How I Passed My CISA Exam
The company I work for has been sold. Most of the technology associates expect to lose our jobs in the upcoming months. Fortunately, the companies are offering a generous severance package. As the days counted down towards business close, we were also offered in-house professional training on a variety of subjects, many of which included vouchers for certification tests. Due to low demand, CISA training was not available for in-house training but the company offered to pay for independent study classes. The company would reimburse us for the certification exam if we passed. I took several of the instructor-led classes and was approved for an independent study class for the CISA.
CISA Training Classes
I selected the CISA class from Alan Keele at www.certifiedinfosec.com. The class is a self-paced 180 day subscription at a cost of $449.95. He does offer a free trial lesson consisting of a pre-assessment test, training class, and a post-assessment test. I found the trial was a good representation of the general courseware. Keele’s training consists of assessment tests and narrated slides. One of the nice things about the class is the instructor is available to answer questions via phone or email. The instructor promptly answered emails, and promptly responded to a voice-mail I left.
The class is broken down into the five CISA domains plus an extra series of lessons for “Consolidated Business Continuity and Disaster Recovery Topics”. Each domain consists of multiple lessons, each with assessment tests and a final assessment test for each domain. The class offers four final exams consisting of 150 questions each (As of this writing, the CISA exam is 150 questions). You can take the assessment tests more than once, but the order of the test questions will vary each time you take the test. The final exams are random questions from a pool – each time you take the final exam you will get different questions in a different order. The recommended passing score is 95%. I passed all my assessment tests with 95%+ but did need to take a few more than once. My final exam scores ranged from 85-93%.
The material seemed to be geared towards helping the student answer test questions. The slides are narrated and consist mostly of a bunch of test answers without the questions. When I spoke with Keele on the phone, he told me that was the strategy for helping students pass the exam. Since the exam is multiple choice, if the student could recognize the answers, the student will be able to recognize the answer even if the questions were unfamiliar. The CISA test is multiple choice – only one correct answer per question. The assessment questions from the class are in multiple formats including multiple choice, true-false, matching, and “select all that apply” (multiple answers for a question). Although not all class questions are multiple choice, the instructor told me his question/answer format is an easy way of combining multiple questions into one.
After the student answers an exam question, the instructor would provide text and narrated answers. In most cases, the instructor read the correct response, but did not provide much of an explanation. In some cases, the instructor would point out questions and answers that were plain silly and that ISACA’s answer is not always the same as the way an experienced professional would answer. I noticed this when I took the test and I’ve heard the same thing from other people who have taken the exam.
The wording on the narration and slides was quite formal. This format was useful for some of the test questions but not helpful for a true understanding of the material. I found myself going to YouTube to get a better understanding. In my search, I found a series of short lessons from Hemang Doshi. Doshi has a very thick accent and my first inclination was to stop watching and look for another video. I decided to watch his video and found his video very helpful for an understanding of the material. Doshi’s videos do an excellent job of explaining the concepts in very simple terms. He uses a keyword approach – “if you see this keyword”, then “look for this answer”. Doshi’s videos are simple – a question, keyword, answer approach compared to Keele’s formal approach. I found both classes together to be instrumental in my passing of the exam. I did find the practice tests and material from the two to be very similar, but the approach used in the lessons was quite different.
Doshi has quite a few videos, here is a nice sample of several of his videos:
Doshi also has a mostly free site. The site consists of videos, flash cards, study material with assessment test for each domain, and a final 150 question test covering all domains. The site also has a “30 day strategy for CISA Success”. The 30 day strategy is a series of 10-20 questions to be taken one test per day over a period of 30 days. He asks for $30 for the “30 Day Strategy” to be paid upon passing the exam. No credit card or registration is required to take the lessons. Just pay after you pass the exam. I opted for this training, but in hindsight the site offers so many practice tests, it probably wasn’t really necessary to take the 30 day strategy. Since I did use the material and passed my CISA, I did pay the $30 upon receiving my score.
WARNING, WARNING, WARNING, WARNING
The site is supported by pop-up ads and I received virus warnings when some of the ads displayed. The site itself seems to be fine but the pop-ups may not be. My recommendation is to have a good virus checker and close the pop-ups before they have a chance to populate. I would have recommended a pop-up blocker but the practice tests don’t work properly with a pop-up blocker on.
WARNING – Be careful when going to the site. I’m not going to provide a link but will tell you where it is. BE CAREFUL (I am providing the website because the information IS very helpful):
My total study time for the exam was about 1-3 hours per day over seven weeks. Although I did not use any of the ISACA study manuals or test dumps, after taking the exams, hindsight tells me they may have been helpful.
ISACA also has abbreviated assessment tests on their website which are free. I didn’t take those either but I think I probably should have. I used mostly Keele’s paid training and Doshi’s mostly-free website. There are other sites that offer practice exams. Here are a couple I looked at but didn’t do much with. Use at your own risk:
I also used Peter H Gregory’s All-in-One CISA Exam Guide for supplemental study. The book has practice exams on CD but I spent so much time on Keele’s and Doshi’s tests, I never got to try the exams included with the book.
Passing the CISA Exam
The CISA tests are offered May-June, August-September, and November-December. Previously, the tests were paper tests only given three days per year. The new tests are now online at testing centers and can be scheduled any workday over the three two-month testing windows. If you fail to schedule your exam during the sign-up period, you will need to wait for the next window.
Scheduling and paying for the test are done through the ISACA web site – www.isaca.org. You can pay for the exam without membership or you can become a member and receive a discount for the exam fee. Either way the total cost is about the same. I opted for membership because if I failed the exam, I could get a discount on my second try. Membership also has its advantages such as discounts on training materials and access to free continuing education classes. When you sign up for membership, your membership immediately becomes active, so you can get a discounted test immediately after you sign up for membership. Note that all ISACA memberships run from January through December. Membership is not prorated but I did get a 50% discount off the International dues when I signed up in June (no discount on the local dues).
Exams are scheduled in advance. Pay attention to the sign-up and testing windows. If you sign up early you can get a discount off the exam fee. If you wait too long, you may need to wait until the next testing window. I signed up in mid-June for a June 29 testing date. Many cities have multiple testing centers, each with its own schedule of available test start times. When I signed up, not all testing times were available at all the centers. My first-choice location and testing time was not available. Fortunately, there were several other reasonable alternatives available. ISACA does provide a link to the testing centers’ times and locations so you can see what’s available before you sign up for the exam. Paying for the exam and selecting the time/location are separate processes. You sign up and pay for the exam, THEN you select your exam time and location. Before you pay for the exam, make sure there is an open location and time slot that meets your needs.
Before I drove to the testing center, I walked my dog to get my daily exercise. I allowed plenty of time to reach the exam center. When I arrived, I drank a little water and grabbed a quick bite. Didn’t want to be dehydrated or have low blood sugar. When I signed in, they asked for identification and for me to remove my watch and empty my pockets. They provided a small locker to keep my stuff and reminded me to turn my phone off or keep it in silent mode. They took me to a small cubicle and handed me a couple of sheets of blank scratch paper and a pencil (I didn’t need them). There was a short instructional video that explained how to take the test. Once I acknowledged I understood the video, the test and four-hour clock started. 150 multiple choice questions with four selections for each question. Only one correct answer per question. The process itself was pretty intuitive. Click on the bubble next to the correct answer then click the “Answer” button. You can change answers any time during the test until you signify you are finished. You can also flag questions for further review. Doing so will display a “flag” above the test question number.
A very common piece of test-taking advice for multiple-choice tests is “two choices can be readily eliminated”. Although I find this is rarely true in practice, it was true for most of the CISA exam questions. For most questions, I found choosing from the remaining two choices was quite difficult. This was compounded by the fact that many questions were poorly worded. Being a techie at heart, I found many of the questions to be quite technical and the choice was often between two “correct” answers. The test taker needs to know the answer ISACA wants.
I spent quite a bit of time preparing for the exam, and got decent scores on my practice tests. I was confident going into the exam. Then I discovered most of the real exam questions were not ones I studied for. I recognized only a dozen or so questions. Fortunately, there was enough time for me to go through the exam twice. The second time through, I changed a dozen or so responses. Test-taking advice often says “your first response is usually correct - don’t change your answers”. I did anyway. On some questions, I was quite confident in my new answer. On others, not so much.
When I finished my second pass, there was more than 30 minutes left on the clock. I was really worried. The questions on the test were not the ones I studied for. The exam asked me if I wanted to take a survey but warned me I wouldn’t be able to go back and change my answers. I took the survey. Then I got a preliminary score. The results were a little hard to find in all the text that followed the survey but it did tell me my preliminary assessment was a PASS but it didn’t give any scores. It said ISACA will review my test and provide me with the final result within 10 days. There was no printout I could show anyone. I clicked “Finish” and it asked me for a password to sign out. I informed the proctor, they did their stuff. I was relieved the test was over and my preliminary result was a pass.
I think I passed the exam because as I was taking the classes and answering practice questions, I found myself thinking the “ISACA way” about auditing. Other websites will tell you the same thing – “to pass the test, you need to think like an auditor”. Part of “thinking like an auditor” is to know the answer theme ISACA expects:
- An auditor reports, recommends, or ensures. An auditor rarely takes action to correct a situation.
- If an auditor discovers a control issue, the auditor will normally look for compensating controls before reporting. If something isn’t the way it should be, that’s not necessarily reportable if controls are in place to compensate for the irregularity.
- IT drives and supports the business, not the other way around.
- Know which level within the organization is responsible for what. Depending on the question, the answer could be the Board of Directors, Senior Management, user management, project management, project sponsor, data owners, systems administration.
Upon arriving home, I started to wonder when I would get my “official” results. When the results didn’t immediately arrive, anxiety set in. Did they lose my results? Was my “official” score a fail? On a Sunday, exactly ten calendar days after taking the exam, I got an email with my official scores. It gave me an overall “scaled” score and a sub-score for each of the testing domains. I had “officially” passed the CISA exam.
Passing the exam is not enough to get your CISA. There is an application process. Two to five years of work experience is required and needs to be verified, preferably by a supervisor. ISACA’s website says CISA applications can take up to eight weeks to process. I applied for my CISA on Monday and was expecting a long wait. I was pleasantly surprised when I received an email on Friday notifying me my CISA was awarded.
The email also notified me that I will be receiving an “Open Badge” from Acclaim. This is a logo and a site that verifies your credential. I received the Open Badge information the next day.