diff options
Diffstat (limited to 'content/blog/2021-12-04-cisa.md')
| -rw-r--r-- | content/blog/2021-12-04-cisa.md | 319 |
1 files changed, 152 insertions, 167 deletions
diff --git a/content/blog/2021-12-04-cisa.md b/content/blog/2021-12-04-cisa.md index 7060d5e..b605493 100644 --- a/content/blog/2021-12-04-cisa.md +++ b/content/blog/2021-12-04-cisa.md @@ -8,208 +8,193 @@ draft = false # What is the CISA? For those of you lucky enough not to be knee-deep in the world of IT/IS -Auditing, [CISA](https://www.isaca.org/credentialing/cisa) stands for -Certified Information Systems Auditor. This certification and exam are -part of ISACA\'s suite of certifications. As I often explain it to -people like my family, it basically means you\'re employed to use your -knowledge of information systems, regulations, common threats, risks, -etc. in order to assess an organization\'s current control of their -risk. If a risk isn\'t controlled (and the company doesn\'t want to -accept the risk), an IS auditor will suggest implementing a control to -address that risk. - -Now, the CISA certification itself is, in my opinion, the main -certification for this career. While certifications such as the CPA or -CISSP are beneficial, nothing matches the power of the CISA for an IS -auditor when it comes to getting hired, getting a raise/bonus, or -earning respect in the field. - -However, to be honest, I am a skeptic of most certifications. I -understand the value they hold in terms of how much you need to commit -to studying or learning on the job, as well as the market value for -certifications such as the CISA. But I also have known some very -~~incompetent~~ *less than stellar* auditors who have CPAs, CISAs, CIAs, -etc. - -The same goes for most industries: if a person is good at studying, they -can earn the certification. However, that knowledge means nothing unless -you\'re actually able to use it in real life and perform as expected of -a certification holder. The challenge comes when people are hired or -connected strictly because of their certifications or resume; you need -to see a person work before you can assume them having a CISA means -they\'re better than someone without the CISA. - -Okay, rant over. Certifications are generally accepted as a measuring -stick of commitment and quality of an employee, so I am accepting it -too. +Auditing, [CISA](https://www.isaca.org/credentialing/cisa) stands for Certified +Information Systems Auditor. This certification and exam are part of ISACA's +suite of certifications. As I often explain it to people like my family, it +basically means you're employed to use your knowledge of information systems, +regulations, common threats, risks, etc. in order to assess an organization's +current control of their risk. If a risk isn't controlled (and the company +doesn't want to accept the risk), an IS auditor will suggest implementing a +control to address that risk. + +Now, the CISA certification itself is, in my opinion, the main certification for +this career. While certifications such as the CPA or CISSP are beneficial, +nothing matches the power of the CISA for an IS auditor when it comes to getting +hired, getting a raise/bonus, or earning respect in the field. + +However, to be honest, I am a skeptic of most certifications. I understand the +value they hold in terms of how much you need to commit to studying or learning +on the job, as well as the market value for certifications such as the CISA. But +I also have known some very ~~incompetent~~ *less than stellar* auditors who +have CPAs, CISAs, CIAs, etc. + +The same goes for most industries: if a person is good at studying, they can +earn the certification. However, that knowledge means nothing unless you're +actually able to use it in real life and perform as expected of a certification +holder. The challenge comes when people are hired or connected strictly because +of their certifications or resume; you need to see a person work before you can +assume them having a CISA means they're better than someone without the CISA. + +Okay, rant over. Certifications are generally accepted as a measuring stick of +commitment and quality of an employee, so I am accepting it too. # Exam Content -The CISA is broken down into five sections, each weighted with a -percentage of test questions that may appear. +The CISA is broken down into five sections, each weighted with a percentage of +test questions that may appear.  -Since the exam contains 150 questions, here\'s how those sections break -down: +Since the exam contains 150 questions, here's how those sections break down: - Exam Section Percentage of Exam Questions - ----------------- -------------------- ----------- - 1 21% 32 - 2 17% 26 - 3 12% 18 - 4 23% 34 - 5 27% 40 - **Grand Total** **100%** **150** +| Exam Section | Percentage of Exam | Questions | +|-----------------|--------------------|-----------| +| 1 | 21% | 32 | +| 2 | 17% | 26 | +| 3 | 12% | 18 | +| 4 | 23% | 34 | +| 5 | 27% | 40 | +| **Grand Total** | **100%** | **150** | # My Studying Habits -This part is a little hard for me to break down into specific detail due -to the craziness of the last year. While I officially purchased my -studying materials in December 2020 and opened them to \"start -studying\" in January 2021, I really wasn\'t able to study much due to -the demands of my job and personal life. +This part is a little hard for me to break down into specific detail due to the +craziness of the last year. While I officially purchased my studying materials +in December 2020 and opened them to "start studying" in January 2021, I really +wasn't able to study much due to the demands of my job and personal life. Let me approach this from a few different viewpoints. ## Study Materials -Let\'s start by discussing the study materials I purchased. I\'ll be -referring to #1 as the CRM and #2 as the QAE. - -1. [CISA Review Manual, 27th Edition \| - Print](https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCbEAK) -2. \[\[<https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCcEAK>\]\[CISA - Review Questions, Answers & Explanations Manual, 12th Edition \| - Print\]\] - -The CRM is an excellent source of information and could honestly be used -as a reference for most IS auditors as a learning reference during their -daily audit responsibilities. However, it is **full\*** of information -and can be overloading if you\'re not good at filtering out useless -information while studying. - -The QAE is the real star of the show here. This book contains 1000 -questions, separated by exam section, and a practice exam. My only -complaint about the QAE is that each question is immediately followed -with the correct answer and explanations below it, which means I had to -use something to constantly cover the answers while I was studying. - -I didn\'t use the online database version of the QAE, but I\'ve heard -that it\'s easier to use than the printed book. However, it is more -expensive (\$299 database vs \$129 book) which might be important if -you\'re paying for materials yourself. - -In terms of question difficulty, I felt that the QAE was a good -representation of the actual exam. I\'ve seen a lot of people online say -it wasn\'t accurate to the exam or that it was much easier/harder, but I -disagree with all of those. The exam was fairly similar to the QAE, just -focusing on whichever topics they chose for my version of the exam. - -If you understand the concepts, skim the CRM (and read in-depth on -topics you struggle with), and use the QAE to continue practicing -exam-like questions, you should be fine. I didn\'t use any online -courses, videos, etc. - the ISACA materials are more than enough. +Let's start by discussing the study materials I purchased. I'll be referring +to #1 as the CRM and #2 as the QAE. + +1. [CISA Review Manual, 27th Edition | +Print](https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCbEAK) +2. [CISA Review Questions, Answers & Explanations Manual, 12th Edition | +Print](https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCcEAK) + +The CRM is an excellent source of information and could honestly be used as a +reference for most IS auditors as a learning reference during their daily audit +responsibilities. However, it is **full** of information and can be +overloading if you're not good at filtering out useless information while +studying. + +The QAE is the real star of the show here. This book contains 1000 questions, +separated by exam section, and a practice exam. My only complaint about the QAE +is that each question is immediately followed with the correct answer and +explanations below it, which means I had to use something to constantly cover +the answers while I was studying. + +I didn't use the online database version of the QAE, but I've heard that it's +easier to use than the printed book. However, it is more expensive ($299 +database vs $129 book) which might be important if you're paying for materials +yourself. + +In terms of question difficulty, I felt that the QAE was a good representation +of the actual exam. I've seen a lot of people online say it wasn't accurate to +the exam or that it was much easier/harder, but I disagree with all of those. +The exam was fairly similar to the QAE, just focusing on whichever topics they +chose for my version of the exam. + +If you understand the concepts, skim the CRM (and read in-depth on topics you +struggle with), and use the QAE to continue practicing exam-like questions, you +should be fine. I didn't use any online courses, videos, etc. - the ISACA +materials are more than enough. ## Studying Process -While I was able to briefly read through sections 1 and 2 in early 2021, -I had to stop and take a break from February/March to September. I -switched jobs in September, which allowed me a lot more free time to -study. +While I was able to briefly read through sections 1 and 2 in early 2021, I had +to stop and take a break from February/March to September. I switched jobs in +September, which allowed me a lot more free time to study. -In September, I studied sections 3-5, took notes, and did a quick review -of the section topics. Once I felt comfortable with my notes, I took a -practice exam from the QAE manual and scored 70% (105/150). +In September, I studied sections 3-5, took notes, and did a quick review of the +section topics. Once I felt comfortable with my notes, I took a practice exam +from the QAE manual and scored 70% (105/150). -Here\'s a breakdown of my initial practice exam: +Here's a breakdown of my initial practice exam: - Exam Section Incorrect Correct Grand Total Percent - ------------------- ----------- ----------- ------------- ----------- - 1 8 25 33 76% - 2 5 20 25 80% - 3 6 12 18 67% - 4 10 23 33 70% - 5 16 25 41 61% - **Grand Total\*** **45\*** **105\*** **150\*** **70%\*** +| Exam Section | Incorrect | Correct | Grand Total | Percent | +|-----------------|-----------|---------|-------------|---------| +| 1 | 8 | 25 | 33 | 76% | +| 2 | 5 | 20 | 25 | 80% | +| 3 | 6 | 12 | 18 | 67% | +| 4 | 10 | 23 | 33 | 70% | +| 5 | 16 | 25 | 41 | 61% | +| **Grand Total** | **45** | **105** | **150** | **70%** | As I expected, my toughest sections were related to project management, development, implementation, and security. -This just leaves October and November. For these months, I tried to -practice every few days, doing 10 questions for each section, until the -exam. This came out to 13 practice sessions, \~140 questions per -section, and \~700 questions total. - -While some practice sessions were worse and some were better, the final -results were similar to my practice exam results. As you can see below, -my averages were slightly worse than my practice exam. However, I got in -over 700 questions of practice and, most importantly, \*I read through -the explanations every time I answered incorrectly and learned from my -mistakes\*. - - Exam Section Incorrect Correct Grand Total Percent - ------------------- ----------- ----------- ------------- ----------- - 1 33 108 141 77% - 2 33 109 142 77% - 3 55 89 144 62% - 4 52 88 140 63% - 5 55 85 140 61% - **Grand Total\*** **228\*** **479\*** **707\*** **68%\*** +This just leaves October and November. For these months, I tried to practice +every few days, doing 10 questions for each section, until the exam. This came +out to 13 practice sessions, ~140 questions per section, and ~700 questions +total. + +While some practice sessions were worse and some were better, the final results +were similar to my practice exam results. As you can see below, my averages were +slightly worse than my practice exam. However, I got in over 700 questions of +practice and, most importantly, *I read through the explanations every time I +answered incorrectly and learned from my mistakes*. + +| Exam Section | Incorrect | Correct | Grand Total | Percent | +|-----------------|-----------|---------|-------------|---------| +| 1 | 33 | 108 | 141 | 77% | +| 2 | 33 | 109 | 142 | 77% | +| 3 | 55 | 89 | 144 | 62% | +| 4 | 52 | 88 | 140 | 63% | +| 5 | 55 | 85 | 140 | 61% | +| **Grand Total** | **228** | **479** | **707** | **68%** |  # Results -Now, how do the practice scores reflect my actual results? After all, -it\'s hard to tell how good a practice regimen is unless you see how it -turns out. - - Exam Section Section Name Score - -------------- ------------------------------------------------------------------ --------- - 1 Information Systems Auditing Process 678 - 2 Governance and Management of IT 590 - 3 Information Systems Acquisition, Development, and Implementation 721 - 4 Information Systems Operations and Business Resilience 643 - 5 Protection of Information Assets 511 - **TOTAL** **616** - -Now, in order to pass the CISA, you need at least 450 on a sliding scale -of 200-800. Personally, I really have no clue what an average CISA score -is. After a *very* brief look online, I can see that the high end is -usually in the low 700s. In addition, only about 50-60% of people pass -the exam. - -Given this information, I feel great about my scores. 616 may not be -phenomenal, and I wish I had done better on sections 2 & 5, but my -practicing seems to have worked very well overall. - -However, the practice results do not conform to the actual results. -Section 2 was one of my highest practice sections and was my -second-lowest score in the exam. Conversely, section 3 was my -second-lowest practice section and turned out to be my highest actual -score! - -After reflecting, it is obvious that if you have any background on the -CISA topics at all, the most important part of studying is doing -practice questions. You really need to understand how to read the -questions critically and pick the best answer. +Now, how do the practice scores reflect my actual results? After all, it's hard +to tell how good a practice regimen is unless you see how it turns out. + +| Exam Section | Section Name | Score | +|--------------|------------------------------------------------------------------|-------| +| 1 | Information Systems Auditing Process | 678 | +| 2 | Governance and Management of IT | 590 | +| 3 | Information Systems Acquisition, Development, and Implementation | 721 | +| 4 | Information Systems Operations and Business Resilience | 643 | +| 5 | Protection of Information Assets | 511 | + +Now, in order to pass the CISA, you need at least 450 on a sliding scale of +200-800. Personally, I really have no clue what an average CISA score is. After +a *very* brief look online, I can see that the high end is usually in the low +700s. In addition, only about 50-60% of people pass the exam. + +Given this information, I feel great about my scores. 616 may not be phenomenal, +and I wish I had done better on sections 2 & 5, but my practicing seems to have +worked very well overall. + +However, the practice results do not conform to the actual results. Section 2 +was one of my highest practice sections and was my second-lowest score in the +exam. Conversely, section 3 was my second-lowest practice section and turned out +to be my highest actual score! + +After reflecting, it is obvious that if you have any background on the CISA +topics at all, the most important part of studying is doing practice questions. +You really need to understand how to read the questions critically and pick the +best answer. # Looking Forward -I am extremely happy that I was finally able to pass the CISA. Looking -to the future, I\'m not sure what\'s next in terms of professional -learning. My current company offers internal learning courses, so I will -most likely focus on that if I need to gain more knowledge in certain -areas. - -To be fair, even if you pass the CISA, it\'s hard to become an expert on -any specific topic found within. My career may take me in a different -direction, and I might need to focus more on security or networking -certifications (or possibly building a better analysis/visualization -portfolio if I want to go into data analysis/science). +I am extremely happy that I was finally able to pass the CISA. Looking to the +future, I'm not sure what's next in terms of professional learning. My current +company offers internal learning courses, so I will most likely focus on that if +I need to gain more knowledge in certain areas. + +To be fair, even if you pass the CISA, it's hard to become an expert on any +specific topic found within. My career may take me in a different direction, and +I might need to focus more on security or networking certifications (or possibly +building a better analysis/visualization portfolio if I want to go into data +analysis/science). All I know is that I am content at the moment and extremely proud of my accomplishment. |