author | Christian Cleberg <hello@cleberg.net> | 2024-01-08 20:11:17 -0600 |
---|---|---|
committer | Christian Cleberg <hello@cleberg.net> | 2024-01-08 20:11:17 -0600 |
commit | 25945b8fead989cca09a23983623b63ce36dcc0c (patch) | |
tree | 0dfc869ce8b028e04ce9da196af08779780915ce /content/blog/2021-12-04-cisa.md | |
parent | 22b526be60bf4257c2a1d58a5fad59cf6b044375 (diff) | |
feat: total re-write from Emacs org-mode to Zola markdown
Diffstat (limited to 'content/blog/2021-12-04-cisa.md')
-rw-r--r-- | content/blog/2021-12-04-cisa.md | 214 |
1 files changed, 214 insertions, 0 deletions
diff --git a/content/blog/2021-12-04-cisa.md b/content/blog/2021-12-04-cisa.md new file mode 100644 index 0000000..42b9d79 --- /dev/null +++ b/content/blog/2021-12-04-cisa.md 
@@ -0,0 +1,214 @@ ++++ +date = 2021-12-04 +title = "I Passed the CISA!" +description = "A recap of the CISA certification exam and my results." ++++ + +## What is the CISA? + +For those of you lucky enough not to be knee-deep in the world of IT/IS +Auditing, [CISA](https://www.isaca.org/credentialing/cisa) stands for +Certified Information Systems Auditor. This certification and exam are +part of ISACA's suite of certifications. As I often explain it to +people like my family, it basically means you're employed to use your +knowledge of information systems, regulations, common threats, risks, +etc. in order to assess an organization's current control of their +risk. If a risk isn't controlled (and the company doesn't want to +accept the risk), an IS auditor will suggest implementing a control to +address that risk. + +Now, the CISA certification itself is, in my opinion, the main +certification for this career. While certifications such as the CPA or +CISSP are beneficial, nothing matches the power of the CISA for an IS +auditor when it comes to getting hired, getting a raise/bonus, or +earning respect in the field. + +However, to be honest, I am a skeptic of most certifications. I +understand the value they hold in terms of how much you need to commit +to studying or learning on the job, as well as the market value for +certifications such as the CISA. But I also have known some very +~~incompetent~~ *less than stellar* auditors who have CPAs, CISAs, CIAs, +etc. + +The same goes for most industries: if a person is good at studying, they +can earn the certification. However, that knowledge means nothing unless +you're actually able to use it in real life and perform as expected of +a certification holder. The challenge comes when people are hired or +connected strictly because of their certifications or resume; you need +to see a person work before you can assume them having a CISA means +they're better than someone without the CISA. + +Okay, rant over. 
Certifications are generally accepted as a measuring +stick of commitment and quality of an employee, so I am accepting it +too. + +## Exam Content + +The CISA is broken down into five sections, each weighted with a +percentage of test questions that may appear. + + + +Since the exam contains 150 questions, here's how those sections break +down: + + Exam Section Percentage of Exam Questions + ----------------- -------------------- ----------- + 1 21% 32 + 2 17% 26 + 3 12% 18 + 4 23% 34 + 5 27% 40 + **Grand Total** **100%** **150** + +## My Studying Habits + +This part is a little hard for me to break down into specific detail due +to the craziness of the last year. While I officially purchased my +studying materials in December 2020 and opened them to "start +studying" in January 2021, I really wasn't able to study much due to +the demands of my job and personal life. + +Let me approach this from a few different viewpoints. + +### Study Materials + +Let's start by discussing the study materials I purchased. I'll be +referring to #1 as the CRM and #2 as the QAE. + +1. [CISA Review Manual, 27th Edition \| + Print](https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCbEAK) +2. [[<https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCcEAK>][CISA + Review Questions, Answers & Explanations Manual, 12th Edition \| + Print]] + +The CRM is an excellent source of information and could honestly be used +as a reference for most IS auditors as a learning reference during their +daily audit responsibilities. However, it is **full** of information and +can be overloading if you're not good at filtering out useless +information while studying. + +The QAE is the real star of the show here. This book contains 1000 +questions, separated by exam section, and a practice exam. 
My only +complaint about the QAE is that each question is immediately followed +with the correct answer and explanations below it, which means I had to +use something to constantly cover the answers while I was studying. + +I didn't use the online database version of the QAE, but I've heard +that it's easier to use than the printed book. However, it is more +expensive (\$299 database vs \$129 book) which might be important if +you're paying for materials yourself. + +In terms of question difficulty, I felt that the QAE was a good +representation of the actual exam. I've seen a lot of people online say +it wasn't accurate to the exam or that it was much easier/harder, but I +disagree with all of those. The exam was fairly similar to the QAE, just +focusing on whichever topics they chose for my version of the exam. + +If you understand the concepts, skim the CRM (and read in-depth on +topics you struggle with), and use the QAE to continue practicing +exam-like questions, you should be fine. I didn't use any online +courses, videos, etc. - the ISACA materials are more than enough. + +### Studying Process + +While I was able to briefly read through sections 1 and 2 in early 2021, +I had to stop and take a break from February/March to September. I +switched jobs in September, which allowed me a lot more free time to +study. + +In September, I studied sections 3-5, took notes, and did a quick review +of the section topics. Once I felt comfortable with my notes, I took a +practice exam from the QAE manual and scored 70% (105/150). + +Here's a breakdown of my initial practice exam: + + Exam Section Incorrect Correct Grand Total Percent + ----------------- ----------- --------- ------------- --------- + 1 8 25 33 76% + 2 5 20 25 80% + 3 6 12 18 67% + 4 10 23 33 70% + 5 16 25 41 61% + **Grand Total** **45** **105** **150** **70%** + +As I expected, my toughest sections were related to project management, +development, implementation, and security. 
+ +This just leaves October and November. For these months, I tried to +practice every few days, doing 10 questions for each section, until the +exam. This came out to 13 practice sessions, \~140 questions per +section, and \~700 questions total. + +While some practice sessions were worse and some were better, the final +results were similar to my practice exam results. As you can see below, +my averages were slightly worse than my practice exam. However, I got in +over 700 questions of practice and, most importantly, \*I read through +the explanations every time I answered incorrectly and learned from my +mistakes\*. + + Exam Section Incorrect Correct Grand Total Percent + ----------------- ----------- --------- ------------- --------- + 1 33 108 141 77% + 2 33 109 142 77% + 3 55 89 144 62% + 4 52 88 140 63% + 5 55 85 140 61% + **Grand Total** **228** **479** **707** **68%** + + + +## Results + +Now, how do the practice scores reflect my actual results? After all, +it's hard to tell how good a practice regimen is unless you see how it +turns out. + + Exam Section Section Name Score + -------------- ------------------------------------------------------------------ --------- + 1 Information Systems Auditing Process 678 + 2 Governance and Management of IT 590 + 3 Information Systems Acquisition, Development, and Implementation 721 + 4 Information Systems Operations and Business Resilience 643 + 5 Protection of Information Assets 511 + **TOTAL** **616** + +Now, in order to pass the CISA, you need at least 450 on a sliding scale +of 200-800. Personally, I really have no clue what an average CISA score +is. After a *very* brief look online, I can see that the high end is +usually in the low 700s. In addition, only about 50-60% of people pass +the exam. + +Given this information, I feel great about my scores. 616 may not be +phenomenal, and I wish I had done better on sections 2 & 5, but my +practicing seems to have worked very well overall. 
+ +However, the practice results do not conform to the actual results. +Section 2 was one of my highest practice sections and was my +second-lowest score in the exam. Conversely, section 3 was my +second-lowest practice section and turned out to be my highest actual +score! + +After reflecting, it is obvious that if you have any background on the +CISA topics at all, the most important part of studying is doing +practice questions. You really need to understand how to read the +questions critically and pick the best answer. + +## Looking Forward + +I am extremely happy that I was finally able to pass the CISA. Looking +to the future, I'm not sure what's next in terms of professional +learning. My current company offers internal learning courses, so I will +most likely focus on that if I need to gain more knowledge in certain +areas. + +To be fair, even if you pass the CISA, it's hard to become an expert on +any specific topic found within. My career may take me in a different +direction, and I might need to focus more on security or networking +certifications (or possibly building a better analysis/visualization +portfolio if I want to go into data analysis/science). + +All I know is that I am content at the moment and extremely proud of my +accomplishment. |
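Review bot: The second entry in the Study Materials list was not converted from org-mode and will not render as a link in markdown: `2. [[<https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCcEAK>][CISA Review Questions, Answers & Explanations Manual, 12th Edition \| Print]]` should use the same `[text](url)` form as the first entry, i.e. `2. [CISA Review Questions, Answers & Explanations Manual, 12th Edition \| Print](https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCcEAK)`. The four tables are pandoc-style simple tables (header underlined with runs of dashes), which Zola's CommonMark parser does not recognise, so they will come out as preformatted text; rewrite them as pipe tables with a `| --- | --- | --- |` separator row, and give the first table's third column a header (it currently reads "Exam Section Percentage of Exam Questions" with no label for the question-count column). Two smaller conversion leftovers in the same hunk: the three consecutive blank lines after the "weighted with a percentage of test questions that may appear." paragraph look like a dropped org block or image, and the `\*I read through the explanations ... mistakes\*` sentence escapes its emphasis markers, so it renders with literal asterisks rather than the intended emphasis.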