Earlier this year, when I earned the last one of the Fab 4 of ISACA certifications – CISM, CISA, CRISC and CGEIT – I decided to write a post about my experience and the lessons I learned along the way. I hope this will be useful for anyone preparing to obtain these industry-recognized credentials.
1. The disclaimer.
2. The motivation.
Several people have asked me why I did it and if there is any value to getting all four of these certifications. I would say that for many in jobs focusing on siloed aspects of information security, the answer is “No”- they would be better served by getting the one or two certifications most relevant to them. But, for an information security and risk consultant like me whose work encompasses a wider universe, there’s definite value in preparing for and getting all of these certifications. At the same time, I believe anyone desirous of expanding his or her overall knowledge in this area will find them useful.
On a more personal note, there’s also a sense of personal achievement tied to this. Balancing client, firm and family commitments in order to study and take these exams was a major motivator.
3. The preparation.
To my mind, the best preparation for getting the ISACA certifications is getting experience in the field. The second best would be to get the CISSP. I believe the CISSP covers a much broader area than any individual ISACA exam and puts one in good stead to ace ISACA’s certification exams later. However, none of these are deal-breakers – you can definitely succeed at the ISACA exams without the CISSP or 12-plus years of experience (like me).
As for the materials I used, I confess that I found the official manuals to be dry. I focused on Questions & Answers databases after going through the free training videos available at Cybrary.it. I would extensively take notes while watching the videos and when reviewing my answers on practice tests using the databases. When reviewing before the exams, I would refer only to my notes.
As many before me have surmised, there IS an ISACA way. Don’t be alarmed; it’s not completely at odds with your knowledge gained from experience, but there may be subtle variations. The best way to understand it is to analyze, with a fine-toothed comb, the answers to the database questions. The wrong answers should also be part of your analysis, as they clearly explain why they are NOT right for a particular question but can be for a different one.
Rule of thumb: if you’re consistently scoring 75 percent in the database Q&A for a particular test, you’re ready for the actual one!
4. The key takeaways.
- IT exists to serve business. Business exists to serve stakeholders’ interests.
- People are the most valuable asset; people are also the weakest link in security.
- Governance is “doing the right things”; management is “doing things right.”
- Security and audit decisions should be risk-based and meet business requirements. Organizational structure and culture are key decision factors.
- The first step before implementing change is to understand the current state.
• Understand the composition and responsibilities of the board, senior management, operational management, IT Strategy Committee, IT Steering Committee and IT Architecture Review Board.
- Understand the composition of the IT Strategic Plan, IT Investment Portfolio, IT Operational Plan, IT Acquisition Plan, IT Implementation Plan, IT Outsourcing Plan, IT Risk Register, Enterprise Architecture, IT Balanced Scorecard, policies, standards and procedures, etc.
- Realize that accountability and responsibility are different things. Usually, the board or senior management are held accountable for security-related decisions. The term “ultimate responsibility” refers to accountability.
- IT strategy should be an extension of enterprise strategy. Enterprise architecture aligns IT strategy with enterprise strategy.
- IT goals should align with enterprise goals. Any IT investment has to be supported by a business case.
- “You cannot manage what you cannot measure” – understand metrics (KPIs and KRIs), how they are selected and measured, and what kind of information they can provide.
5. The D-Day experience.
The best preparation is of little use unless put into practice. Here are some tips around exam day:
- Try to schedule practice tests and the actual exam at the same time of the day. I can’t quote any scientific studies to support this, but I believe the body and mind acclimatize themselves for peak performance during the time you practice most.
- Read the question carefully to understand your role – are you the advisor, auditor or implementer? Your role will determine the answer you should choose.
- For multiple choice questions, it’s usually easier to eliminate two of the four options; selecting the right option from the remaining two is where the difficulty lies.
- The questions often mention “first” or “best”; this is very important when choosing the answer. Multiple options may be right, but only one will be “first” or “best.”
- If “first” is not explicitly mentioned, choose the option that is the root cause. For example, if option A leads to option B and both are correct answers to the question, choose option A.
- If you’re stuck on one question, mark it for review and move on. There’s enough time for you to revisit it later.
- Take frequent breaks. Four hours should be enough to answer all 150 questions and review them. Use the time wisely to pace yourself. I personally took a break after every 50 questions.
- Ensure you answer all questions. There are no negative points for wrong answers, and even a completely random choice has a 25 percent chance of success. Best of luck!