Passing the CISA

I took the Certified Information Systems Auditor (CISA) exam and passed. However, how I passed and how I learned that I passed was a little unconventional. First, let's start with how I learned I passed. Normally with exams from ISACA, once you complete the exam you receive a preliminary pass/fail on the screen. When I completed the exam, I was asked if I wanted to complete a survey. This concludes the exam and submits the answers to the testing authority (ISACA). My answers were submitted and I was presented with the survey. However, I could not answer any of the survey questions. The computer froze. The proctor came and made sure that the exam was submitted, and since this was only the survey, they could close out the exam. Since no report is printed and my PC froze, I never received the preliminary pass/fail that is normally displayed. Now I had to wait 10 days to find out if I passed or failed the exam. Exactly 11 days after taking the exam (10 days if we don't count the holiday that fell during this period), I received the exam results report. I passed. Eleven long days of waiting to find out I passed, since I really had no idea because of a computer failure. But computer failures are something we expect in the IT world. I was taking a practice test for another certification and my laptop "blue screened" at question 41 out of 50. In that instance the practice test accounted for the laptop downtime and awarded 3 "extra" minutes after I logged back in, due to the apparent 3 minute crash and reboot cycle.

Now on to the unconventional way I passed. I call it unconventional; it might be normal for someone else. I actually used the following items to prepare and study: CISA Review Questions, Answers & Explanations (QAE) Database from ISACA, CISA Online Review Course from ISACA (Check: ISACA CISA Exam Resources) and CISA (Certified Information Systems Auditor) Complete Video Course by Pearson IT Certification via O'Reilly. Although not specifically exam review guides, I also reviewed the following two books: WHY DO SO MANY PEOPLE FAIL THE CISA EXAM? by Nir Hollender (Amazon) and How To Pass Your INFOSEC Certification Test: A Guide To Passing The CISSP, CISA, CISM, Network+, Security+, and CCSP by Ben Manlisow (Amazon). Before continuing I want to mention that I am not endorsing any of these resources as the best to study and pass with, especially since the job practice areas have changed beginning in June 2019. A little about my background: I am an information security engineer and have an IT/INFOSEC background. When I initially took the quizzes through QAE, I did not do extremely well. I was tackling the problems as an information security professional and not as an information systems auditor. Although an auditor and an information security professional see the same problems, each of them sees them in a different way. Information security professionals have the job of "fixing" the issues. IS auditors have the job of letting you know about the problem and recommending the fix. Basically, information security professionals fix the issues that IS auditors find. So when using the QAE and taking the exam, you need to know and figure out when to answer a question as an auditor and when to answer a question as an information security professional.

Regarding the QAE, I have seen some posts where people had a ready score of 88% and failed the exam. My ready score was 59%. That is definitely not a score you want to have before taking the exam. Honestly, my ready score was actually dropping prior to the actual exam date. I had scores in the 40% range and domain specific scores were in the 40-60% range. I realized that my study path with QAE was not good. I would study after work, and after a long day at work my mind was not able to fully concentrate on what I was reading. After I answered a question, I realized that I didn't actually "read" the question. So I needed to change the way I used the QAE. Do the QAE when you can think clearly. RTFQ (from Ben Manlisow's book), which means (the clean version) Read the Full Question. Understand what is being asked. Read the answers carefully. Understand the responses. The wording of questions in the QAE is similar to the actual exam (Note: questions on the exam are not the same questions as in the QAE). Once you understand this, you will be more ready to take the exam, even if your ready score is horrible.

Next, I studied more of the information that I did not know or knew little about, versus all of the information. This does not mean I did not review the information I knew. I just did a brief review, and Sari Greene's video course helped with this. So I briefly reviewed domains 4 and 5, but studied in-depth domains 1, 2 and 3. To a degree I knew some of the information in domains 2 and 3, since that is information covered in the CISSP domains. But it was a good refresher. So in my case, I knew the technical information covered in domains 4 and 5, needed a refresher for domains 2 and 3 and studied in-depth domain 1, since I did not know the audit process. Interestingly, my exam report reflected that I "knew" more in domain 2 than in the other domains (the exam is weighted, so technically I could have answered the same number of questions correctly for each domain). So in your studying, study what you don't know or know little about. If you are an auditor and know the audit process, but know little about information technology/security, study domains 3, 4 and 5 in-depth. If you are an information security professional with little to no auditing experience, study domains 1 and 2 in-depth. Look at it this way: review all domains, but review in-depth the domains that you could not use to claim experience when applying for certification.

So that is my experience with studying for and taking the CISA exam. Now comes the process of applying for the certification. I hope this information helps you in your study plan. As I mentioned earlier, these resources helped me. Your mileage may vary. Use the resources that you feel will best help you to pass. I also hope you don't run into the issues I did with the computer freeze, the wait to find out if you passed or failed, or the parking ticket issue (another story).