6.1 Protection of Information Assets Overview
Key Takeaways
- Domain 5 is one of the two largest CISA domains, weighted at 26% of the scored exam (the same weight as Domain 4).
- The domain splits into Part A (Information Asset Security and Control) and Part B (Security Event Management).
- Every control is judged against the CIA triad: confidentiality, integrity, and availability.
- Controls are evaluated as preventive, detective, or corrective and as administrative, technical, or physical.
- The auditor's job is assurance over policy, standards, procedures, and the controls that enforce them.
What Domain 5 Covers
Protection of Information Assets is one of the two largest CISA domains, weighted at 26% of the scored exam (equal with Domain 4, IS Operations and Business Resilience). ISACA splits it into two parts: Part A — Information Asset Security and Control (governance, frameworks, privacy, physical and environmental controls, identity and access management, network and endpoint security, data classification, cryptography, web and mobile security) and Part B — Security Event Management (security awareness, information system attack methods, security testing, monitoring tools, incident response, and digital forensics).
The domain's organizing idea is assurance: an IS auditor evaluates whether the organization's security policies, standards, procedures, and controls adequately protect the confidentiality, integrity, and availability (CIA) of information assets. You are not asked to be the security engineer who builds the firewall rule; you are asked whether the right control exists, operates effectively, and is supported by evidence.
The CIA triad as a scoring lens
Every Domain 5 control maps to one or more CIA objectives. When a stem describes a problem, name which leg of the triad is threatened first — that usually points at the control.
| CIA objective | Definition | Representative controls |
|---|---|---|
| Confidentiality | Information is disclosed only to authorized parties | Encryption, access control, data classification, DLP |
| Integrity | Information is accurate and not improperly altered | Hashing, digital signatures, change control, input validation |
| Availability | Information and systems are accessible when needed | Redundancy, backups, DDoS protection, capacity management |
Classifying Controls the CISA Way
CISA expects you to classify any control along two axes. First by timing relative to an event: a preventive control stops an incident (access control lists, encryption, segregation of duties); a detective control identifies that one occurred (intrusion detection systems, audit logs, SIEM alerts, reconciliations); a corrective control restores normal operation after the fact (backups, incident response, BCP failover). A few questions test deterrent (warning banners, visible cameras) and compensating controls (a stand-in when the preferred control is impractical).
Second by nature: administrative/managerial (policies, training, background checks), technical/logical (passwords, firewalls, encryption), and physical (locks, guards, mantraps). The strongest answer almost always layers all three — defense in depth — rather than relying on a single control.
Governance and frameworks
Security governance sets the tone. The auditor confirms that an information security policy exists, is approved by senior management or the board, is communicated, and is reviewed periodically. Below the policy sit standards (mandatory, e.g., minimum password length), procedures (step-by-step), and guidelines (recommended). Common frameworks tested as context include ISO/IEC 27001/27002 (ISMS requirements and controls), the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover; CSF 2.0 adds Govern as a sixth function), and ISACA's own COBIT for control objectives.
What the questions reward
Domain 5 stems are heavily applied. A typical item gives you a finding and asks for the auditor's primary concern, the most effective control, or the best recommendation. The winning answer is usually the one that (1) addresses the root cause rather than a symptom, (2) is preventive where prevention is feasible, and (3) preserves an audit trail. Watch for distractors that are technically real controls but solve the wrong CIA objective — for example, offering a backup (availability/integrity) when the stem describes a confidentiality breach.
The Auditor's Mandate and Evidence
Domain 5 is examined from the auditor's seat, not the engineer's. Your deliverable is assurance: confirming that controls are designed appropriately and operating effectively over the audit period. That distinction drives the evidence you seek. To test design, you read the policy, the configuration standard, and the access matrix. To test operating effectiveness, you sample real activity — log entries, access-review sign-offs, change tickets, and exception reports — because a control that exists on paper but is never executed provides no assurance.
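The two ideas above, a detective control (the nightly reconciliation used as an example under "Classifying Controls the CISA Way") and the auditor's separate test of whether that control actually operated across the period, are easy to conflate. The following Python is an added example written for this page, not ISACA material or code from any audited system. The ledger, transaction log, and control run log are constructed sample data; the function names `reconcile` and `assess_operating_effectiveness` are hypothetical. The first function is the control; the second is the auditor's evidence test over the period, which is what gives (or withholds) assurance.

```python
from datetime import date, timedelta

# Constructed sample data (not from any real system): the source-of-record
# ledger and the transaction log the application wrote for the same day.
SOURCE_RECORDS = {
    "TX1001": 250.00,
    "TX1002": 99.95,
    "TX1003": 1200.00,
    "TX1004": 45.10,
}
TRANSACTION_LOG = {
    "TX1001": 250.00,
    "TX1002": 99.95,
    "TX1003": 1250.00,   # amount differs from source: integrity problem
    "TX1005": 10.00,     # in the log but not in the source: unexplained entry
}                        # TX1004 is missing from the log entirely


def reconcile(source, log):
    """Detective control: compare a transaction log against source records.

    Returns a sorted list of (transaction_id, finding) tuples; an empty list
    means the two agree. It identifies a problem after the fact rather than
    stopping it, which is why CISA classifies reconciliation as detective.
    """
    findings = []
    for tx_id, amount in source.items():
        if tx_id not in log:
            findings.append((tx_id, "missing from log"))
        elif log[tx_id] != amount:
            findings.append((tx_id, f"amount mismatch: source={amount} log={log[tx_id]}"))
    for tx_id in log:
        if tx_id not in source:
            findings.append((tx_id, "in log but not in source"))
    return sorted(findings)


# Constructed sample evidence for the auditor: one completion record per night
# the reconciliation job ran, with findings raised and findings closed.
# Two nights in the period have no record at all.
RUN_LOG = [
    # (run_date, findings_raised, findings_closed)
    (date(2024, 3, 1), 0, 0),
    (date(2024, 3, 2), 2, 2),
    (date(2024, 3, 3), 0, 0),
    # 2024-03-04: no record
    (date(2024, 3, 5), 1, 0),   # finding raised but never closed
    (date(2024, 3, 6), 0, 0),
    # 2024-03-07: no record
]


def assess_operating_effectiveness(run_log, period_start, period_end):
    """Auditor's test of operating effectiveness over the audit period.

    A night with no execution record gives no assurance for that date, and a
    finding that was raised but never closed means the detective control fired
    but no corrective follow-up is evidenced. Either condition is an exception
    for the auditor to report; the verdict is only 'effective' with neither.
    """
    expected = {period_start + timedelta(days=i)
                for i in range((period_end - period_start).days + 1)}
    ran_on = {run_date for run_date, _, _ in run_log}
    missed = sorted(expected - ran_on)
    unresolved = sorted(run_date for run_date, raised, closed in run_log
                        if raised > closed)
    coverage = len(ran_on & expected) / len(expected)
    return {
        "coverage": round(coverage, 3),
        "missed_dates": missed,
        "unresolved_exception_dates": unresolved,
        "effective": not missed and not unresolved,
    }


if __name__ == "__main__":
    for tx_id, finding in reconcile(SOURCE_RECORDS, TRANSACTION_LOG):
        print(f"{tx_id}: {finding}")
    print(assess_operating_effectiveness(RUN_LOG, date(2024, 3, 1), date(2024, 3, 7)))
```

Run as-is, the control reports three discrepancies (a changed amount, a missing record, and an unexplained extra record), and the auditor's test reports two nights with no execution evidence and one exception never closed, so it returns `effective: False` even though the control is well designed. That separation of design from operation is exactly the distinction the exam rewards.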
Inherent risk, residual risk, and control strength
The exam expects you to reason in risk terms. Inherent risk is the exposure before any control. Controls reduce it, leaving residual risk, which management must formally accept if it cannot be reduced further economically. A control is only worth its cost when the reduction in expected loss exceeds the cost to operate it; the auditor flags both over-controlled (wasteful) and under-controlled (exposed) conditions.
| Concept | Question the auditor asks |
|---|---|
| Control design | Would this control prevent or detect the risk if it worked as intended? |
| Operating effectiveness | Is there evidence the control actually ran during the period? |
| Residual risk | After controls, is the leftover risk formally accepted by management? |
| Control ownership | Is a named owner accountable for the control's performance? |
Reading a Domain 5 stem
A disciplined reading method prevents most misses: identify the asset and its classification, the threat in the scenario, the CIA objective at stake, the control already present or missing, and the best next action for the auditor. When two answers survive, apply the same three tests as above: root cause over symptom, preventive where feasible, and an audit trail a future reviewer could follow. Familiar-sounding answers that ignore the specific cue in the stem are almost always distractors.
Three representative stems (answer options omitted) show the range of the domain:
- An IS auditor reviewing a data center notices the organization relies solely on a network firewall to protect a critical application. What is the auditor's BEST recommendation?
- A reconciliation that compares transaction logs to source records each night is BEST classified as which type of control?
- Which of the following is the PRIMARY purpose of data classification?