Earlier this year, when I earned the last one of the Fab 4 of ISACA certifications – CISM, CISA, CRISC and CGEIT – I decided to write a post about my experience and the lessons I learned along the way. I hope this will be useful for anyone preparing to obtain these industry-recognized credentials.
1. The disclaimer.
2. The motivation.
Several people have asked me why I did it and if there is any value to getting all four of these certifications. I would say that for many in jobs focusing on siloed aspects of information security, the answer is “No”- they would be better served by getting the one or two certifications most relevant to them. But, for an information security and risk consultant like me whose work encompasses a wider universe, there’s definite value in preparing for and getting all of these certifications. At the same time, I believe anyone desirous of expanding his or her overall knowledge in this area will find them useful.
On a more personal note, there’s also a sense of personal achievement tied to this. Balancing client, firm and family commitments in order to study and take these exams was a major motivator.
3. The preparation.
To my mind, the best preparation for getting the ISACA certifications is getting experience in the field. The second best would be to get the CISSP. I believe the CISSP covers a much broader area than any individual ISACA exam and puts one in good stead to ace ISACA’s certification exams later. However, none of these are deal-breakers – you can definitely succeed at the ISACA exams without the CISSP or 12-plus years of experience (like me).
As for the materials I used, I confess that I found the official manuals to be dry. I focused on Questions & Answers databases after going through the free training videos available at Cybrary.it. I would extensively take notes while watching the videos and when reviewing my answers on practice tests using the databases. When reviewing before the exams, I would refer only to my notes.
As many before me have surmised, there IS an ISACA way. Don’t be alarmed; it’s not completely at odds with your knowledge gained from experience, but there may be subtle variations. The best way to understand it is to analyze, with a fine-toothed comb, the answers to the database questions. The wrong answers should also be part of your analysis, as they clearly explain why they are NOT right for a particular question but can be for a different one.
Rule of thumb: if you’re consistently scoring 75 percent in the database Q&A for a particular test, you’re ready for the actual one!
4. The key takeaways.
- IT exists to serve business. Business exists to serve stakeholders’ interests.
- People are the most valuable asset; people are also the weakest link in security.
- Governance is “doing the right things”; management is “doing things right.”
- Security and audit decisions should be risk-based and meet business requirements. Organizational structure and culture are key decision factors.
- The first step before implementing change is to understand the current state.
- Understand the composition and responsibilities of the board, senior management, operational management, IT Strategy Committee, IT Steering Committee and IT Architecture Review Board.
- Understand the composition of the IT Strategic Plan, IT Investment Portfolio, IT Operational Plan, IT Acquisition Plan, IT Implementation Plan, IT Outsourcing Plan, IT Risk Register, Enterprise Architecture, IT Balanced Scorecard, policies, standards and procedures, etc.
- Realize that accountability and responsibility are different things. Usually, the board or senior management are held accountable for security-related decisions. The term “ultimate responsibility” refers to accountability.
- IT strategy should be an extension of enterprise strategy. Enterprise architecture aligns IT strategy with enterprise strategy.
- IT goals should align with enterprise goals. Any IT investment has to be supported by a business case.
- “You cannot manage what you cannot measure” – understand metrics (KPIs and KRIs), how they are selected and measured, and what kind of information they can provide.
5. The D-Day experience.
The best preparation is of little use unless put into practice. Here are some tips around exam day:
- Try to schedule practice tests and the actual exam at the same time of the day. I can’t quote any scientific studies to support this, but I believe the body and mind acclimatize themselves for peak performance during the time you practice most.
- Read the question carefully to understand your role – are you the advisor, auditor or implementer? Your role will determine the answer you should choose.
- For multiple choice questions, it’s usually easier to eliminate two of the four options; selecting the right option from the remaining two is where the difficulty lies.
- The questions often mention “first” or “best”; this is very important when choosing the answer. Multiple options may be right, but only one will be “first” or “best.”
- If “first” is not explicitly mentioned, choose the option that is the root cause. For example, if option A leads to option B and both are correct answers to the question, choose option A.
- If you’re stuck on one question, mark it for review and move on. There’s enough time for you to revisit it later.
- Take frequent breaks. Four hours should be enough to answer all 150 questions and review them. Use the time wisely to pace yourself. I personally took a break after every 50 questions.
- Ensure you answer all questions. There are no negative points for wrong answers, and even a completely random choice has a 25 percent chance of success. Best of luck!
My motivation to pursue ISACA’s CRISC certification was to improve my skills, knowledge and understanding of enterprise and IT risk management.
The CRISC exam is the most rigorous assessment available to evaluate the risk management proficiency of IT professionals, and CRISC is among the leading GRC certifications, according to CIO magazine.
During my career, I have worked at different enterprises in IT/IS at various functional levels. I hold PMP and GCIH, which I consider to be significant factors in passing this exam.
Despite the fact that my preparation time for the CRISC exam was relatively short, I strongly believe in proper planning, execution and monitoring to succeed in any endeavor, no matter the amount of time you have. I am delighted to share with you some tips and advice on how I prepared for the exam:
- Do your own research about the certification that you are interested in. One of the best starting points is to check the ISACA website; all information that you need should be available there. Then, speak with your trainer, or others who are being certified, and ask for some assistance.
- To get all ISACA benefits and discounts on certification exams, including CRISC, become a member.
- Start with the official CRISC study materials (Review Manual, Questions, Answers and Explanations), and make sure to get the latest editions. Reading the review manual at least twice cover-to-cover was a great help for me, as well as practicing QAEs as much as possible before the exam. It is important to grasp the underlying logic behind all concepts across all domains.
- For more understanding and practice, enroll in a CRISC training course, or you can choose to self-study.
- Continuously evaluate your understanding level, and challenge yourself with questions to bridge any knowledge gaps and weaknesses. Remember: practice makes perfect!
- Don’t stop researching and reading while you study from various sources. Risk management is full of abstract concepts. I found these resources valuable for preparation: The Risk IT Framework, Measuring and Managing Information Risk: A FAIR Approach, and other ISACA publications.
- Go to the exam with a reasonable confidence level and an understanding of the risk management process cycle. Remember: confidence can make or break any exam!
CRISC is an important journey in my professional life, and I appreciate it much more than before having gone through the process. I posted more tips here after I passed the exam.
I wish you much luck with your CRISC journey!
New highly validated data from 3,305 employers reveals that the average cash market value for hundreds of tech certifications is at its lowest point in four years. Meanwhile, pay premiums for non-certified skills in the same period have gained 6 percent in value on average. What gives?
There’s always been a tug of war within employers about hiring tech people with skill certifications versus those who have learned by experience on the job. Eventually the question of comparable pay arises, shining a light on whether certification is a valid factor when measuring a worker’s value or potential on the job. And if it isn’t, then how should employers be assessing skills competence?
Pay disparities between certified and non-certified tech skills
While the performance of ISACA certifications in the compensation landscape has been mixed, as a group they are earning the equivalent of 12.4 percent of base salary in average pay premium, with CGEIT and CRISC earning the most. Compare this to the 7.5 percent average premium across all 466 certs reported in Foote Partners’ quarterly updated IT Skills and Certifications Pay Index™ (ITSCPI).
The fact is, employers have been perfectly willing to throw cash at both certified and non-certified skills for many years, typically in the form of premiums above and beyond base salary. Foote Partners has been capturing and reporting these cash premiums since 2000. Until 2007, certified skills were earning more on average than non-certified skills, but beginning in mid-2007 this trend reversed. Since then, the gap in pay premiums between the two has widened, with 551 non-certified skills now earning, on average, the equivalent of nearly 2 percent of base salary more than the 466 tech certifications tracked at more than 3,300 employers.
Certifications had a long run of consistently losing overall value from late 2006 to 2012. These were dark years marked by charges of fraud in the certifications-testing business and a prevailing opinion by many that certifications were simply too easy to attain, in particular those being offered by vendors to support their product lines. Technology vendors and vendor-independent certifying organizations fought back by adding prerequisites to sit for exams, real-time labs and peer-review panels.
It seemed to work, as certification pay began to rise, although not nearly to the level of non-certified skills premiums, often for the same technologies. More and more management, process, and methodology skills and certifications gained popularity in the growth years for both intermediate and advanced skill levels, and pay continued to rise for both segments until about two years ago.
Average pay premiums for tech certifications recorded in the ITSCPI have most recently decreased in the last quarter of 2018, down 1.8 percent overall. They lost 2.4 percent of their value in calendar year 2018 and nearly 3 percent over the last two years. In the last three months of 2018, 57 certifications recorded cash pay premium losses against 17 gaining value.
Meanwhile, cash pay premiums for non-certified skills increased 0.6 percent overall in October-November-December, with 87 of these skills recording pay premium gains and 72 losing market value. Pay gains have been consistently higher in most quarters in each of the past three years.
Declines in certification market value can be misleading
Certification values decline in the marketplace for a number of obvious and not-so-obvious reasons.
Pay premiums diminish as certifications expire, are retired, or as technology evolves and they are replaced with more appropriate certifications. Since certifications have traditionally been attached to infrastructure tech (networking, systems, security), they have natural market pay volatility: nearly 17 percent per calendar quarter in the past four years. Volatility measures the percentage of total certs that reported a change in value every three months.
There also are certifications for architecture and for processes such as project management, frameworks and methodologies; as a group, they earn the highest average premiums among all categories reported, but they have their non-certified skill counterparts. This subjects them to pay erosion as employers feel more confident measuring talent in these disciplines based on work experience, especially at intermediate and advanced certification levels.
Non-certified skills can be found in far greater numbers than certifications in other segments such as programming and applications development, web, and database. Again, employers devise their own ways to judge proficiency in these areas; for example, coding tests, evaluating past work experience, references, and trial-to-hire employment. They drive down certification values by building their own robust internal training and development program, in effect devising their own certification programs.
There also remains a lingering bias that passing a proctored exam does not necessarily confer onto the test-taker an expertise in a subject, especially in cases when the pass rate entails getting only 70 percent of answers correct. Adding a laboratory requirement only works if the lab is a sufficient test of a candidate’s capabilities in the real world.
But, in a counterintuitive twist, cash market value can be a victim of a certification’s success. As interest in a certification escalates and more people attain the certification, the gap between supply and demand for the certification narrows, driving down its price as the laws of scarcity would dictate. This has been documented in the case of hundreds of certifications over the almost two decades of Foote Partners tracking and reporting cash pay premiums. The media rarely recognizes this contradiction in its reporting.
Perhaps the most common reason for certification values falling is a fundamental weakness that persists in the certification industry: a vast number of popular tech skills simply do not have a certification associated with them. No vendor owns the particular tech with products that are supported by certification training necessary to ensure sales and upgrade investments.
And what about so-called soft skills? Employers often are just as willing to recognize their value with pay premiums both inside and outside of salary, especially if they are combined with hard tech skills and industry, domain, or customer knowledge and experience.
Author’s note: For more information on certification market value in 2018, view this news release summarizing our latest IT Skills Demand and Pay Trends Report.
Editor’s note: The ISACA Now blog occasionally highlights the impact ISACA certifications have in the evolving business landscape, as well as how certifications have impacted individual members of the ISACA professional community. Today, we profile Marco Schulz, CISM, CISA, CGEIT, CEO at marconcert GmbH (Germany). For more information on ISACA certifications, visit www.isaca.org/certification.
ISACA Now: What motivated you to pursue your CISA certification?
As a CISO, I was subject to internal and external reviews for many years and impressed by the instincts of some natural-born auditors. When I took a new supervisory role, I had to conduct on-site audits of subsidiaries around the globe and I suspected I needed to learn some basics before comfortably leading bigger audit engagements. Oh, and there was still some space left next to the CISM on my business card.
ISACA Now: What was your biggest key to success in passing the exam?
Undoubtedly it was my professional experience. When I took the CISA exam in 2008, I had already worked in information security for 12-plus years. From the CISM exam the year before, I was already familiar with the line of questioning and – I should probably not confess – went to the exam with only very little preparation.
ISACA Now: How does the knowledge you gained through CISA fit in with the current technology landscape?
In my view the general IT audit principles have not changed much over the decades. In the meantime, the complexity of technology and its business relevance have gone through the roof. More than ever, a risk-based approach and continuous compliance monitoring are needed to manage IT compliance in a cost-effective manner. The CISA knowledge domains support these objectives and are regularly updated to incorporate major business changes.
ISACA Now: How has the CISA helped advance your professional development and career objectives?
The CISA designation helped me to demonstrate IT audit competencies. It was also a formal prerequisite for some client engagements.
ISACA Now: What does it mean to be part of a global network of ISACA-certified professionals?
Even though I enjoyed speaking at ISACA conferences at times, I had been a rather passive member for many years. But in November 2018 I decided to engage in the German chapter and started to manage our social media accounts on Twitter, LinkedIn and a closed member group on XING. Today I am working from the German chapter office in Berlin, where recently I was dining with the president and the CEO of our Kenyan chapter. I like the professional and personal exchanges in our community and call some ISACA members my friends.
Anyone can succeed with the right information and tools. One of the best ways for information systems professionals to ensure career success with all its attendant benefits is to earn ISACA's CISA certification. The CISA certification has made a tremendous difference in the lives of thousands of people across the globe. In fact, it is one of the certifications that will retain its relevance because of several drivers discussed below.
Increasing criticality of information. Decades ago, traditional assets like land, buildings, oil wells, gold and cash used to be the main considerations for businesses. In this century, it is possible to run a multi-million dollar business with a single laptop and internet connection. Data life cycle management has become extremely critical to the survival of businesses. For organizations regardless of size or geography, information is the business. Because of their expertise in the areas of IS audit, controls, assurance and security, CISA certification-holders will continue to be in demand, as they have been for the past 40 years.
Increased sophistication of cyberattacks. Denial of service, ransomware, phishing, spam, zero-day attacks and other threats are becoming rampant, causing extensive losses to individuals and businesses. Research has shown that businesses lose up to 5 percent of their annual revenue to fraud and irregularities. This reality is prompting many businesses to implement preventive controls by hiring CISA certification-holders to provide assurance on information security and risk management.
Improved governance awareness from boards of directors. ISACA frameworks such as COBIT, Val IT and Risk IT have yielded considerable fruits as business leaders have become more open to the alignment of IT and the business. This commitment from boards of directors is making approval of funds and setup of assurance functions easier than before for many organizations.
Increasing pressure from the regulatory authorities. For many businesses, it is no longer business as usual. Regulators are coming up with stringent rules with dire consequences in cases of non-compliance. The Sarbanes-Oxley Act (SOX) changed the face of corporate reporting in the US, with ripple effects felt globally. More recently, this year, the General Data Protection Regulation (GDPR) began affecting businesses that process personal data of European customers. In order to ensure compliance, businesses will need the services of CISA-certification holders for implementation and audit of the processes.
Increasing relevance of standards and IT frameworks. Certifications and frameworks by bodies such as the International Organization for Standardization (ISO) are fast becoming tools for competitive edge. Globalization is shifting the advantage to the customers, who can be more discerning in their purchase decisions. ISO 27001, ISO 22301, ISO 20000, ITIL, COBIT 5, PCI DSS and other frameworks are being implemented as a result of regulatory directives and as an agent of differentiation. This trend is creating opportunities for CISA certification-holders, who are hired to implement and audit the related considerations.
Increasing disruptive trends in computerization. The reduction in pace of digital change is nowhere in sight. We are now talking of smart cities, e-government, blockchain technology, mobile banking, and so on. Artificial Intelligence and robotics engineering are taking over the manufacturing and aviation sectors. The increased dependence on technology will ensure that CISA certification-holders continue to be needed for assurance and security functions. The certification is being updated to keep pace with the changing technology environment.
With all these benefits for CISA certification-holders, you should consider taking the CISA exam. Here is some guidance on approaching the exam:
Attend an online or classroom lecture. I am an advocate of learning from CISA veterans who can share their own academic and field “war stories.” Their experience can position you to pass with ease.
Master the knowledge statements. Every domain has task and knowledge statements. The task statements contain tasks you should be able to carry out at the end of the study. The knowledge statements contain knowledge you are supposed to have at the end of the study. After reading through a domain, review the knowledge statements to determine if you understand the required concepts. In order to ensure that you have mastered the concepts, read through the CISA Review Manual at least twice (I did it thrice).
Realize that the database is non-negotiable. It is difficult (perhaps impossible) to pass the CISA exam without effectively using the database. Read through the database at least twice. Do not cram the answers. Focus on the detailed justifications made in determining the correct answers.
Choose your answers using the elimination method. The greatest challenge with the CISA exam is that there are similarities among the answer options. This is where many candidates make wrong decisions. Do not just pick an option that “jumps” at you. Analyze each option carefully and justify its correctness or incorrectness based on your knowledge of CISA concepts.
Get practical IS audit experience. Having practical IS audit experience will help you to pass the CISA exam with ease. Arrange for a relevant internship, part-time work or full-time work. If this is not possible, interact with professionals, attend ISACA local chapter meetings/conferences and read articles written by IS audit veterans.
In conclusion, the CISA certification will open doors for global opportunities. Thousands of CISA-certified professionals all over the world will confirm to you that CISA is an investment worth making – perhaps now more than ever.
Of all the certifications represented annually in the Global Knowledge IT Skills and Salary Report, ISACA is more prominent in our top-paying certifications list than any other. This year, ISACA occupies five spots in the top 20, including three in the top six worldwide.
ISACA is associated with two important truths for business technology professionals:
- Enhancing a wide range of careers
- High salaries
ISACA’s certifications in cybersecurity and governance produce the highest salaries. This is in line with our overall salary data, as governance ranks second and security fifth in average global salaries by category.
Here’s a list of the five top-paying ISACA certifications for 2018 (average salaries are for North America):
1. CGEIT: Certified in the Governance of Enterprise IT
Average salary: $117,544
CGEIT is the top-paying certification in the United States and ranks third worldwide ($92,821). Its North American salary is 34% higher than the average for all certified professionals. This certification is designed for individuals who manage, advise or provide assurance services around enterprise IT governance.
Tenure is among the reasons CGEIT-certified professionals typically have higher salaries. To take the exam, an individual needs at least five years of experience in at least three of the five domains the certification covers, including at least one year in the IT governance framework area.
2. CRISC: Certified in Risk and Information Systems Control
Average salary: $107,968
CRISC ranks sixth in North America and second worldwide in average salary. Its average salary is 23% higher than the average for certified professionals. CRISC is a risk management and security credential designed for IT professionals, project managers and others whose job it is to identify and manage IT and business risks through information systems controls.
Globally, six security certifications made our top-20 list, with CRISC trailing only CISSP in average salary. Cybersecurity positions in general pay well, with the average among North American respondents at $101,083, which is more than $13,000 above the average.
3. CISM: Certified Information Security Manager
Average salary: $105,926
CISM ranks seventh in North American salary and sixth globally. It’s aimed at information security management professionals, focusing on security strategy and assessing the systems and policies in place. To take the exam, certification candidates are required to have at least five years of experience in IS, with at least three as a security manager.
It’s now common that many government agencies require their IS and IT professionals to have a CISM certification.
4. COBIT 5 Foundation
Average salary: $102,112
This premier governance credential has a North American salary that tops $100,000 and a worldwide salary that ranks 11th overall ($77,300). COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT.
ISACA’s governance credentials (COBIT 5 Foundation and CGEIT) are two main reasons why governance certifications have the second highest average salary globally ($84,420).
5. CISA: Certified Information Systems Auditor
Average salary: $97,117
CISA ranks 13th in the US and globally in average salary. It’s also the most popular certification amongst our survey respondents, with 1,923 CISA-certified professionals. The CISA is perfect for individuals whose job responsibilities include auditing, monitoring, controlling and assessing IT and business systems. The exam tests the ability to manage vulnerabilities.
Originating in 1978 and now in its 40th year, CISA is ISACA’s oldest certification. It requires at least five years of experience in information systems auditing, control or security.
Last year, I passed the Certified Information Security Manager (CISM) exam and, surprisingly to me, earned the top global score. It is a great achievement for me in my professional educational activities, and I was glad to be recognized at the 2018 EuroCACS conference in Edinburgh, Scotland. Below are some insights and guidance from my experience that I hope will be useful to other CISM candidates.
Why CISM certification is important for me
CISM is a worldwide-recognized certification and is of great benefit for me as an information security professional and for my organization. It helps me to advance my career and be recognized among other information security practitioners.
In my professional activities, CISM certification helps me to adapt and adopt best practices, standards and frameworks that best fit my organization and align our information security program with business objectives and regulatory requirements. In addition, it helps my organization get competitive advantages, provide our customers with professional expertise, secure products and put in place advanced security services that meet their demands.
If you decide to take the CISM exam and become certified, it would be a good incentive for your professional growth and great opportunity to advance your career.
I would like to share some tips for preparing for and passing the CISM exam that may be useful for you.
Before you start
I recommend identifying the study materials and additional resources you’ll need to prepare for the exam and accomplish your goal.
I used the following study materials:
The CISM Review Manual helps to refresh your existing knowledge in the field of information security and also get additional knowledge and relevant information. The CISM Review Questions, Answers and Explanations Database is a very useful resource during the preparation and before passing the exam. It helps you evaluate the level of knowledge in each CISM domain and test your readiness for an exam. It also helps to test yourself in conditions that mimic the actual CISM exam.
This might be enough if you already have a broad knowledge and work experience in the field of information security. If not, ISACA’s exam prep courses and additional resources may be useful. You may also join the CISM Exam Study Community to connect with other professionals who are on the path to CISM certification or have already successfully passed the CISM exam.
Preparing for the exam
During the preparation for the exam, I reviewed each domain in the CISM Manual and then answered relevant study questions in the Q&A Database after each domain. After the full preparation, it may be useful to dedicate additional time to:
- Go through the study materials one more time. You may spend several additional weeks, but it can have a good effect.
- Try to answer problem questions again (Q&A Database provides this function) and make sure the underlying concepts and knowledge statements are clear to you.
- Make several attempts to pass a full CISM exam (150 questions) to determine if you need to adjust the time needed for answering the questions. Test yourself in conditions as close to the real certification exam as possible. It will help you to avoid time issues during the exam.
After the exam preparation, you should have a strong understanding of the underlying information security management principles, concepts, methodologies and frameworks. Try to map the study material to real-world tasks and scenarios to better understand the knowledge statements and how they can be applied to accomplish your work tasks. If you don’t have enough experience, you may contact other professionals and experts in your organization or in your professional community.
Taking the CISM exam
Before taking the exam, I recommend reviewing the exam information and recommendations regarding the exam process and time management contained in the CISM Review Manual.
During the exam:
- Try not to spend additional time on problem questions where the answer is not clear until you have completed the ones with which you are more confident.
- Bookmark problem questions so you can quickly return to them later to review your answers.
- If you have additional time after answering all the questions, review bookmarked questions and check your answers.
After passing the exam
If you successfully passed the CISM exam and became certified, do not forget about continuous professional educational activities. It is especially important in such rapidly changing business, regulatory and technology environments. In addition, ISACA conferences and online events may be beneficial for you.
I hope some of these tips are helpful on your path toward certification. Good luck!
The Certified Information Systems Auditor (CISA) certification has truly benefited my professional aspirations.
In 1997, when I transitioned from active duty as a Captain in the US Army, I had a 10-year-old computer science degree and not a great deal of experience in corporate America, particularly in the financial services industry. The extent of my background at that time was having an IRA. Fortunately, I was able to gain an entry level position as an IT Auditor at Prudential Insurance Company of America (now Prudential Financial) in Newark, New Jersey, through their junior military officer (JMO) hiring program.
It became very clear that on-the-job training was not going to be sufficient for me. During my first couple of months, I concluded that pursuing the CISA professional certification would give me the jump-start I needed to gain a baseline understanding of IT audit and risk management, IT general controls, and IT auditing—especially with regard to assessing applications and the technology environments they resided in. Studying for six months, two nights a week and a number of weekends, becoming a member of my local ISACA chapter, and taking full advantage of the available local chapter CISA preparation courses and materials enabled me to successfully pass the CISA examination and become a credentialed IT audit practitioner.
The professional payoff was immediate for my career development. Understanding IT risk management and associated controls to establish or maintain a well-controlled IT environment served to differentiate me from others in competing for positions and, honestly, just helped me be more successful in meeting or exceeding expectations. While these foundational audit and risk management skills helped to launch my IT audit career, more importantly, they also served to enhance what I had to offer in other risk management and project management roles.
As a result of increased threats to the digital processing environments and subsequent increased regulatory expectations, financial services companies gained an increased appreciation for employees who have the skills that the CISA certification fosters. Since my initial IT auditor role, I have continued to leverage the knowledge and experiences gained through not just the efforts required to gain the CISA certification, but also through completing required continuing education to stay abreast of emerging technologies and becoming a more active participant in ISACA-provided training (such as webinars, local chapter offerings, and attending or presenting at national conferences).
Whether managing IT or operational audit responsibilities at Wachovia, Wells Fargo, or TIAA, a mission-based company where I am fortunate to currently work, or performing project/risk management roles at previous employers such as Goldman Sachs and Ernst & Young, having an IT audit and risk management perspective has been a huge component of my personal success. I am grateful that for 40 years, ISACA has continued to provide the CISA certification, and I encourage all my employees and mentees to pursue the CISA to grow as professionals.
After I passed the CISM exam late last year, ISACA offered to let me share my experience of how (and why) I chose to become a CISM, and what I did to accomplish my goal. I hope this article provides some useful ideas to help you go after your professional development goals, as well.
Why the exam mattered to me
GSWS is a small business that provides cybersecurity and compliance-related services to other small and mid-size organizations in the Southern California region of the U.S. Our clients include optometrists, dentists, CPAs, attorneys, etc. – I mention this because our work environment isn’t like that of a lot of other CISMs, who are employed by much larger organizations.
Our clients are woefully unprepared for the type of cyber risks they face on a daily basis. They are highly skilled within their respective trades, but they have no clue when it comes to understanding cybersecurity. They rely on us to provide this knowledge, experience and these solutions. I needed a way to ensure my skills were of a high level and to communicate our qualifications to clients and prospects in an easy-to-understand way.
I was familiar with www.cyberseek.org, but when revisiting the site, I saw how highly the CISM and CISA certifications were recognized. I had recently joined ISACA and passed the CSX-F exam, which gave me some degree of familiarity with how ISACA works. That’s when the CISM and CISA certifications became the obvious choices for me. I chose to go after the CISM first.
How I studied
In preparing for the exam, I used the following resources:
Depending on your budget, select what is best for you. I was fortunate to have access to all these resources.
Some additional recommendations to help you prepare for and pass the exam:
- Get involved in your local ISACA chapter. Your local chapter is a great resource for support from experienced peers who want to see you succeed.
- Understand the principal intent of the domains covered. Many times in dealing with a cybersecurity issue, we are faced with more than one option, so the goal is to select the best option. Questions on the exam are set up in the same manner.
- Don’t shoot for a perfect score. I suppose some of you can score an 800, but perfection is not necessary. The exam’s intent is to show that you have an understanding and competency – not perfection.
- Use the ISACA online Question Review Database. The database includes 1,000 questions, tracks your progress, allows customization of questions by domain, number of questions, more difficult questions, etc.
- Study when you are in different moods. Try studying and taking practice tests when you are fresh, tired, happy, sad, stressed, relaxed, etc. While it’s inevitable you will have more anxiety on test day, seeing questions with different mindsets ahead of time helped me mentally prepare for anything.
- Practice real test simulation exams. As it gets closer to your exam date, use the online Question Review Database to take some tests under conditions that mimic the actual exam – for example, four hours to answer 150 questions. That will build your mental calluses for the big exam.
I hope this helps. I’m scheduling for my CISA exam in April and studying for that now. My preparation for the CISA is identical to what I’ve described in this article. Good luck to you!
I recently received my CGEIT exam result, with a final score of 557. It is not an elite score, but it surpassed the required passing score of 450. I was happy with this result, and glad about my CGEIT learning journey.
For me, each autumn is a yearly planning and budget discussion season. It has become harder to balance all stakeholders’ expectations and to keep pace with the fast-changing business landscape. Through CGEIT preparations, I could verify my perceptions, discover theoretical systems to support my ideas, and find more methods to convince others.
Let me share my lessons learned in preparing for the CGEIT. I hope it is helpful for your preparations.
For me, the “journey” took about two months, from getting two books – the CGEIT Review Manual and CGEIT Review Questions, Answers & Explanations Manual – to passing the exam. Because my daily job is very busy, I estimate I spent about 30 hours in total to read the books and other related materials.
My approach was:
- Quickly go through the CGEIT Review Manual, and find the knowledge gaps
- Read the related materials to fill knowledge gaps (most of the related materials can be found at the end of each chapter under “suggested resources for further study”)
- Use the material from the CGEIT Review Questions, Answers & Explanations Manual; conduct a rehearsal
- Based on the rehearsal result, review the CGEIT Review Manual.
Note: As everyone’s knowledge gap is different, the time required for step two will vary widely.
Candidates have four hours to answer the exam questions. I spent about 130 minutes to complete the 150 questions. Everyone should have enough time to complete the exam. The questions are designed very well to match real business situations. If a candidate has the capability to make a proper business decision in his or her daily work, getting the right answer is no problem.
Lastly, I want to recommend three other resources for candidates who want to start the CGEIT journey.
- COBIT 5
- The Val IT Framework
- The Risk IT Framework
Good luck with your CGEIT journey!