Domain 5 - Protection of
Information Assets
• If you want to be an IT auditor, or are one now
and don't have a certification, then why not consider
the Certified Information Systems Auditor (CISA)
credential?
• This is one of the key certifications employers look
for when considering candidates for IT auditor and
assurance positions worldwide.
• To earn CISA certification, candidates must pass a
comprehensive exam that covers five domains
focused on auditing processes, IT governance,
systems acquisition, operations, and information
asset protection.
• Here is how the CISA stacks up to other
certifications:
Domain 5: Protection of
Information Assets (25% of the
exam)
• This domain covers the critical aspects of
safeguarding information assets from unauthorized
access, use, disclosure, disruption, modification, or
destruction.
• You'll gain expertise in data security, identity
management, and encryption technologies to protect
sensitive information and comply with relevant
regulations.
Key topics and skills covered:
• Data security principles and best practices
• Access control mechanisms and identity management
• Encryption and data loss prevention technologies
• Security incident management and forensics
• Privacy and information security laws and regulations
• BYOD and cloud security risks and mitigation strategies
The focus of Domain 5 is the evaluation of controls for
protecting information assets. The syllabus covers:
• Logical security controls
• Physical and environmental security controls
• Information management
• Evaluating the effectiveness of the overall security system
Logical security controls
• Logical access is the ability to interact with computing
resources through remote, direct or local network access.
Logical access controls are used to prevent unwarranted
access and cover all elements of the organization's
information systems.
• Auditors have a key role in verifying that the correct logical
access controls are in place and are actually being applied.
Physical and environmental security controls
• Many organizations focus on logical security at the
expense of physical security, leaving physical access as a
soft target for cybercriminals.
• Physical access controls restrict the entry and exit of
personnel to secure areas such as offices, data centers or
information storage facilities.
• Controls should extend to everyone: permanent and
temporary staff, third-party suppliers and occasional
visitors.
Information management
• Data leakage is the unapproved transfer of sensitive
information outside the organization. Preventing it requires
controls on the storage, retrieval, transport, and disposal
of all data assets.
• Most organizations use a classification scheme that has
between 3 and 5 levels (e.g., public, sensitive, restricted)
to apply different degrees of control to their information
assets.
Evaluating overall effectiveness
In addition to looking at specific controls, auditors need to
check that the other elements of an ISMS are in place, for
example:
• Written policies, procedures, and standards
• Data custodians and owners
• A nominated security administrator and deputy
• Regular security awareness and training

Ch5-20_CISA.ppt About CISA Certification