CISA Glossary
IS Audit Glossary
A
Access Control
Domain 5 — Protection of Information Assets
Access control encompasses the policies, procedures, and technical mechanisms that govern who can access what resources, under what conditions, and wi...
Audit Evidence
Domain 1 — Information Systems Auditing Process
Audit evidence is information collected by an auditor to support audit conclusions and opinions. It can be physical (documents, reports), testimonial ...
Audit Risk
Domain 1 — Information Systems Auditing Process
Audit risk is the risk that the auditor may issue an incorrect opinion or conclusion. It is composed of inherent risk (the susceptibility of a process...
Audit Sampling
Domain 1 — Information Systems Auditing Process
Audit sampling is the application of audit procedures to less than 100% of items in a population, with the expectation that the sample is representati...
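An added illustration of the two selection methods an IS auditor most often documents for a sample, random and systematic, with a reproducible seed so the selection can be re-performed, followed by a simple comparison of the observed deviation rate against the tolerable rate. This is example code written for this glossary, not the page's own material; the population of access-request records, the deviation test ("no approval ticket") and the tolerable rate are constructed assumptions.

```python
import random


def build_population(size=200):
    """Constructed sample population (not from the glossary): access-request
    records where every 25th record is missing its approval ticket."""
    return [
        {"id": f"REQ-{i:04d}", "approval_ticket": None if i % 25 == 0 else f"CHG-{i}"}
        for i in range(size)
    ]


def random_sample(population, n, seed):
    """Simple random selection: every item has an equal chance of being picked.
    The seed is recorded in the working papers so the selection is repeatable."""
    rng = random.Random(seed)
    return rng.sample(population, n)


def systematic_sample(population, n, seed):
    """Systematic selection: a random start, then every k-th item where
    k = population size // sample size."""
    interval = len(population) // n
    if interval < 1:
        raise ValueError("sample size exceeds population size")
    start = random.Random(seed).randrange(interval)
    return [population[start + k * interval] for k in range(n)]


def is_deviation(record):
    """Attribute under test: a request with no linked approval ticket is a control
    deviation (assumed control: every access request needs an approved ticket)."""
    return record["approval_ticket"] is None


def evaluate(sample, tolerable_rate):
    """Count deviations in the sample and compare the sample deviation rate with
    the tolerable rate set when the test was planned."""
    deviations = [r["id"] for r in sample if is_deviation(r)]
    rate = len(deviations) / len(sample)
    return {
        "sample_size": len(sample),
        "deviations": deviations,
        "deviation_rate": rate,
        "within_tolerance": rate <= tolerable_rate,
    }


if __name__ == "__main__":
    pop = build_population()
    for name, sample in (("random", random_sample(pop, 20, seed=2024)),
                         ("systematic", systematic_sample(pop, 20, seed=2024))):
        print(name, evaluate(sample, tolerable_rate=0.05))
```

Systematic selection is only safe when the population has no pattern aligned with the interval; the constructed population above has a deviation every 25 records, so an interval of 25 would either hit every deviation or none, which is exactly the bias the auditor should check for before choosing the method.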
B
Backup Strategy
Domain 4 — Information Systems Operations and Business Resilience
A backup strategy defines what data is backed up, how frequently, to what media type, and how backups are stored and retained. Common approaches inclu...
Business Continuity Plan (BCP)
Domain 4 — Information Systems Operations and Business Resilience
A Business Continuity Plan (BCP) is a documented set of procedures and information that enables an organisation to continue critical operations during...
C
Change Management
Domain 3 — Information Systems Acquisition, Development and Implementation
Change management is the formal process for controlling modifications to IT systems, infrastructure, and applications. It includes change request subm...
Cloud Security / Shared Responsibility Model
Domain 5 — Protection of Information Assets
The shared responsibility model defines which security controls are managed by the cloud provider and which are managed by the customer. Generally, th...
Compensating Control
Domain 5 — Protection of Information Assets
A compensating control is an alternative control implemented when a primary control cannot be applied due to technical or business constraints. It mit...
I
Identity and Access Management (IAM)
Domain 5 — Protection of Information Assets
Identity and Access Management (IAM) is the framework of policies, processes, and technologies that ensures the right individuals access the right res...
Internal Control
Domain 1 — Information Systems Auditing Process
Internal controls are the policies, procedures, practices, and organisational structures designed to provide reasonable assurance that business object...
R
Recovery Time Objective (RTO) & Recovery Point Objective (RPO)
Domain 4 — Information Systems Operations and Business Resilience
RTO is the maximum acceptable time a system can be unavailable after a disruption before the impact becomes unacceptable. RPO is the maximum acceptabl...
Risk Assessment
Domain 2 — Governance and Management of IT
Risk assessment is the systematic process of identifying, analysing, and evaluating risks to an organisation's objectives. It involves determining the...
Role-Based Access Control (RBAC)
Domain 5 — Protection of Information Assets
RBAC is an access control model where permissions are assigned to roles rather than individuals, and users are assigned to roles based on their job fu...
S
Segregation of Duties (SoD)
Domain 5 — Protection of Information Assets
Segregation of Duties is an internal control principle that requires no single individual to have control over all phases of a critical transaction or...
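An added example serving both the Role-Based Access Control and the Segregation of Duties entries above: a small RBAC policy in which permissions attach to roles, users hold roles, and mutually exclusive role pairs enforce SoD at assignment time (static SoD) and at transaction time (the maker-checker rule that the approver must be a different user). It also includes the audit query an IS auditor would run to find users who hold a conflicting pair regardless of how the roles were assigned. This is illustrative code written for this glossary, not the page's own; the accounts-payable roles, permission names and user names are constructed.

```python
from dataclasses import dataclass, field


class SodViolation(Exception):
    """Raised when an assignment or action would breach segregation of duties."""


@dataclass
class RbacPolicy:
    role_permissions: dict = field(default_factory=dict)  # role -> set of permissions
    user_roles: dict = field(default_factory=dict)        # user -> set of roles
    exclusive_pairs: set = field(default_factory=set)     # frozenset({role_a, role_b})

    def grant(self, role, *permissions):
        """Attach permissions to a role (never directly to a user)."""
        self.role_permissions.setdefault(role, set()).update(permissions)

    def declare_exclusive(self, role_a, role_b):
        """Static SoD rule: no single user may hold both roles."""
        self.exclusive_pairs.add(frozenset((role_a, role_b)))

    def can_assign(self, user, role):
        """True if giving `user` the role would not breach any exclusive pair."""
        held = self.user_roles.get(user, set())
        return all(frozenset((other, role)) not in self.exclusive_pairs for other in held)

    def assign(self, user, role):
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        if not self.can_assign(user, role):
            raise SodViolation(f"{user} cannot hold {role} with roles {sorted(self.user_roles[user])}")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions_of(self, user):
        """Effective permissions are the union of the user's roles' permissions."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def is_allowed(self, user, permission):
        return permission in self.permissions_of(user)

    def sod_violations(self):
        """Audit view: users holding an exclusive pair, however the roles got there
        (e.g. a bulk import or a direct database change that bypassed assign())."""
        found = []
        for user, roles in sorted(self.user_roles.items()):
            for pair in self.exclusive_pairs:
                if pair <= roles:
                    found.append((user, tuple(sorted(pair))))
        return found


def approve_payment(policy, initiator, approver):
    """Dynamic SoD (maker-checker): the payment creator may not be its approver,
    and both parties must hold the matching permission through a role."""
    if initiator == approver:
        raise SodViolation("initiator may not approve their own payment")
    if not policy.is_allowed(initiator, "payment:create"):
        raise PermissionError(f"{initiator} cannot create payments")
    if not policy.is_allowed(approver, "payment:approve"):
        raise PermissionError(f"{approver} cannot approve payments")
    return True


def build_sample_policy():
    """Constructed accounts-payable policy (assumed roles and users, not from the glossary)."""
    p = RbacPolicy()
    p.grant("ap_clerk", "payment:create", "vendor:read")
    p.grant("ap_manager", "payment:approve", "vendor:read")
    p.grant("vendor_admin", "vendor:create", "vendor:read")
    p.declare_exclusive("ap_clerk", "ap_manager")      # create vs approve payment
    p.declare_exclusive("vendor_admin", "ap_manager")  # create vendor vs approve its payment
    p.assign("alice", "ap_clerk")
    p.assign("bob", "ap_manager")
    p.assign("carol", "vendor_admin")
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    print("alice permissions:", sorted(policy.permissions_of("alice")))
    print("alice -> bob approval:", approve_payment(policy, "alice", "bob"))
    print("may alice also become ap_manager?", policy.can_assign("alice", "ap_manager"))
    print("SoD violations:", policy.sod_violations())
```

The static check in assign() prevents a conflicting pair from being granted through the normal path; sod_violations() is the detective control that catches the same condition when the pair arrived some other way, which is the query an auditor reviewing the user-role table would actually run.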
Systems Development Lifecycle (SDLC)
Domain 3 — Information Systems Acquisition, Development and Implementation
SDLC is a structured framework for planning, designing, developing, testing, and deploying information systems. Common methodologies include waterfall...