我对CISA前景方向的看法和思考

yolanda

不过从完善自身知识体系以及帮助自己更好的处理工作内容的角度出发，cissp和cisa都还是不无裨益的。若纯粹从找工作或者待遇的角度讲，很遗憾，目前这个市场在国内还没起来

晴朗天

所言极是，所以我在想花这样的代价考这东西值不值得？

D99

学IT的，看些管理不无好处，我想CISA就是这样的一个切入点，配合种种已经标准化的文件，能从总体上对信息系统有很好的把握。对现状，为别人咨询的可能的确很小（因为很少有人需要那么系统的而且框架的东西），但从管理的角度，前景还是很广的。要知道，现实中的很多IT经理人并没有非常系统的管理思路和指导文件。

swordfz

wangderek说的好。真正的知识是要在实践中获得的，考试只不过给了你一个知识框架

cliffman

--------------------------

hfjpl

好，一定要考。

ITIL

我觉得很多人对CISA有一个认识的误区，CISA的责任不是建立一个安全完善的系统，他也没有能力做到这一点，他的责任应该是审核现有系统及应用的可靠性，安全性，可恢复性等，同时需要审核企业的IT管理流程。一个大型企业使用CISA的目的是确保自己IT系统的规范运作和维护，发现潜在的系统或者流程风险。

better

我认为说得挺对！

tttkoo

IT 审计不挣钱,但是忽略它会让你不光赔钱还会丢脸

ching

I just found out this thread and thought I would like to contribute some from my exprience. The followings are from a letter to a friend in china and from my old thread.

I am doing security and control management, which includes internal audit. I haven't stepped into audit management, which is also interesting to me. Because of my IT architect background, I just feel I am much better in IT audit than in management. In America, it is so far not a very good or promising area in IT audit however. I would like to start looking at mainland china to see if things could be different for IT audit.  I don't want to mislead you, but IT audit is always appended to financial or business audit and I doubt it will become a very profit business. So the effort and time spent to get into it from other IT areas may disappoint you. However, the audit management, including IT audit management or control management, is totally different.


We also have preventive control audit as regular practice in IT where we have found that strong technology background can help alot. However, I will still agree with you that audit is business oriented. For example, there are three types of internal IT audit in our company (I remember someone asked this question about what IT audit is). One is the business process audit with supported IT applications; another one is IT business process audit; the last one is IT applications audit. These kinds of audit will all require IT audit towards IT applications/systems. As for external audit, we use one of the big 4 and they are basically the business process audit with IT applications support. There are also IT business processes and/or applications that will likely be picked up by annual exteranl audit, but not as many as those from business side. Even if your company is IT business, like IBM, internal controls would not be too much different from others. On the other hand, IT has become widely used everywhere within the business and it's not very common for an audit without IT involvement.