Warm greetings to all of you future Information Systems Auditors. If you are intending to, or have decided to, opt for CISA, then congratulations: you have a very exciting and challenging journey ahead. The recent information security incidents have also led to an increased demand for information security professionals, and CISA is one of the qualifications employers ask for. Further, CISA is a well-renowned certification for Information Security Audit, and it is highly sought after worldwide. Also, if you look at current vacancies for Information Security Manager or Information Security Officer, “Preferred Qualification - CISA” always pops up.

But it is necessary to make one thing clear: the CISA qualification will not by any means make you an expert in the information security field. If you already come from an audit background, it will help you apply those audit concepts in the information security field. But that does not mean you will be able to clear the CISA exam with audit knowledge alone. CISA requires you to have general knowledge of information security concepts, but not in depth. However, the broad audit concepts like planning, risk assessment and report writing still prevail.

Let’s Get Technical:

You can check the CISA exam fees on its official site; as of September 2019 the fee is exactly USD 760, which may be subject to change. However, we believe you are really interested in what the CISA exam is all about and how one can clear it. So, let's cut to the chase and look at what CISA really is. You need to score 450 out of 800 to pass this exam, which comes to roughly 56%, and that is not difficult to score if you follow our footsteps in preparing for the CISA exam. But before we share our tips and tricks, let us talk about what the CISA exam is really about and what is expected of any candidate.

If you read the CISA Review Manual for the first time, some of you may get confused. So the following brief introduction will give you a rough idea of what the CISA exam is all about, so that you can plan your approach to your study.

The CISA exam is divided into 5 domains that carry different weights of marks. We list each weight as a percentage beside the title of the domain:

Domain 1: The Process of Auditing Information Systems (21%)

If you are involved in the audit area then you will find this domain very easy; whichever sector you audit, whether IT, financial or regulatory, the basic concepts of audit are always the same. You need to plan the audit, perform a risk assessment, do substantive and analytical testing, and write reports. There are other things like the code of ethics, audit risk and internal controls. If any of these words seems alien to you then, my friend, it's time to get educated with the following book:

Domain 2: Governance and Management of IT (16%)

In the simplest terms, this chapter tells you how IT should be included in the overall organization structure. There should be a Board overseeing the IT function and a steering committee to make decisions about IT issues. There should be a proper IT department structure with clear job responsibilities for the Information Security Officer, Chief Technology Officer and other IT support staff, without any overlapping duties and authorities. There should be proper IT plans and policies that support the overall business objectives of the organization.

Domain 3: Information Systems Acquisition, Development and Implementation (18%)

This section talks about how any IT hardware and software procurement and development should be treated as a project, with a detailed explanation of different project management concepts like planning, budget and time schedule. You also learn about the System Development Life Cycle and the different types of software testing methods. Finally, it talks about electronic commerce concepts like electronic finance, banking and point-of-sale systems.

Domain 4: Information Systems Operations, Maintenance and Service Management (20%)

This chapter provides you with information about the different components of an information system: what network infrastructure is, and what network devices like firewalls, routers and switches do. It also covers other components that are widely used in IT infrastructure. You can say that this chapter is like a glossary or brochure of the different hardware and software components that anyone who claims to be IT literate should know about.

Domain 5: Protection of Information Assets (25%)

This is a far more interesting and important domain than any of the others. You will learn about the different types of information security threats, physical or logical, that may affect information systems, from physical threats like flood, fire and vandalism to hacking, phishing and so on. It also teaches you the mechanisms to protect against those risks.

You can purchase the CISA Review Manual from the link below.


Time to Prepare:

I think two categories of people like to take the CISA certification: those who are already in an audit or risk management career, and those who are involved in IT or IT security. I have written this article so that it would be helpful for both.

For IT professionals

CISA is mainly related to audit rather than IT; I would say it's about 40% pure Information Technology. So, having good knowledge of audit concepts and methodology will help you a long way, and there are unlimited sources you can look into. The other important thing to understand is that how well you grasp CISA depends on your IT background. There are two key ideas that are widely accepted in all organizations: Business and Risk. If your IT background is in developing programs and applications to run the business of the organization, you really need to work on understanding the different risk concepts. It requires a shift in your perspective: you need to analyze things from a risk point of view. For example, if you are looking at a program someone has written, then through a risk lens you need to evaluate whether there is a backdoor in the program, among other things. If, on the other hand, your background is in IT security, then it will be much easier for you to grasp the concepts covered in CISA.


For non-IT people with a zeal for information security

As I said earlier, CISA requires you to have a fair amount of knowledge about information security but doesn't require you to be an expert. For example, you may have never seen a firewall, but if you have an idea of how a firewall works then that is sufficient. Another good example: you may never have written a program in your life, and that's OK; you only need to understand whether the programs were created with management approval and whether any changes to them were properly authorized.

I took the CISA exam in December 2014 and my score was in the top 20% of scorers globally. Since I didn't have any IT background then, this score meant a lot to me. I would like to share my techniques for studying.

1. Read the CISA Review Manual (CRM) multiple times. You want to understand the concepts as clearly as possible. Also, give yourself ample time before attempting this exam. I suggest 2 to 3 months of preparation time will be sufficient to clear this certification.

2. If possible, take some certification courses like Linux or CompTIA A+ if you have never taken any computer courses. Put your focus on the security areas, like how permissions are granted and how privileges differ between users.

3. If you don't have time to take courses, you may want to watch online tutorial videos on information security, like the CBT Nuggets training videos. You can watch them at a time convenient to you.

4. You need to practice with the CISA question database. You may want to give more emphasis to the question database rather than the CRM. However, I think that if you understand the concepts clearly you can attempt any question, since these questions are there to examine your understanding. Right? Always read a question twice before answering, and if your answer is still wrong, try to understand why it was wrong.

5. Before taking your exam, it is generally a good idea to attempt a mock test. It is a simulation of your exam and gives you a brief idea about time management.

6. I think it is best you take a day off before your exam. Put your mind at ease by doing things that you love. This will give your mind time to process all the information. You will see what I mean.


Are You Ready to Be an Information Security Expert?

Thank you for your time.

Below is the video demonstration of everything said above.