Advice for Taking the CISA Exam

This past December I took the ISACA CISA exam and I’m pleased to announce that last week, I got my confirmation letter stating that I passed in the top 10 percentile of fellow test takers!

With the test passed and the experience still very fresh on my mind, I felt I should take the opportunity share my experience and any advice to aid my fellow aspiring Certified Information Systems Auditors (CISA) out there!

What was the CISA Exam Like!?

I’ll get strait to answering the question I assume 99% of the people who stumble onto this blog are looking for.

The name of the certification is “Certified Information Systems auditor” yet I felt like the content was a bit light on the information systems side. This might be personal bias, since I have a very technical background and most of what was covered on the exam from a technical standpoint was fairly lightweight to me.

Instead, I felt like a lot more attention was given to IT governance (for example, what is the appropriate role of the board of directors, senior management, audit staff, etc.) and things like Disaster Recovery and Vendor Management. (Side Note: After studying and sitting for the CISA exam I’ve come to realize most of the organizations I audit are not giving their disaster recovery planning enough attention!)

There were also a fair amount of questions on actual audit processes, like which kind of control is best in what situation (detective VS preventative controls, automated controls, and so forth). The takeaway here is that if you aren’t highly technical – you should be fine.

CISA Test Prep

To prepare for the CISA, I relied heavily on ISACA’s official study materials. I primarily referred to a free CISA study guide put together by Mack over at the ITAuditSecurity blog.

The Book

The ISACA review manual was helpful as a support text for topics I encountered while running through the test database. I strongly suggest you DO NOT read the review manual from front to back as you would a traditional text book. You’ll quickly become bored to tears and start contemplating new career choices. Instead, skim the book for key concepts and terms.

Test Database Questions

What was most surprising to me upon actually taking the CISA was that none of the questions in the official ISACA test database showed up on the exam. (Christian, the co-author of this blog, said that when he took the exam the test database was very similar to the exam.) Simply running through the test database and memorizing answers will not help you (at least in my experience). It is much more important you take the test questions and read the explanations ISACA gives you then follow up in their review manual for more details.

Thankfully, I took the time to properly prepare and didn’t try to “pump and dump” for this exam. The exam did force me to actually think through many of the questions.

What is the CISA Test Taking Experience Like?

I sat for the CISA in Atlanta, GA. The test taking environment was extremely controlled with three proctors walking the room for the duration of the exam.

We were asked to empty our pockets and put any personal items at the front of the room when entering. Cell phones were not allowed in the exam space and had to be checked at the front desk before entering.

During the test, only one person was allowed to go to the restroom at a time and a proctor stood outside the door of the restroom while you went. The only thing allowed on the desk during the test were a few #2 pencils and an eraser. I saw some people have their erasers inspected (because they were covered in a paper wrapping). If the leads broke on all your pencils during the test, you were out of luck and warned of that ahead of time.

The test was all Scantron (fill in the bubble), multiple choice and consisted of 200 questions. I finished the exam in about an hour and a half of the four hours allotted. I was among the first to complete the exam. We were warned repeatedly that there was a zero tolerance policy for breaking any rules and the proctors appeared to take the rules very seriously.

In the lobby there were free refreshments (including a soda fountain machine and a Keurig coffee machine) and parking was partially validated for us. The test taking environment was very nice.

Anyone else a CISA? Do you have any pressing questions I didn’t address? Share your questions and experiences in the comments.

By Christian Hyatt|2020-12-03T21:00:40+00:00January 22nd, 2015|IT Audit and Compliance|29 Comments

About the Author: Christian Hyatt

Christian is the CEO and Co-founder of risk3sixty. Christian is responsible for setting the vision for the team, ensuring the leadership team is “rowing in the same direction,” creating purpose and alignment across the firm, and nurturing company culture. Christian has 15 years of experience advising technology companies to build and improve their cybersecurity programs. Christian works hard to partner with executives to help ensure they have the strategy and tactics to align cybersecurity and business objectives. Under Christian’s leadership, risk3sixty has been named Consulting Magazine’s Best Firms to Work For, Atlanta’s Fastest Growing companies, Atlanta’s Best Places to Work, HireVets Platinum Honoree, and more. Outside risk3sixty, Christian advises technology start-ups on business and growth challenges is an author and, keynote speaker, and Vistage member. Christian has an M.B.A. from Georgia Tech and a B.B.A. from the University of Georgia. Christian is a Georgia Tech Technology and Management (T&M) corporate partner and Advisory Board Member for UGA’s Management Information System Advisory Board.

29 Comments

ITauditSecurity (Mack) January 22, 2015 at 10:03 pm - Reply
Shane,
Congrats. Your experience was very similar to mine:
-Exam is light on IT side, heavier on the audit side.
-ISACA guide helpful, but a hard read.
-No test questions on the exam. If I recall, they give out 4 different versions of the exam, so the guy next to you has a different version
The only diff for me was that the proctor/environment was real loose. My neighbor opened his exam before being told, a big no-no.
Thanks for the mention of my CISA guide.
Steve January 23, 2015 at 12:58 pm - Reply
Yes Shane – congratulations.
I took the exam a little over 12 years ago, but it sounds like the process is roughly the same – especially the extreme proctoring. I remember I had a cold when I took the exam and they inspected my Kleenex and cough drops.
My biggest frustration with the exam was the inconsistency of the questions. Back then (and may still be the case), exam questions were written by CISAs and ISACA members. Members could submit questions and it seemed like they were simply pasted into the exam. There was no consistency in style, format or content which made it challenging to get into a rhythm. I also felt there was some subjectivity in the questions themselves. A lot of them would ask for the BEST answer or action you would take FIRST. Many of the answers could technically be correct, but not necessarily the FIRST or BEST thing to do.
I also agree that the review manual should mainly be used as a reference while going through the practice questions. In fact, I remember many of the practice questions covering material that wasn’t even in the manual. Personally I found the CISSP study manual to be a better reference for the CISA. I highly recommend using it as a resource. You can typically pick one up cheaper at a used book store. Or check out ITAuditSecurity’s blog for reference material.
Shane January 23, 2015 at 2:15 pm - Reply
Thanks for the input Steve and Mack.
@Steve: Also, I forgot to add the point you brought to my attention. I felt like the questions were fairly consistent in the logic and questioning style used, but there were definitely more than a few (at least from the test database) where I felt ISACA’s take on what was correct incorrect due to first hand experience in the field.
Thanks.
Robert March 19, 2015 at 9:51 am - Reply
I often struggle with self guided study. For me using the book would have led to me not successfully passing the exam.
A former colleague of mine suggested I try the ISACA CISA online study course. For me this was great – I was able to study an hour a night with some self paced tutorials. There were questions during at the end of each section – and then I supplemented this with the very popular questions database.
Also – at the end of each section (there are 5) you are given CPE credits (I have other certifications – so this was very valuable for me).
As this blog does alot of showing – there are many ways to skin a cat – in this case passing the CISA exam. For me I found this ISACA course to be a little expensive ($500) but also very useful in passing the September 2014 CISA exam.
- Mark February 18, 2016 at 10:20 am - Reply
  Hi Robert,
  What institution did you take the course from?
  Thanks,
V. Cherian Abraham May 13, 2015 at 3:55 am - Reply
Hi Shane
Congrats on your success of passing CISA.
Reading your post reminded me of the process that I adopted for clearing the CISA exams. I also passed out in December 2014. I gave my exams from Muscat, Oman.
The process followed by me upto the exam days was almost same: –
– Attending the review classes conducted by the Muscat chapter.
– Reading the review manual atleast twice before the exams.
– Attempting the test database questions.
– Appearing for the mock test in exam condition.
Cherian
Ziyanda July 30, 2015 at 2:11 am - Reply
Hie
Congratulations !!!! I have a question , do you have to necessarily have IT auditing experience before taking the exam to pass the CISA exam in other words what are the chances of passing the exam with zero experience in IT auditing. I am a recent grad with a year of experience in IT the technical side wanted to sit for the December 2015 exam. Your advice will be greatly appreciated.
- Shane Peden July 30, 2015 at 7:30 am - Reply
  Ziyanda,
  Honestly, the exam is more concerned with audit techniques and the various elements of IT management than the hard IT concepts. For example, there are quite a few questions on change management, logical access, and disaster recovery- which in my experience, the pure IT guys don’t always necessarily understand the workings of from the same perspective as the Auditor or Manager might.
  Further, there is a professional experience requirement which you probably won’t meet at this time. If you want to break into the IS Auditing and Security field, I’d suggest checking out CompTIA’s Security+ and Network+ certs. I don’t believe they have work experience requirements.
  Good luck, Shane
Anthony August 13, 2015 at 11:11 pm - Reply
Ahhhh…Security+ was a joke for me. Haha! I am an auditor for third party vendors on the ISO 270001 standard. It seems like this exam is the most in line with my career goals. I HOPE. Do you have any knowledge of the ISO Lead Audit cert? It seems like most job postings list ISACA certs as required or nice to have. I’m wondering if it would be best to switch up to stand out or if that would leave me high and dry! What ya think…….? (:
Shane Peden August 14, 2015 at 6:36 am - Reply
Anthony,
I’m not familiar with the ISO Lead Audit Cert.
The CISA certification isn’t like the Security+ certification. The two tests are concerned over very different subject matter. I’d argue you learn a lot more from studying for the CISA than Security+ though. All I’ve learned studying for the Security+ are a bunch of acronyms, thus far.
I’d get the CISA just to get my foot in the door with most jobs if I were you. Expect to be studying a lot more about audit techniques and IT management than hard IT concepts though.
- Anthony August 14, 2015 at 7:05 am - Reply
  Ok. Great! Thank you for the quick reply. (:
- Anthony August 18, 2015 at 9:57 pm - Reply
  Shane: Oops! Two more?
  I plan to use what you have under test prep. The manual on here is 2014 and I have a manual from 2013. Shall I pony up the cash for the 2015 CISA Review manual?
  Also, I’m doing all this now for the December exam…and was going to add the 5 mod CISA training that Robert suggested above – any opinion on the 5 module online training that ISACA has for $500. right before I sit for the exam? Not sure if overkill will kill me – or pass me! Ha!
  Thank YOU!
  - Shane August 19, 2015 at 7:37 am - Reply
    Anthony,
    The best training resource is the official CISA test question app that ISACA sells. If your job will pay for the reference manual, I’d get that too, just so you can look stuff up that you have questions about while taking the practice exam.
    Studying the reference book alone won’t get you far. It’s best to do the test questions then follow up by looking up things in the reference book. Don’t just pump and dump the exam either. There were no repeat questions on the actual test, just questions over the same subject matter.
    Look for CISA Review Questions, Answers & Explanations Database v15 CD-ROM here: https://www.isaca.org/bookstore/pages/cisa-exam-resources.aspx
    - fmkangazi January 4, 2016 at 6:46 am - Reply
      I am Computer Science guy and working at law enforcement. The burning desire to write CISA just skills and ability of IS audit as step up through my work and career in general.Thanks for all comments as I am in preparation to write in June 2016.My QUESTION are there any need to have some review of CISSP? Thanks Shane
      - Shane Peden January 4, 2016 at 8:02 am
        The CISSP and CISA subject matter overlap A LOT! But the CISSP is more focused on the technology aspect of Info Sec and Management while the CISA is meant is more focused on assessment of Information Systems.
        Focus on the CISA subject matter now. Passing the CISA will go a long way in helping you prep for the CISSP.
Tintin October 7, 2015 at 5:55 pm - Reply
Hi Shane and others. I want to take the CISA exam in December. I was wondering if studying for a month is enough? I have worked in IT Audit for over 6 years, am currently about to write my ISO 27001 this October and I have just completed a masters in cyber security this September. My point being, I hope I have the arsenal and right state of mind as next years exam will be too far. Generally, is it possible if I study my nights away?
- Anthony October 7, 2015 at 10:45 pm - Reply
  Tintin, I would say that you have two months. I would also say that gievn your recent accomplishments, you stand a good chance of passing. I would consider the fact that ISACA/CISA questions and the way you need to answer them will be unlike the questions and answers from your previous endeavors. As Shane states (and many others) the QA DB from ISACA and the CM will be your best bet, I am also using the Nuggets. I am doing an hour per day with 2-3hrs on weekends where available. Good Luck! (:
  - Tintin October 9, 2015 at 10:45 am - Reply
    Thanks Anthony.
Anthony October 20, 2015 at 11:48 pm - Reply
Hi Shane,
Question: Any idea how the ISACA Complete CISA Online Review Course—All 5 Modules is for test prep compared to the CBT Nuggets?
Thank you~!
- Robert October 21, 2015 at 7:04 am - Reply
  That is what I used to study for the exam.
  That and the old exam questions released by ISACA was my entire study plan.
  It worked. I’m a CISA.
Harshal November 20, 2015 at 7:53 am - Reply
I have one question. I am having over 10 years of NON-audit IT experience.
I am analyzing for career switch into audit by taking CISA certification.
Does this suitable for me in getting job?
Padmini December 26, 2015 at 8:08 pm - Reply
Thank You for sharing your experience. As I see that the CISA Exam in June 2016 contains only 150 questions. Request you to please kindly share the CISA Review Manual 2015 and Questions Database so that it will be helpful for my preparation.
Biliqis February 22, 2016 at 6:40 am - Reply
Your write up is rather encouraging…and really true the manual is daunting to face as it does not read like a regular book. I feel bolstered to register for the June exams. What average number of study hours do you think is required?
Pie May 25, 2016 at 9:04 pm - Reply
Hi! Congratulations!
I am interested to take the CISA exam.
However, I’m afraid that it might be hard for me since I only have a minimal IT background.. I was very interested with CISA. Btw, I am a Certified Public Accountant…
Do you think I have to take up short IT courses first before I take the review? or I can take the review right away? Thanks!
- Robert May 26, 2016 at 10:41 am - Reply
  I think you will be fine starting your review – alot of the exam is geared toward how to audit and not is not as technical as other IT certifications.
  I also have a CPA – and I have found if you can study and pass that exam – it will help for other standardized tests.
  Use a similar studying technique – and I recommend using the ISACA’s official online study guide (it’s about $500). While pricey – it sets up the information and questions in an easy to understand and study format.
Hasmali Shah June 21, 2016 at 3:23 pm - Reply
Hi
I too am starting out on this and have a question please on good training materials- after reading the posts above i looked out for the ISACA material but the following is on their website
”The CISA Online Review Course is no longer available for purchase. A new course is being developed that incorporates CISA job practice changes as well as upgrades to the course format and technology.”
Does anyone have any opinions as to the courses offered by (1) certified information security (2) Simplilearn (3) Exam matrix // these are the only 3 i could find when carrying out a google search
Many thanks
Simit August 4, 2016 at 2:11 am - Reply
Hi,
I am planning to starts CISA. I have completed CA. I have experience in Internal Audit. Currently I am working in OMAN.
I came to know there are 3 books are available for preparation.
1. Review Guide
2. Questions Answers Guide
3. 12 month subscription
Can anyone suggest all three books are required or only first 2 books are enough??
Thanks
Simit
- Minsun October 29, 2016 at 8:46 am - Reply
  hi simit, I also gonna to take the next cisa exam…do you want to buy and share cost with me the meterial….
Subbu September 25, 2016 at 12:16 pm - Reply
Hi Simit,
I have the same query – so, what did you buy finally? Thanks, Subbu