CHAPTER 1 – CONCEPTS OF GOVERNANCE AND MANAGEMENT OF INFORMATION SYSTEMS

Exam Year  Questions Asked
May 19     Benefits of Governance
           Key Management Practices of IT Compliance
Nov 18     1.12.5 Evaluating and Assessing the System of Internal Controls - key management practices for assessing and evaluating the system of internal controls in an enterprise
           1.8.4 Key Management Practices for Aligning IT Strategy with Enterprise Strategy
           1.10.10 Using COBIT 5 Best Practices for GRC - Specific success of a Governance, Risk and Compliance (GRC) program using COBIT 5 can be measured by using the following goals and metrics:
May 18     1.9.7 Metrics of Risk Management
           1.9.6 Key Management Practices of Risk Management
           1.10.4 Benefits of COBIT 5
           (b) Internal Controls as per COSO: Internal Control comprises the following five interrelated components:

CHAPTER 2 – INFORMATION SYSTEMS CONCEPTS


Exam Year  Questions Asked
May 19     The Executive Decision-Making Environment - The characteristics of the types of information used in executive decision-making:
           Overview of Underlying IT Technologies - (iv) Business Intelligence (short note)
Nov 18     (f) Limitations of MIS
           (b) Benefits of Expert Systems
           Characteristics of Computer Based Information Systems (CBIS)
May 18     Misconceptions about MIS
           To operate Information Systems (IS) effectively and efficiently, a business manager should have the following knowledge about them:
           Some of the business application areas of Expert Systems are as follows:

CHAPTER 3 – PROTECTION OF INFORMATION SYSTEMS


Exam Year  Questions Asked
May 19     Phases of Program Development Life Cycle
           Controls over Data Integrity and Security - Classification of Information is as follows:
Nov 18     (c) Asynchronous Attacks and Subversive Threats:
           3.13.1 Cyber Attacks
           Table 3.6.2: Logical Access Controls - Network Access Control can be achieved through the following means.
May 18     Technical Exposures: Trojan Horse:
           3.10.2 Data Integrity Policies
           (iii) Issues and Revelations related to Logical Access - (d) Remote and distributed data processing applications can be controlled in many ways. Some of these are given as follows:

CHAPTER 4 – BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING


Exam Year  Questions Asked
May 19     Components of BCM Process
Nov 18     4.15 Alternate Processing Facility Arrangements - If a third-party site is to be used for backup and recovery purposes, security administrators must ensure that a contract is written to cover issues such as:
           4.12 BCM Training Process
May 18     4.11.1 BCM Testing - In case of Development of BCP, the objectives of performing BCP tests are to ensure that:
           Advantages and disadvantages of the Full Backup type
           4.11.3 Reviewing BCM Arrangements

CHAPTER 5 – ACQUISITION, DEVELOPMENT AND IMPLEMENTATION OF INFORMATION SYSTEMS


Exam Year  Questions Asked
May 19     System Acquisition - (c) Other Acquisition Aspects and Practices: (v) Methods of Validating the Proposal:
           (v) Systems Specification: Systems Requirement Specifications (SRS). A well-documented SRS contains the following sections:
           5.4.6 Agile Model - (a) Strengths:
Nov 18     5.5.5 System Development: Programming Techniques and Languages - Well-coded applications and programs should have the following characteristics:
           (ii) System Maintenance can be categorized in the following ways:
           5.2 Business Process Design involves a sequence of the steps described briefly below - (i) Present Process Documentation: (ii) Proposed Process Documentation: (iii) Implementation of New Process:
May 18     Different types of System Testing are as follows:
           (b) Acquiring Systems Components from Vendors: The following considerations are valid for acquisition of both hardware and software when a Request for Proposal (RFP) is called from vendors:
           5.5.8 Post Implementation Review and Systems Maintenance - Various evaluation methods in post-implementation review in respect of user satisfaction with the Information System include the following:

CHAPTER 6 – AUDITING OF INFORMATION SYSTEMS


Exam Year  Questions Asked
May 19     Effect of Computers on Audit - Changes to Evidence Collection
           Advantages and Disadvantages of Continuous Auditing - Disadvantages of Continuous Audit
           Understanding the Layers and Related Audit Issues - Tactical Layer of the Application Security Layer:
           Categories of Information Systems Audits
           6.7.5 Quality Assurance Management Controls
Nov 18     6.6.1 Role of IS Auditor in Physical Access Controls
           6.5.1 Inherent Limitations of Audit - Information Systems (IS) Audit
           6.2.1 Need for Audit of Information Systems - Factors influencing an organization toward controls and audit of computers
           6.4.2 Preliminary Review - (ii) Understanding the Technology: An important task for the auditor as a part of his preliminary evaluation is to gain a good understanding of the technology environment and related control issues.
           (iii) System Control Audit Review File (SCARF) - Auditors might use SCARF to collect the following types of information:
May 18     (c) Audit of Environmental Controls: Audit of environmental controls requires the IS auditor to conduct physical inspections and observe practices. The auditor should verify that:
           6.9.2 Understanding the Layers and Related Audit Issues - (i) Operational Layer: The operational layer audit issues include:
           Integrated Test Facility - Following are the ways through which an auditor may use Integrated Test Facility (ITF) as a continuous audit tool:
           6.3.4 Steps in Information System Audit

CHAPTER 7 – INFORMATION TECHNOLOGY REGULATORY ISSUES


Exam Year  Questions Asked
May 19     Define the following terms with reference to the Information Technology Act: (i) Electronic Form (ii) Information (iii) Key Pair
           Requirements of IRDA for System Controls & Audit - System Audit:
           [Section 76] Confiscation - Some key steps for ensuring compliance with cyber laws are given below:
Nov 18     Define the term Electronic Signature
           [Section 3A(2) of IT Act, 2000] Electronic Signature - (2) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if:
           The objectives of the Information Technology Act, 2000 are as follows:
May 18     A company may adopt ISO 27001 for the following reasons:
           [Section 43A] Compensation for failure to protect data
           [Section 44] Penalty for failure to furnish information, return, etc.

CHAPTER 8 – EMERGING TECHNOLOGIES


Exam Year  Questions Asked
May 19     Characteristics of Software as a Service (SaaS) are as follows:
Nov 18     8.6.1 Advantages of BYOD
           Advantages of Public Cloud
           Advantages of Private Clouds
           8.4.4 Benefits of Mobile Computing
May 18     Characteristics of Public Cloud
           Mobile Computing & Components of Mobile Computing