluate the organization's risk management policies and practices.
• Evaluate IT management and monitoring of controls.
• Evaluate the monitoring and reporting of IT key performance indicators (KPIs).
• Evaluate the organization’s ability to continue business operations.
• Evaluate whether the business case for proposed changes to information systems meet business objectives.
• Evaluate whether IT supplier selection and contract management processes align with business requirements.
• Evaluate the organization's project management policies and practices.
• Evaluate controls at all stages of the information systems development lifecycle.
• Evaluate the readiness of information systems for implementation and migration into production.
• Conduct post‐implementation review of systems to determine whether project deliverables, controls, and requirements are met.
• Evaluate whether IT service management practices align with business requirements.
• Conduct periodic review of information systems and enterprise architecture.
• Evaluate IT operations to determine whether they are controlled effectively and continue to support the organization’s objectives.
• Evaluate IT maintenance practices to determine whether they are controlled effectively and continue to support the organization’s objectives.
• Evaluate database management practices.
• Evaluate data governance policies and practices.
• Evaluate problem and incident management policies and practices.
• Evaluate change, configuration, release, and patch management policies and practices.
• Evaluate end-user computing to determine whether the processes are effectively controlled.
• Evaluate the organization's information security and privacy policies and practices.
• Evaluate physical and environmental controls to determine whether information assets are adequately safeguarded.
• Evaluate logical security controls to verify the confidentiality, integrity, and availability of information.
• Evaluate data classification practices for alignment with the organization’s policies and applicable external requirements.
• Evaluate policies and practices related to asset lifecycle management.
• Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives.
• Perform technical security testing to identify potential threats and vulnerabilities.
• Utilize data analytics tools to streamline audit processes.
• Provide consulting services and guidance to the organization in order to improve the quality and control of information systems.
• Identify opportunities for process improvement in the organization's IT policies and practices.
• Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices.

A. Planning

• IS Audit Standards, Guidelines, and Codes of Ethics
• Business Processes
• Types of Controls
• Risk-Based Audit Planning
• Types of Audits and Assessments

B. Execution

• Audit Project Management
• Sampling Methodology
• Audit Evidence Collection Techniques
• Data Analytics
• Reporting and Communication Techniques
• Quality Assurance and Improvement of the Audit Process

• Project Governance and Management
• Business Case and Feasibility Analysis
• System Development Methodologies
• Control Identification and Design

B. Information Systems Implementation

• Testing Methodologies
• Configuration and Release Management
• System Migration, Infrastructure Deployment, and Data Conversion
• Post-implementation Review

A. IT Governance

• IT Governance and IT Strategy
• IT-Related Frameworks
• IT Standards, Policies, and Procedures
• Organizational Structure
• Enterprise Architecture
• Enterprise Risk Management
• Maturity Models
• Laws, Regulations, and Industry Standards affecting the Organization

B. IT Management

• IT Resource Management
• IT Service Provider Acquisition and Management
• IT Performance Monitoring and Reporting
• Quality Assurance and Quality Management of IT

A. Information Systems Operations

• Common Technology Components
• IT Asset Management
• Job Scheduling and Production Process Automation
• System Interfaces
• End-User Computing
• Data Governance
• Systems Performance Management
• Problem and Incident Management
• Change, Configuration, Release, and Patch Management
• IT Service Level Management
• Database Management

B. Business Resilience

• Business Impact Analysis (BIA)
• System Resiliency
• Data Backup, Storage, and Restoration
• Business Continuity Plan (BCP)
• Disaster Recovery Plans (DRP)