Diffstat (limited to 'blog/2021-12-04-cisa.org')
-rw-r--r-- | blog/2021-12-04-cisa.org | 391 |
1 files changed, 209 insertions, 182 deletions
diff --git a/blog/2021-12-04-cisa.org b/blog/2021-12-04-cisa.org index e67127f..7b70b80 100644 --- a/blog/2021-12-04-cisa.org +++ b/blog/2021-12-04-cisa.org 
@@ -1,197 +1,224 @@ -+++ -date = 2021-12-04 -title = "I Passed the CISA!" -description = "After nearly a year of on-and-off studying, I passed the CISA exam by ISACA." -draft = false -+++ - -## What is the CISA? +#+title: I Passed the CISA! +#+date: 2021-12-04 +** What is the CISA? +:PROPERTIES: +:CUSTOM_ID: what-is-the-cisa +:END: For those of you lucky enough not to be knee-deep in the world of IT/IS -Auditing, [CISA](https://www.isaca.org/credentialing/cisa) stands for Certified -Information Systems Auditor. This certification and exam are part of ISACA's -suite of certifications. As I often explain it to people like my family, it -basically means you're employed to use your knowledge of information systems, -regulations, common threats, risks, etc. in order to assess an organization's -current control of their risk. If a risk isn't controlled (and the company -doesn't want to accept the risk), an IS auditor will suggest implementing a -control to address that risk. - -Now, the CISA certification itself is, in my opinion, the main certification for -this career. While certifications such as the CPA or CISSP are beneficial, -nothing matches the power of the CISA for an IS auditor when it comes to getting -hired, getting a raise/bonus, or earning respect in the field. - -However, to be honest, I am a skeptic of most certifications. I understand the -value they hold in terms of how much you need to commit to studying or learning -on the job, as well as the market value for certifications such as the CISA. -But I also have known some very ~~incompetent~~ _less than stellar_ auditors -who have CPAs, CISAs, CIAs, etc. - -The same goes for most industries: if a person is good at studying, they can -earn the certification. However, that knowledge means nothing unless you're -actually able to use it in real life and perform as expected of a certification -holder. 
The challenge comes when people are hired or connected strictly because -of their certifications or resume; you need to see a person work before you can -assume them having a CISA means they're better than someone without the CISA. - -Okay, rant over. Certifications are generally accepted as a measuring stick of -commitment and quality of an employee, so I am accepting it too. - -## Exam Content - -The CISA is broken down into five sections, each weighted with a percentage of -test questions that may appear. - - - -Since the exam contains 150 questions, here's how those sections break down: - -| Exam Section | Percentage of Exam | Questions | -|:---------------:|:------------------:|:---------:| -| 1 | 21% | 32 | -| 2 | 17% | 26 | -| 3 | 12% | 18 | -| 4 | 23% | 34 | -| 5 | 27% | 40 | -| **Grand Total** | **100%** | **150** | - -## My Studying Habits - -This part is a little hard for me to break down into specific detail due to the -craziness of the last year. While I officially purchased my studying materials -in December 2020 and opened them to "start studying" in January 2021, I really -wasn't able to study much due to the demands of my job and personal life. +Auditing, [[https://www.isaca.org/credentialing/cisa][CISA]] stands for +Certified Information Systems Auditor. This certification and exam are +part of ISACA's suite of certifications. As I often explain it to people +like my family, it basically means you're employed to use your knowledge +of information systems, regulations, common threats, risks, etc. in +order to assess an organization's current control of their risk. If a +risk isn't controlled (and the company doesn't want to accept the risk), +an IS auditor will suggest implementing a control to address that risk. + +Now, the CISA certification itself is, in my opinion, the main +certification for this career. 
While certifications such as the CPA or +CISSP are beneficial, nothing matches the power of the CISA for an IS +auditor when it comes to getting hired, getting a raise/bonus, or +earning respect in the field. + +However, to be honest, I am a skeptic of most certifications. I +understand the value they hold in terms of how much you need to commit +to studying or learning on the job, as well as the market value for +certifications such as the CISA. But I also have known some very ++incompetent+ /less than stellar/ auditors who have CPAs, CISAs, CIAs, +etc. + +The same goes for most industries: if a person is good at studying, they +can earn the certification. However, that knowledge means nothing unless +you're actually able to use it in real life and perform as expected of a +certification holder. The challenge comes when people are hired or +connected strictly because of their certifications or resume; you need +to see a person work before you can assume them having a CISA means +they're better than someone without the CISA. + +Okay, rant over. Certifications are generally accepted as a measuring +stick of commitment and quality of an employee, so I am accepting it +too. + +** Exam Content +:PROPERTIES: +:CUSTOM_ID: exam-content +:END: +The CISA is broken down into five sections, each weighted with a +percentage of test questions that may appear. + +#+caption: CISA exam sections +[[https://img.cleberg.net/blog/20211204-i-passed-the-cisa/cisa-exam-sections.png]] + +Since the exam contains 150 questions, here's how those sections break +down: + +| Exam Section | Percentage of Exam | Questions | +|---------------+--------------------+-----------| +| 1 | 21% | 32 | +| 2 | 17% | 26 | +| 3 | 12% | 18 | +| 4 | 23% | 34 | +| 5 | 27% | 40 | +| *Grand Total* | *100%* | *150* | + +** My Studying Habits +:PROPERTIES: +:CUSTOM_ID: my-studying-habits +:END: +This part is a little hard for me to break down into specific detail due +to the craziness of the last year. 
While I officially purchased my +studying materials in December 2020 and opened them to "start studying" +in January 2021, I really wasn't able to study much due to the demands +of my job and personal life. Let me approach this from a few different viewpoints. -### Study Materials - -Let's start by discussing the study materials I purchased. I'll be referring to -#1 as the CRM and #2 as the QAE. - -1. [CISA Review Manual, 27th Edition | Print](https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCbEAK) -2. [CISA Review Questions, Answers & Explanations Manual, 12th Edition | Print](https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCcEAK) - -The CRM is an excellent source of information and could honestly be used as a -reference for most IS auditors as a learning reference during their daily audit -responsibilities. However, it is **full** of information and can be overloading -if you're not good at filtering out useless information while studying. - -The QAE is the real star of the show here. This book contains 1000 questions, -separated by exam section, and a practice exam. My only complaint about the QAE -is that each question is immediately followed with the correct answer and -explanations below it, which means I had to use something to constantly cover -the answers while I was studying. - -I didn't use the online database version of the QAE, but I've heard that it's -easier to use than the printed book. However, it is more expensive ($299 -database vs $129 book) which might be important if you're paying for materials -yourself. - -In terms of question difficulty, I felt that the QAE was a good representation -of the actual exam. I've seen a lot of people online say it wasn't accurate to -the exam or that it was much easier/harder, but I disagree with all of those. -The exam was fairly similar to the QAE, just focusing on whichever topics they -chose for my version of the exam. 
- -If you understand the concepts, skim the CRM (and read in-depth on topics you -struggle with), and use the QAE to continue practicing exam-like questions, you -should be fine. I didn't use any online courses, videos, etc. - the ISACA -materials are more than enough. - -### Studying Process - -While I was able to briefly read through sections 1 and 2 in early 2021, I had -to stop and take a break from February/March to September. -I switched jobs in September, which allowed me a lot more free time to study. - -In September, I studied sections 3-5, took notes, and did a quick review of the -section topics. Once I felt comfortable with my notes, I took a practice exam -from the QAE manual and scored 70% (105/150). +*** Study Materials +:PROPERTIES: +:CUSTOM_ID: study-materials +:END: +Let's start by discussing the study materials I purchased. I'll be +referring to #1 as the CRM and #2 as the QAE. + +1. [[https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCbEAK][CISA + Review Manual, 27th Edition | Print]] +2. [[https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCcEAK][CISA + Review Questions, Answers & Explanations Manual, 12th Edition | + Print]] + +The CRM is an excellent source of information and could honestly be used +as a reference for most IS auditors as a learning reference during their +daily audit responsibilities. However, it is *full* of information and +can be overloading if you're not good at filtering out useless +information while studying. + +The QAE is the real star of the show here. This book contains 1000 +questions, separated by exam section, and a practice exam. My only +complaint about the QAE is that each question is immediately followed +with the correct answer and explanations below it, which means I had to +use something to constantly cover the answers while I was studying. + +I didn't use the online database version of the QAE, but I've heard that +it's easier to use than the printed book. 
However, it is more expensive +($299 database vs $129 book) which might be important if you're paying +for materials yourself. + +In terms of question difficulty, I felt that the QAE was a good +representation of the actual exam. I've seen a lot of people online say +it wasn't accurate to the exam or that it was much easier/harder, but I +disagree with all of those. The exam was fairly similar to the QAE, just +focusing on whichever topics they chose for my version of the exam. + +If you understand the concepts, skim the CRM (and read in-depth on +topics you struggle with), and use the QAE to continue practicing +exam-like questions, you should be fine. I didn't use any online +courses, videos, etc. - the ISACA materials are more than enough. + +*** Studying Process +:PROPERTIES: +:CUSTOM_ID: studying-process +:END: +While I was able to briefly read through sections 1 and 2 in early 2021, +I had to stop and take a break from February/March to September. I +switched jobs in September, which allowed me a lot more free time to +study. + +In September, I studied sections 3-5, took notes, and did a quick review +of the section topics. Once I felt comfortable with my notes, I took a +practice exam from the QAE manual and scored 70% (105/150). 
Here's a breakdown of my initial practice exam: -| Exam Section | Incorrect | Correct | Grand Total | Percent | -|:---------------:|:---------:|:-------:|:-----------:|:-------:| -| 1 | 8 | 25 | 33 | 76% | -| 2 | 5 | 20 | 25 | 80% | -| 3 | 6 | 12 | 18 | 67% | -| 4 | 10 | 23 | 33 | 70% | -| 5 | 16 | 25 | 41 | 61% | -| **Grand Total** | **45** | **105** | **150** | **70%** | +| Exam Section | Incorrect | Correct | Grand Total | Percent | +|---------------+-----------+---------+-------------+---------| +| 1 | 8 | 25 | 33 | 76% | +| 2 | 5 | 20 | 25 | 80% | +| 3 | 6 | 12 | 18 | 67% | +| 4 | 10 | 23 | 33 | 70% | +| 5 | 16 | 25 | 41 | 61% | +| *Grand Total* | *45* | *105* | *150* | *70%* | As I expected, my toughest sections were related to project management, development, implementation, and security. -This just leaves October and November. For these months, I tried to practice -every few days, doing 10 questions for each section, until the exam. This came -out to 13 practice sessions, ~140 questions per section, and ~700 questions -total. - -While some practice sessions were worse and some were better, the final results -were similar to my practice exam results. As you can see below, my averages were -slightly worse than my practice exam. However, I got in over 700 questions of -practice and, most importantly, **I read through the explanations every time I -answered incorrectly and learned from my mistakes**. - -| Exam Section | Incorrect | Correct | Grand Total | Percent | -|:---------------:|:---------:|:-------:|:-----------:|:-------:| -| 1 | 33 | 108 | 141 | 77% | -| 2 | 33 | 109 | 142 | 77% | -| 3 | 55 | 89 | 144 | 62% | -| 4 | 52 | 88 | 140 | 63% | -| 5 | 55 | 85 | 140 | 61% | -| **Grand Total** | **228** | **479** | **707** | **68%** | - - - -## Results - -Now, how do the practice scores reflect my actual results? -After all, it's hard to tell how good a practice regimen is unless you see -how it turns out. 
- -| Exam Section | Section Name | Score | -|:------------:|------------------------------------------------------------------|:-------:| -| 1 | Information Systems Auditing Process | 678 | -| 2 | Governance and Management of IT | 590 | -| 3 | Information Systems Acquisition, Development, and Implementation | 721 | -| 4 | Information Systems Operations and Business Resilience | 643 | -| 5 | Protection of Information Assets | 511 | -| **TOTAL** | | **616** | - -Now, in order to pass the CISA, you need at least 450 on a sliding scale of -200-800. Personally, I really have no clue what an average CISA score is. After -a _very_ brief look online, I can see that the high end is usually in the low -700s. In addition, only about 50-60% of people pass the exam. - -Given this information, I feel great about my scores. -616 may not be phenomenal, and I wish I had done better on sections 2 & 5, -but my practicing seems to have worked very well overall. - -However, the practice results do not conform to the actual results. Section 2 -was one of my highest practice sections and was my second-lowest score in the -exam. Conversely, section 3 was my second-lowest practice section and turned out -to be my highest actual score! - -After reflecting, it is obvious that if you have any background on the CISA -topics at all, the most important part of studying is doing practice questions. -You really need to understand how to read the questions critically and pick the -best answer. - -## Looking Forward - -I am extremely happy that I was finally able to pass the CISA. Looking to the -future, I'm not sure what's next in terms of professional learning. My current -company offers internal learning courses, so I will most likely focus on that if -I need to gain more knowledge in certain areas. - -To be fair, even if you pass the CISA, it's hard to become an expert on any -specific topic found within. 
-My career may take me in a different direction, and I might need to focus -more on security or networking certifications (or possibly building a better -analysis/visualization portfolio if I want to go into data analysis/science). +This just leaves October and November. For these months, I tried to +practice every few days, doing 10 questions for each section, until the +exam. This came out to 13 practice sessions, ~140 questions per section, +and ~700 questions total. + +While some practice sessions were worse and some were better, the final +results were similar to my practice exam results. As you can see below, +my averages were slightly worse than my practice exam. However, I got in +over 700 questions of practice and, most importantly, *I read through +the explanations every time I answered incorrectly and learned from my +mistakes*. + +| Exam Section | Incorrect | Correct | Grand Total | Percent | +|---------------+-----------+---------+-------------+---------| +| 1 | 33 | 108 | 141 | 77% | +| 2 | 33 | 109 | 142 | 77% | +| 3 | 55 | 89 | 144 | 62% | +| 4 | 52 | 88 | 140 | 63% | +| 5 | 55 | 85 | 140 | 61% | +| *Grand Total* | *228* | *479* | *707* | *68%* | + +#+caption: CISA practice question results +[[https://img.cleberg.net/blog/20211204-i-passed-the-cisa/cisa-practice-questions-results.png]] + +** Results +:PROPERTIES: +:CUSTOM_ID: results +:END: +Now, how do the practice scores reflect my actual results? After all, +it's hard to tell how good a practice regimen is unless you see how it +turns out. 
+ +| Exam Section | Section Name | Score | +|--------------+------------------------------------------------------------------+-------| +| 1 | Information Systems Auditing Process | 678 | +| 2 | Governance and Management of IT | 590 | +| 3 | Information Systems Acquisition, Development, and Implementation | 721 | +| 4 | Information Systems Operations and Business Resilience | 643 | +| 5 | Protection of Information Assets | 511 | +| *TOTAL* | | *616* | + +Now, in order to pass the CISA, you need at least 450 on a sliding scale +of 200-800. Personally, I really have no clue what an average CISA score +is. After a /very/ brief look online, I can see that the high end is +usually in the low 700s. In addition, only about 50-60% of people pass +the exam. + +Given this information, I feel great about my scores. 616 may not be +phenomenal, and I wish I had done better on sections 2 & 5, but my +practicing seems to have worked very well overall. + +However, the practice results do not conform to the actual results. +Section 2 was one of my highest practice sections and was my +second-lowest score in the exam. Conversely, section 3 was my +second-lowest practice section and turned out to be my highest actual +score! + +After reflecting, it is obvious that if you have any background on the +CISA topics at all, the most important part of studying is doing +practice questions. You really need to understand how to read the +questions critically and pick the best answer. + +** Looking Forward +:PROPERTIES: +:CUSTOM_ID: looking-forward +:END: +I am extremely happy that I was finally able to pass the CISA. Looking +to the future, I'm not sure what's next in terms of professional +learning. My current company offers internal learning courses, so I will +most likely focus on that if I need to gain more knowledge in certain +areas. + +To be fair, even if you pass the CISA, it's hard to become an expert on +any specific topic found within. 
My career may take me in a different +direction, and I might need to focus more on security or networking +certifications (or possibly building a better analysis/visualization +portfolio if I want to go into data analysis/science). All I know is that I am content at the moment and extremely proud of my accomplishment. |