The second round of CISA examination is around the corner and from my personal experience I know that this is the time when aspirants are on the hunt for good material and tips.
Given the value that CISA Certification holds, I would like to share my experience (as much as I can without violating the NDA) . I hope that those of you who are currently preparing for it or wish to pursue it in future may find something to take away from this article. For the benefit of the readers who have just started their careers in or are planning to enter the Information Systems Audit field I’ll start with a brief introduction of the Certification.
Editorial Note: Revised as per ISACA’s announcment regarding CISA Exam Update.
About the CISA Certification
Certified Information Systems Auditor (CISA), conducted by Information Systems Audit and Control Association (ISACA), is a must have for those who are in the field of Information Systems Auditing. It helps professionals from various segments like Information Security, CAs, Internal Auditors etc. to enhance their skills and gain an advantage over their peers. You can learn more about the certification from here.
What does it cover?
Note: Figures in red are effective beginning with the June 2016 CISA exam
Curriculum for CISA is divided into following five job practices:
- Domain 1—The Process of Auditing Information Systems (14%) (21%)
- Domain 2—Governance and Management of IT (14%) (16%)
- Domain 3—Information Systems Acquisition, Development and Implementation (19%) (18%)
- Domain 4—Information Systems Operations, Maintenance and Support (23%) (20%)
- Domain 5—Protection of Information Assets (30%) (25%)
The numbers in brackets indicate the weight-age given to each domain in the exam. The domains are further represented in terms of knowledge statements. While it’s important to understand the knowledge statements and the objective they serve, one doesn’t need to mug them.
How to prepare for the exam?
The only thing you need to pass the exam is ISACA’s CISA Review Manual (CRM). It’s around 430 pages priced at $105 (INR 6,615) for members and $135 (INR 8,505) for non-members. Compliment this with ISACA’s CISA Question Database for effective learning. It is essential to have a good understanding of concepts in order to clear the exam, mugging up won’t help. Though these two resources should be sufficient but candidates can also refer to following books and videos:
1. CISA All-in-One Exam Guide by Peter Gregory – It’s easy to read and understand but it’s not as extensive as CISA Review Manual. A good resource from knowledge perspective but must not be relied as a sole resource.
2. CISA Certified Information Systems Auditor Training (Career Academy) – If you’re facing difficulties in going through CISA Review Manual (it can be a bit dry), use this instructor led training as a companion. Topics are covered in order of CRM and explanation is good.
3. CISA CBT Nuggets by Steve Caseley – This version of nuggets has been updated as per CRM 2015. It’s a great resource for revision purpose. The explanation of concepts is crisp and clear. However, this shouldn’t be relied on as the primary or the only resource for preparation.
Once you’re through CRM, start with the question database and keep practicing until you consistently get a score of above 90%. In addition to Question db, ISACA also provides a free self-assessment test containing 50 questions. This test will help candidates in gauging the level and type of questions asked in CISA examination.
What’s the exam like?
CISA is a paper based examination. 200 questions need to be answered in a duration of 4 hours. ISACA uses a 200-800 point scale with 450 as the passing mark for the exam. A scaled score is a conversion of the raw score on an exam to a common scale. Candidates won’t find any questions from CRM or question db. Questions are application based, therefore, candidates need to make sure that they are clear with the concepts.
The exam fee may vary from $440 (INR 27,720) to $750 (INR 47,250) based on whether or not you’re an ISACA member. You can start the exam registration process from here. Same goes with the cost of exam preparation material. Candidates can opt for ISACA Memebership prior to taking the exam. ISACA has ton loads of wonderful materials, all free to members. In the unfortunate event of failing the exam, you need to pay the exam fee again to retake it. You can read more about the examination process here.
Once you’ve given the CISA examination, you’ll have to wait for 5 weeks to know the results. I didn’t mind the wait except at the end of the fifth week.
What’s next after clearing the exam?
- 5 years of professional experience in at least two of the five domains
- Adherence to the ISACA Code of Professional Ethics
- Comply with the CISA Continuing Professional Education (CPE) Policy
Once you’ve cleared the exam, ISACA requires you to fill a CISA Application for Certification. In this application you’ll need to list at least five years of cumulative work experience in at least three CISA domains. Candidates who do not meet the experience requirements have five years, from the date of clearing the exam, to gain the relevant experience. You can read more about the certification process here.
In order to maintain the certification certification holders must earn and submit certain number of CPE points annually and every three years. In addition to CPEs, Annual Maintenance Fees also needs to paid annually. Learn more about the credential maintenance requirements here.
If I have left out anything or if readers have any additional queries please leave them in the comments below. Please note that questions regarding sharing and distribution of pre-owned material will not be entertained as it amounts to piracy.
Uday Mittal is a cybersecurity professional with rich working experience working with various industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM, CRISC among others. He speaks on cybersecurity awareness, offensive security research etc. and has authored various articles on topics related to cyber security and software development for a leading magazine on open source software.