This content helps identify key issues and propose tailored practices to strengthen and protect the governance of information and the technologies that support it.
It covers how to ensure that new IT systems and business processes are built or acquired in ways that align with the organisation's strategic objectives and security requirements. The focus shifts away from day-to-day operations and onto the project lifecycle.
This domain requires an auditor to evaluate project governance, the rigour of the System Development Life Cycle (SDLC), and the effectiveness of the controls designed during the development phase. By focusing on areas such as feasibility studies, testing, and post-implementation reviews, Domain 3 ensures that when a company rolls out a new system, it is reliable and secure, delivers the expected value to the business, and does not introduce unmanaged risks.
Information asset security has evolved from a static, perimeter-based approach to a more adaptive model shaped by identity-focused architectures, cloud dependencies, software supply-chain risks, artificial intelligence, and post-quantum threats. From an audit standpoint, Part A now goes beyond merely checking that policies, firewalls, encryption, and access controls exist. The key question has shifted to whether these controls are designed and operated effectively enough to withstand modern attack methods. The IS auditor therefore assesses not just the presence of controls but also their relevance, their resilience, and their alignment with the organisation's risk appetite.