Everything you need to know to pass with flying colors.
Studying for the CISA exam can be tough, but it is also a great opportunity to understand the world of information security auditing as it applies to a variety of frameworks, such as PCI DSS, ISO 27001, and SOC 2
At risk3sixty, passing the Certified Information Systems Auditor (CISA) exam is a key expectation for consulting team members in their first 12 months. Our team currently enjoys a 100% pass rate utilizing the methods below.
This is because we figured something out: with CISA knowledge in your company, compliance and audit efforts will be a smoother experience. Most importantly, your company will have a better sense of what strong security controls entail. This is what we provide to every client.
We have provided advice for taking the CISA exam in blogs in 2015 & early 2020. This blog post summarizes the combined knowledge of the risk3sixty team when it comes to preparing for the CISA exam. This includes the relevant items from previous blogs and current updates such as changes due to COVID-19. If you are planning to take the CISA exam or are curious about why you should, this blog is for you!
What is in the CISA Exam?
To pass the CISA exam, you need a scaled score of 450 or higher across the five domain areas. This represents the minimum standard of knowledge as established by ISACA’s CISA Certification Working Group. ISACA bases its scores on the following CISA domain areas:
In our experience, technical people will have knowledge gaps in Domains 1-3 whereas business-minded people will have gaps in Domains 4-5. To succeed on the exam, we recommend that you have a strategic, high-level understanding of how the functional and technical areas integrate.
Even though this exam is designed for information security auditors, the CISA exam gives senior management a great opportunity to understand the purpose and background of information security. The common thread we notice in our compliance projects are gaps in vendor management, disaster recovery, and monitoring.
How should I prepare for the CISA Exam?
We recommend studying at least three times a week over at least eight weeks to prepare for this exam. We rely on ISACA’s PERFORM platform and the 27th edition of the ISACA Review Manual as our study materials. The PERFORM tool replaces the previous ISACA QAE question database, with updated scoring mechanics and functionality.
If you decide to take at least eight weeks to study, here is our approach:
- During the first week, you should perform a self-assessment in the ISACA PERFORM platform to identify knowledge gaps. Use your previous business knowledge to become comfortable with what you know and fill in your knowledge gaps!
- In the following five weeks, you should work through the Study Plan – Adaptive Plan module within PERFORM. Use the reference book to review the knowledge gaps identified as you work through the domains. You should tackle at least one domain per week.
- In the final two weeks, you should take both practice exams offered that cover 150 questions on all five domains to determine if you are ready for the exam. Note that you may use the Practice module to target specific domains and sub-domains.
None of the questions in the official ISACA PERFORM platform will be written verbatim in the CISA exam. Running through the test database and memorizing answers will not help you prepare for the CISA.
Instead, take the test questions and read the explanations ISACA provides. Then, see the review manual for more details. We recommend taking your time to properly prepare and reflect on each practice question and its meaning.
We strongly suggest that you DO NOT read the review manual from front to back as you would a traditional textbook. Instead, use it to study topics of difficulty identified as you work through the test database. You should review the book for key concepts and terms.
Key Updates with PERFORM
A key change with PERFORM is that the MCQ ReadyScore has been replaced by three separate categories:
- Percentile Rank: This is your percentile ranking relative to other participants currently using the PERFORM platform. Note that this number will fluctuate throughout your preparation as your comparison cohort changes. We recommend consistently achieving a ranking above the 70% percentile.
- Score on Practice: This is your average score across all domains and questions you have attempted. We recommend ensuring steady growth here until you hit above 75%.
- Score on Tests: This is your average score on the two practice exams. We recommend a score above 80%.
If you don’t feel ready for the exam, you will be able to change the exam date up to 48 hours before the exam date.
What is the CISA test-taking experience Like?
Due to the Coronavirus pandemic, the CISA exam is being offered in-person, in controlled environments, and online. Below you will find two recent experiences from our team members for each of these exam environments.
This is based on the experience of Kendall Morris, who took his CISA exam in the traditional format at the testing environment in Kennesaw, GA at the Cobb County International Airport.
He took his exam in a small room containing only a computer with a camera and one proctor there to set up the exam and camera used to monitor the test taker virtually.
You will be asked to empty your pockets and put all personal items in a locker before entering. Additionally, cell phones are not allowed in the exam space and have to be checked at the front desk. There will be no items on the desk except for the computer provided by the proctors.
The CISA exam is taken on the computer instead of using manually completed scantrons. The test consists of 150 multiple-choice questions.
Before taking the exam, you will be required to acknowledge the ISACA test-taking rules. We were warned repeatedly of the zero-tolerance policy for breaking any of the rules.
During the exam, only one person may use the restroom at a time, and a proctor waits outside the door of the restroom.
Once you finish the exam, the computer will notify you of your exam results. Later, you will receive an email from ISACA with your score range in each domain area.
This is based on the experience of Phillip Lee, who took his CISA in the COVID-19 era, using the online, proctored exam service.
When registering for the online exam, a series of instructions are provided to minimize the risk of breaking any rules. Based on these, Phillip took the exam in a conference room at the risk3sixty offices with nothing in the room but a table, chairs, and an unplugged TV (other risk3sixty team members were told that they had to remove the TV and any monitors from the room).
The proctor will give you instructions via chat in the online proctoring tool and tell you how to show the proctor the entire room using the webcam. Please note, you will need to be on your webcam the entire time and leave your microphone on.
If you need a bathroom break, you can request those via chat and the proctor will approve a 10 to 15-minute break and lock the exam while you are away. You can request two breaks during the exam. When you return, you will use the chat to notify the proctor who will unlock your exam.
The proctors remain available via chat for the duration of the exam to assist with any issues or questions.
Once you have completed the exam, you will be given the option to review and submit your exam. Once you submit the exam, you will receive a preliminary pass or fail result. Your detailed CISA score breakdown will arrive via email from ISACA within two weeks.
Good luck with your studies, and feel free to contact us with any questions!
If you are a current CISA, please feel free to share any additional tips. Share your questions and experiences in the comments.