#cybersecurity #auditing #ISACA #CISA #guide #resources
IT certification exam day is an emotional day and the best feeling is when you pass the exam. This has been a long journey towards earning my ISACA CISA certification. I started planning my goals in March 2020, right before the COVID-19 pandemic and during the time I was pursuing my eLearnSecurity Junior Penetration Tester certification. I lost a lot of focus and developed a HUGE case of imposter syndrome. If you are not familiar with imposter syndrome, check out this article about it: https://www.thedataincubator.com/blog/2022/02/23/6-steps-to-break-the-imposter-syndrome-cycle/ It was definitely hard to get back into things, but somehow I got back on track and started grinding on my studies again.
What is CISA?
CISA stands for Certified Information Systems Auditor and it is created by ISACA. This is the definition of CISA from ISACA's website:
"CISA is world-renowned as the standard of achievement for those who audit, control, monitor and assess an organization’s information technology and business systems. CISA can showcase your expertise and assert your ability to apply a risk-based approach to planning, executing and reporting on audit engagements."
The CISA proves your expertise in these five domains:
Domain 1—Information Systems Auditing Process:
Providing audit services in accordance with standards to assist organizations in protecting and controlling information systems. Domain 1 affirms your credibility to offer conclusions on the state of an organization’s IS/IT security, risk and control solutions.
Domain 2—Governance and Management of IT:
Confirms to stakeholders your abilities to identify critical issues and recommend enterprise-specific practices to support and safeguard the governance of information and related technologies.
Domain 3—Information Systems Acquisition, Development and Implementation and Domain 4—Information Systems Operations and Business Resilience:
Offers proof not only of your competency in IT controls, but also your understanding of how IT relates to business.
Domain 5—Protection of Information Assets:
Cybersecurity now touches virtually every information systems role, and understanding its principles, best practices and pitfalls is a major focus within Domain 5.
ISACA has quite a bit of study material to prepare you for this exam. You can opt for their online review course, review manual, or the questions, answers and explanations (QAE) database. The exam cost is $575 for members and $760 for non-members. https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NLEAZ/tiles
My Study Resources
Like all my certification journeys, I always start at Reddit to see what resources others are using and if there are any valuable tips. The one name that was always mentioned is Hemang Doshi. Hemang Doshi is a chartered accountant and a CISA with more than 15 years' experience in the field of information system auditing/risk-based auditing/compliance auditing/vendor risk management/due diligence/system risk and control. A few of his resources are below:
Hemang Doshi's Website: http://cisaexamstudy.com/hemang-doshis-e-books/
Hemang Doshi's Udemy Course: https://www.udemy.com/course/certified-in-information-system-audit/
Hemang Doshi's Official Review Manual: https://www.amazon.com/CISA-Certified-Information-Systems-information/dp/1838989587
Hemang Doshi's Youtube Channel: https://www.youtube.com/c/HemangDoshi/featured
I purchased his review manual from Amazon and was able to get his Udemy Course for free through my company, so that was a little financial relief. Udemy has promotion periods and reduces the price of each course drastically. So if you are a visual learner and this interests you, make sure to set up notifications in Udemy so you don’t miss these opportunities. Hemang's Review Manual was a good resource. He compresses all the relevant material into this manual to cover what is needed for the exam. I wouldn't use it as a sole study guide though. I recommend using it along with his review course through Udemy. A few folks complained that the material in the book and review course did not cover all the new updates for the CISA exam. My only complaint about the course was the inconsistency of the slide deck and audio. There are a lot of practice questions in the review course to really instill the concepts. These are not dumps. None of the questions from his practice questions were in the exam.
I also purchased the CISA's official review manual and the online version of the QAE. I used the QAE for my CISM and really enjoyed this platform. The QAE lets you set your desired exam date to stay on course with your studies. The QAE is good for a year, but you can extend your studies if you need more time. My access was set to expire on November 10, so I was motivated not to extend it. Here is what it looks like:
The QAE questions were challenging, so do not fret if you miss some. The explanation of the right answer is how you learn the concept. So it is very important to know the concept and not remember the answer, because none of the questions from the QAE are on the real exam. I highly recommend you buy the online version though vs the hard book version of the QAE. There is a $100 difference but trust me, you won't regret it.
Exam Day
COVID-19 really changed how we conduct business. Organizations around the world had to adapt to restrictions and implemented collaboration tools like Microsoft Teams and Zoom. Organizations that offered IT certifications introduced remote proctoring to mitigate the spread of COVID-19, which was a huge win for us. My first remote proctored exam was through EC-Council for my Certified Ethical Hacker (CEH) certification. The process was convenient and very easy. No issues at all. I am a US service member serving in South Korea, so when I took my ISACA Certified Information Security Manager (CISM) certification, I had to travel to Seoul, South Korea to a PSI Test Center for my exam. That experience was not ideal. Traveling in South Korea is like being in a Mad Max film. It is non-stop stress and a lot of defensive driving. Plus a ridiculous amount of traffic. So I opted for the online proctoring this time around to avoid all of that. You need a decent camera, speaker, microphone, clear room, clean desk, and ID card to use this option. I purchased a C922 Logitech Webcam since it had a built-in microphone. You are allowed to start your exam 30 minutes before your test time. I recommend conducting a system check before test day to give yourself time to make fixes. You can do this through PSI to make sure your system is compatible.
System Compatibility Check: https://syscheck.bridge.psiexams.com/
You also have to download PSI Secure Browser to conduct the exam. My system was working fine until I executed it. My keyboard immediately went out, but I had no plan to do any typing so it didn't bother me much. You have to do some pre-checks with your camera to ensure you are not cheating. Once that is completed, your proctor will validate everything and release your exam. I was 1 hour into my exam and had about 30 questions remaining when my connection dropped. I was already frustrated because these questions were challenging and I was sure I was failing.
So I called the helpdesk and they were able to reconnect me. I also unplugged my keyboard and installed it again and got my keyboard function back. I started my test again and completed 27 questions when my connection dropped again. Each time you are disconnected, you have to restart Secure Browser to start your test again. All these issues were common in all the Reddit forums, so I expected some faults but not to this scale. This is my last PSI exam while I am here in South Korea. When I return to the United States, and if I decide to pursue ISACA's Certified in Risk and Information Systems Control (CRISC), I will surely drive to a PSI Test Center.
Tips
This is what I recommend for anyone that wants to pursue this exam:
Understand the concepts. If you can find a hands-on auditing course, take it. Don’t try to remember answers, because the questions are not on the real exam.
Auditors don't implement, they identify, test, and document findings.
Auditors must be independent. So remember that when you take your exam.
Understand the importance of policies.
You first check for compliance and then use substantive testing to find errors.
IT supports the business. IT managers' goals should be aligned to the business strategy, so projects are based on the overall business strategy.
Know when to escalate an issue when dealing with an auditee. You never want to burn bridges. Keep things cordial and escalate when required.
Understand firewall capabilities and limitations.
Know the Risk Assessment Steps.
DoD Approved 8570 Baseline Certifications
The CISA is an IAT Level III certification. This was my main goal for this certification. I wanted this certification to be able to work for a specific organization once I transition out of the Army. Ultimately, I just want to know a little bit of everything in Cybersecurity.
https://public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/
My Next Goals
I received a preliminary pass on November 4, 2022, so now I need to wait 10 days to receive my official test results and apply for certification. Once this is complete, I can share my badge on LinkedIn to become a little more marketable. My next goal is to complete my Bachelor's degree in Cybersecurity and start studying for the Splunk Core Certified User and TCM Security Practical Network Penetration Tester certifications. I will also continue learning hands-on blue team skills through the LetsDefend platform.