CISA® (Certified Information Systems Auditor) is a globally recognized certification for IS Audit, Control and Assurance. The certification is issued by ISACA, formerly the Information Systems Audit and Control Association; the full name is no longer used because of the wider scope of domains and certifications the organization now covers. ISACA issues the CISA, CISM, CRISC, CGEIT and CSX certifications. CSX is the latest addition and covers the Cyber Security domain.

CISA is the oldest of the ISACA certifications, dating back to early 1978. Over 1.25 lakh people have earned the CISA designation since its inception (as per the ISACA website). It is valued across industries and even mandated for select job profiles. It is amongst the highest paying IT certifications, according to a report by Global Knowledge.

To become a CISA Certified professional, there are 3 key steps:

1. Pass the CISA exam.
2. Have relevant work experience of 5 years (there are certain exemptions to this; for details, visit ISACA).
3. Abide by the Code of Ethics and Professional Standards set forth by ISACA.

This blog post will cover the first of the 3 portions, namely passing the CISA exam.

From 2017, the CISA exam is conducted via CBT (Computer Based Testing). For more info on this, visit the post titled Changes to the CISA Exam Structure from 2017.

Tips to pass the CISA

Use the CRM (CISA Review Manual) judiciously. The latest is the CRM 26th Edition, available for purchase on the ISACA Bookstore. It is a must-have. It is considered the Bible for CISA and, while it is very verbose, it is well laid out, with detailed and well-constructed sentences and apt examples. However, the CRM is not the cornerstone, meaning you will not find questions in the CISA taken directly from the CRM. CISA is a professional certification and it relies more on application of knowledge than on rote learning. Hence, the CRM is to be used judiciously in the sense that you do not cram the various topics but instead understand their usage or application. For example, BCP (Business Continuity Planning) is to be understood from the point of view of how and when a BCP is initiated, who initiates it, what its components are and how it differs from a DRP (Disaster Recovery Plan). If you instead skim around for who invented the BCP or which organizations do or do not use one, you are absolutely wasting your preparation time.

The CISA Review QAE Manual (Questions, Answers and Explanations Manual) is a must-have. You can either pick the 11th edition or take a 12-month subscription to the QAE database. Both are exhaustive and give you loads of domain-wise practice tests with detailed explanations. They also have a full-length mock exam at the end. These are very good resources and a nice confidence booster for your preparation. However, do note that the CISA questions will not come directly from the QAE, for obvious reasons. As a matter of fact, a majority of the CISA questions might look out of syllabus to you in the actual exam. The reason is that while the QAE focuses more on direct questions, the CISA examination tests the candidate's understanding of the concepts. Nonetheless, consistently scoring 80-90% on the QAE has helped many participants feel a tad better prepared and mentally strong while appearing for the CISA.

Online resources, videos or podcasts are another important source of preparation. Online course portals like ApnaCourse.com have self-paced / instructor-led video classes for CISA that are aligned to the CRM. The benefit of doing such online courses is a better and clearer understanding of the concepts in the CRM. As noted earlier, the CRM is quite verbose and it is highly likely that you will lose focus midway. Online video courses can help retain your attention. Visual aids are known to give better attention and retention than textbooks. Thus, it is highly recommended to enrol in a self-paced training program like the one found on ApnaCourse for CISA.

Plan, Plan and Plan: There is no better tool or easy guide for the CISA than a proper plan. The ideal preparation time is 4 months for those who have a background in Auditing or IT Security and about 6-8 months for those new to these areas (assuming you spend around 7-8 hours a week). Define your exam date well in advance and detail your study plan thoroughly. It is good to prepare a Gantt chart of your study plan with week-wise milestones. Buy the relevant CRM and QAE and enrol in an online or instructor-led training beforehand. The plan should run until the date of the exam, so ensure you have significant control over it, including provisioning for contingencies like unplanned vacations etc. that might hamper your study plan.

Avoid online free tests: A simple Google search will throw up tons of free online tests for the CISA. Please avoid taking such tests. Most are outdated or have wrong solutions that will confuse the test taker. The CISA is more application based and hence it is important to understand the concepts thoroughly rather than take scores of tests. The references mentioned in the first three points above are sufficient for the preparation. If you have done the QAE completely, that should be enough.

Do the mock a week before the exam date. As mentioned earlier, the QAE provides 1 full-length mock exam. Do that on the weekend exactly 5-7 days before the actual exam date. Create an exam atmosphere and avoid family disturbances. It is important to recreate an exam situation because the CISA is a gruelling 4-hour-long exam. Most candidates tend to use the entire 4 hours given the difficulty of the exam. Hence, it is extremely important to sit through a mock or simulator exam of similar structure.

In the days after the mock exam and before the actual exam, revise the concepts over and over again. It does not hurt to review the CRM, quickly browse the QAE and revisit bookmarked sections of the online training. But avoid trying to understand new concepts. If, for example, you did not intend to learn about Virtualization during your earlier preparation time, avoid trying to learn it now. It is better to master the domains you are confident in than to venture into newer ones. While there is domain-wise scoring for CISA, there is no minimum mark per domain that a candidate must achieve to be considered a pass. Hence, spend time revisiting and reviewing the concepts and understanding your areas of strength and weakness.

Relax on the day before the exam. It is easy to lose your cool and fret about the exam the next day. However, it is important that you relax and stay fresh for the exam. Drink lots of liquids the day before, energise your body well, watch some TV shows or play a sport and, most importantly, ensure you get enough sleep. Again, the CISA is quite a gruelling exam. Most candidates are in their early or late 30s while appearing for the CISA, so it has been over 8-10 years since they sat such a long-duration exam.

Take some refreshments to the exam hall. The exam hall does provide the basic facilities, including rest rooms and drinking water. You are also allowed to carry refreshments, but they should be kept separately and not on your desk. You can pop in a sugar toffee or take a glucose drink just before the exam. Avoid electronic devices, including mobile phones. Keep them in silent mode and inside your bag. The bag has to be kept in a designated area only and not close to you.

Don't rush to the exam centre. Ensure you have enough time to be there at least an hour before the exam start time. It helps to know the exact location of the exam centre a couple of days prior so you do not get tense trying to find the centre on the exam day. It would also be a good idea to carry a shawl or sweater in case you are asked to sit right under the AC or near a cooler. Most CBT centres get really chilly after a couple of hours. The exam instructions will begin half an hour before the exam time. Ensure you read the instructions carefully. Complete the basic information details before you proceed with the examination.

Take a deep breath and start your exam. If the first few questions boggle you, simply mark them for review and move ahead. Do not waste time on questions you are not sure about. Such questions will only consume your time and create fear in you. You can revisit these questions at the end. Answer those you feel confident and comfortable with.

You will find very few answer choices that can be ignored. Of the 4 options per question, in most cases all 4, or at least 3, will seem to be the right choice. So understand the question keenly. Read the question once, twice and even thrice. A single word or phrase may create a different meaning altogether. Evaluate every answer option and understand why one should be more suited than the others. Keep an eye out for bolded or highlighted words in the question like "MOST", "BEST" etc. Such questions mean that while all answer options are suitable, only 1 option is correct. Ask "Why" of every option choice. This means asking "Why is option 1 correct?" or "Why is option 2 not the right option?" etc. The more you ask yourself "Why", the higher your chance of finding the right answer.

Review the answers before submitting the exam. It is highly likely that the exam was stressful and you are relieved to have completed it in time. But ensure you keep 10-15 minutes to review your answers, at least the ones marked for review or the ones that seemed tricky. Do not force yourself to change an answer. Analyse and understand why a particular option is correct or better suited and the others are not.

Pray to the Almighty and hit the Submit button. Check your provisional result and jump up if you have passed! Until Dec 2016, the CISA was a paper-based exam with a waiting period of 5 weeks for the results to be published. That changed from 2017. The CISA is now online (CBT). For more info, read the related blog titled Changes to the CISA Exam Structure from 2017. This means that you get a provisional score as soon as you click Submit.

Go back home and start the detailed application process. The application includes details of your work experience, waivers if any, etc. It takes ISACA about 6 weeks to process an application, so ensure you start filling it in early and submit it quickly. Only after you have passed the exam and submitted the application will you be approved by ISACA as a CISA Certified Professional.

Hope this blog covered all that you were looking for in your preparation for the CISA. All the very best for your exam! Leave a comment below for any clarification, or a happy note if these tips helped you pass.

Cheers!