Getting CISA. The history of one certificate and help to those interested

    This story is about how I obtained the CISA certificate, became a Certified Information Systems Auditor and joined the army of more than 100,000 professionals (according to ISACA itself). In general terms, I think the same story applies to CISM, CGEIT and CRISC.

    The certification is fairly popular. Judging by the turnout at the exam, many people in Russia sit it, yet there are few materials about how to prepare and few personal accounts of the process. I decided to fix that.

    I hid my personal experience with this certification under spoilers, so that a wall of text would not scare off people who dropped in by accident and just want to skim the whole article. Lovers of detail can expand the spoilers and enjoy my verbose reflections.

    And here is the first one. About myself
    I have a higher professional education in information security, work experience in a state organization and in the information security department of one of the Big Three mobile operators. Today I work as an IT and IS auditor and plan to develop further in this direction.

    Why CISA?

    CISA is highly regarded around the world and is slowly making its way into Russia. It is a good help when applying to international companies (although it will not replace experience). In ISACA's certification line the auditor certification is also the first step on the path to CISM, which is already a recognized requirement for senior IT or information security managers. Finally, a feature of CISA is the breadth of the material, which will be useful in any case.

    How I got to this ...
    Before I came to the decision to get certified, I had worked through a large number of materials in related fields. Among the most interesting ones that caught my eye over the past year (actually six months, since preparation began later) were: ISO 27001 (I cannot call it the most interesting document, but it is certainly a must read), NIST Special Publication 800 (a series of information security documents from the American institute), COBIT 5 (this is more about IT, but very useful), ISAF 2 (this one is purely for auditors).

    What it costs

    First of all, the question arises: how much will it cost? Here it makes most sense to give prices in dollars, as they stay relevant and objective. I was lucky and managed to pay for the bulk of it in January, before the Crimea events, when the dollar had not yet jumped to its current 36 rubles (it was still 35 when I started writing this article ...).
    1. New Member Fee Online + 10.00
    2. Russia Chapter (for 2014) + 10.00
    3. Basic Membership Dues (for 2014) + 135.00
    4. Bookstore Purchase (books) + 171.00
    5. 2014 June CISA Exam + 495.00 - 75.00 - 50.00 = 370.00
    6. CISA Practice Question Database v14 + 185.00
    7. CISA Application Processing Fee + 50.00
    Total = 931.00

    Of the preparation materials I bought everything available (in English; there are also Japanese, French and other versions ... there is no Russian one, and that is a good thing). The complete set offered by ISACA includes:
    1. The official review manual for the exam (book).
    2. The supplement of new questions for 2014 (book).
    3. The question database for 2014 (software).
    More about them below.


    1. Get the discounts by becoming an ISACA member (membership is paid, but the member discounts on the exam and materials largely offset the dues).
    2. Buy the materials and everything else as early as possible: the earlier, the more you save.
    3. If your employer pays for your certification, that is a pleasant bonus.
    4. The official materials alone are enough.

    The discount story
    One small discount episode is worth mentioning here; it gave me $50 and a large portion of respect for how ISACA is run. When I paid $420 for the exam (with the $75 early registration discount), that same evening I received a letter from ISACA cheerfully informing me of a personal $50 discount on the exam. That is almost 1700 rubles, which is also money, and it was a bit annoying to get it a little late. After half an hour of considering cancelling the transaction and paying again with the discount, I concluded that this was the wrong way to go about it. Instead I simply wrote to support that I had paid for the exam, had forgotten to use the personal discount code, and quoted the code in the letter. I did this more out of hopelessness than in expectation of a real solution. To my surprise, support, without any further questions, told me the missed discount would be refunded to my card. Which happened a few days later. I was humanly pleased.

    (Image: theory and practice, a cartoon about strong encryption and "cryptanalysis with a soldering iron".)

    About Theory

    The exam is taken after self-study. The Internet also offers courses, fairly expensive ones of course, which promise to cover the material of the entire exam in five days. I will not follow the principle of "I have not read it, but I condemn it", but I dismissed this option for myself immediately. So preparation is entirely on your own.
    The theory consists of five domains, described on the official website. In a sense I was lucky, because my professional education and main practical experience fall into the information security domain (Protection of Information Assets), whose share of the exam is almost a third. That means questions from this domain come up more often, and it was easier for me, since I know this topic more than well.
    Now about the official manual. There is a lot of theory: the book is more than 300 pages in small print. The text is quite lively and compares favorably with dry standards. At the beginning of each domain it describes the competencies covered and the practical tasks for which those competencies are needed. At the end of each domain there are sample questions so you can evaluate yourself by answering a few of them.
    The information in the manual is very detailed and useful. It lets an engineer look at project management issues, and a manager, for example, at change management issues. Naturally, the depth of the material is far short of specialist literature, so the section on your own specialization will read twice as fast.

    How I prepared
    Having chosen the summer exam held in June, I decided to start preparing 5 months in advance. As it turned out later, this is much more than the forums advise. However, this approach produced a result, the certificate was obtained, so I believe I chose the right path.
    In most CISA preparation reviews you will read that the official materials are enough. I can now confidently confirm this, especially if you have a good technical background.
    However, I not only decided to prepare for 5 months, I did it successfully and almost daily. Stability, regularity, constancy: all this is the key to a good result (as in any training). In mid-January I paid for the books, and so as not to wait until they arrived (in my case the wait lasted more than a month) I began reading the 2013 manual found on the Internet. According to experienced people, most of the material has not changed over the year (nor, in fact, over two or three).
    Below is an example of the schedule by which I prepared and motivated myself (in the columns I entered page ranges, skipping blank and introductory pages). On average it came to about 4 pages of the official manual per day, which for a foreign-language text in small print was enough, especially if you do not just read but try to understand and remember. As a result, thanks to the good quality of the text and its "liveliness", my vocabulary noticeably expanded.

    I calculated that I would finish the whole theory by May and could then devote a month and a half to working through the question database.
    It worked out roughly that way, although the May holidays, as usual and as I suspected, completely derailed the training despite any super-motivation.


    1. Regularity is a prerequisite for success.
    2. Allow time with a margin; in a couple of months it will be difficult to prepare fully. Reading 4 pages of the book a day will take you more than 3 months, and that is without days off.
    3. Find as much motivation as you can. This is individual. I built a schedule and encouraged and controlled myself as best I could.
    4. Protect yourself from everything that distracts you. For example, I finally left my "wife", WoT.
    5. Try not to burn out. Take a break once or twice a week, but remember that you will have to increase the load on the following days.

    Practice with the software

    The question bank consists of two parts. The first is a book with 100 new questions (updated every year), with detailed explanations of the answers and a couple of answer sheets like those used in the exam, so you can run a paper simulation of the exam. As in the exam, the questions are mixed across topics; difficulty ranges from obvious to hard.
    The second is a question database supplied on disc or simply downloaded as a 76-megabyte installer. If you live in Russia and do not trust the post, are tired of waiting, or have an ultrabook without a drive, choose the second option. The database contains about 1100 questions, including those from the paper supplement for the year, so if you wish you can save by not ordering the book version. In the database most questions have fairly detailed explanations of the answers. There are various training modes, including the Personal Professor adaptive system, which itself selects the questions you need to practice (more on this in my experience under the spoiler). There are also modes for selecting questions by domain and by various criteria (not yet seen, answered incorrectly, etc.).
    The main feature is a software simulation of the exam: 4 hours with a countdown, 200 questions and no explanations for the answers. Diablo 3 hardcore mode.

    How I worked with the question database
    I bought the question database back in March, as soon as it became available (it went on sale later than the main materials).
    However, I carefully kept the installer untouched until the May holidays, believing it was better to read the entire manual first and then run through all the questions at once. After finishing the preparation, I thought it might have been worth answering 50-100 questions from the database for each domain right after reading its material in the manual. Perhaps that would have helped me understand and remember the basic principles better. However, I am not sure that all of it would not have been wiped out by the subsequent domains.
    The question database is a dedicated program that lets you track your progress as you answer questions, choose training modes, and so on. An excellent tool; without it, successful preparation for the exam seems unrealistic to me.
    The database lets you understand the basic principles of how the questions are constructed, since the questions are often a little unusual. As everyone knows, in the vast majority of cases the questions do not ask you to pick the right answer from wrong ones, but the most appropriate option, or, for example, the least bad one. From these questions you will also pick up basic ideas, such as: human life comes before all other values and goals (for example, when checking the availability of security systems during a disaster); audit evidence must be sufficient and reliable (before reporting any violation it is necessary to collect sufficient, reliable and strong evidence); and so on. These concepts make it easier to find your way through questions when in doubt.
    The overall training design lets you take the adaptive Personal Professor course, in which the program itself selects questions and domains for you, mixing them in roughly the proportions of the exam. It is also possible to answer questions from a single domain, etc.
    At first I went through 30-50 questions a day in Personal Professor mode. After each answer the program gives an explanation of the correct and incorrect answers. This lets you learn not only "how to" but also "how not to", which is of course also useful; in this way the testing lets you study the material even while answering questions. However, the Professor periodically brings up old questions for reinforcement. Repetitions make up about 10-20%, and on the one hand this is useful, because "repetition is the mother of learning". On the other hand, the questions become familiar, and after that your head picks the answer not by reasoning but by recalling the question.
    I think it is unrealistic to memorize 1,100 questions with their answers outright, but by a whole range of associations (question length, keywords), right before the exam (after a month of daily practice) I answered more than 50% of the questions on autopilot, almost without thinking and without reading the answers, rather "perceiving" them (looking with a defocused gaze at the whole text on the monitor, like fighters in the ring who catch all their opponent's movements). So towards the end I had to change my training tactics slightly. A week before the exam I had about 300 questions that I had never once answered correctly during training (either I got them wrong or the program had never offered them to me). So in the last week I practiced only on the questions not yet answered correctly; the program has such a mode as well.
    There were questions I answered incorrectly over and over again. My reasoning was at odds with ISACA's. Perhaps because of a lack of experience, the subtleties of translation, or something else. I honestly kept picking at these questions again and again until I understood and remembered the essence of the correct answer.
    The program can also simulate the exam: 200 questions in 4 hours. I took such a test 4 or 5 times to practice stamina and roughly simulate the load. Of course, such training gives only an approximate idea of the exam. Usually I finished in between 2 and 2 hours 45 minutes out of the 4.


    1. At first you can use the Personal Professor mode, but it alone will not be enough.
    2. Go through the entire question database at least once, and be sure to study the explanations of the questions: this is the key to consolidating what you have learned.
    3. Try not only to choose an answer intuitively from your experience and knowledge, but to state the logic of the choice to yourself. This helps consolidate the material on the questions that cause particular difficulty.
    4. Be sure to take the full four-hour simulation of the exam at least a couple of times.
    5. For self-assessment it is useful to take the book's practice exam before studying the theory, then after studying the theory, and possibly after working through most of the question database. This helps you see the dynamics of your learning.


    The exam is held 3 times a year; in 2014 that is June, September and December. Details of the registration deadlines and early-registration discounts are on the official website.
    In Russia the exam takes place in Moscow. Apparently residents of CIS countries where the exam is not held also come here. The Russian ISACA chapter does not have its own venue, so the event is held on the premises of universities or other organizations. The June exam was held at an institute next to Belorusskaya.
    The exam admission letter is a document without which you will not be admitted. It is sent by post and by e-mail so that you can print it yourself. The letter sets out the strict rules of the exam, the grounds for expulsion for violations and other important information. You may not eat or drink during the exam, and there will not be enough time for that anyway.
    The structure of the exam is also described in detail on the official website. First come oral instructions, the collective filling in of the exam forms and answers to questions. Then everyone opens the sealed question booklets (which may be used as scratch paper) and begins the exam.

    How it went
    The admission letter sent by post I have still not received. Probably the customs officers thought the letter from America contained an iPhone. However, the letter is easily printed from your personal account on the ISACA website.
    A subtlety: enter your name on the site in English. The fact that the identity document you show at the exam (your passport) is in Russian is not a problem; this is reliable information from technical support.

    At the exam, things are far less strict than the letter says. The staff of the training center running the exam were nice, Russian-speaking people who answer any question and actively help. In the end it was possible to bring belongings and mobile devices (strictly forbidden by the document), provided they were neatly placed beside your chair. I left everything in the car and brought only my passport, pencils, the admission letter and the car keys. Someone even managed a small snack. One latecomer was let in after the oral instructions had started, although I think a second exception would not have been made. Earplugs and pencils were handed out to anyone who wanted them or had forgotten.
    The start was slightly delayed and the exam began 40 minutes later than planned. The 4 hours passed almost unnoticed and were barely enough.
    In the end I managed to transfer answers for three quarters of the questions straight to the answer sheet, then re-read the remaining 50 questions from the booklet, thought the answers over once more and entered them on the sheet. That left me 20 minutes. Judging by a couple of my neighbours, I was not the slowest, so there really is less time than I expected.
    The questions in the exam are completely different from those in the database. Do not hope to find similar or rephrased questions. The questions seem harder than in the preparation database; perhaps this is stress and exam conditions. Some questions gave the feeling that their topic was not even covered in the manual, although I am sure that is not so. It means that 1,100 questions, even in general terms, did not cover all the material.
    In general, the exam has fewer easy questions such as picking the hash function out of a list of encryption algorithms, choosing the right type of backup data center, etc.
    However, a small share of the questions (perhaps 10-15%) can be answered by the same general principles mentioned above.

    Leaving the exam, I had absolutely no idea of my result. I felt I could equally well have passed or failed. A very unusual sensation, the result of difficult questions.
    Some people who have taken it advise getting drunk and forgetting about the exam until the results arrive. And if you cannot forget, getting drunk again. I was able simply to shield myself from murky thoughts and, by throwing myself into work, to distract myself from it, despite others regularly asking about the result.


    1. It is very important to find your own rhythm and understand how much time you can afford for an easy / medium / hard question. Simulating the exam during preparation helps with this.
    2. Naturally, distract yourself, relax, clear your mind and so on. Most likely it will not work unless you practice yoga.
    3. Find the line between questions to answer immediately and those to come back to. Going through all of them twice is almost unrealistic.
    4. When leaving a question for later, mark at least some option. The intuition that suggested the first answer may be your only guide.

    Preparing the documents

    Exam results are announced after 5 weeks. This is fairly fast; it used to be as many as 8. After that a notification and further instructions arrive by e-mail. ISACA honestly warns that it is still too early to tell everyone you have become a CISA, but provides links to social networks so you can share the news about passing the exam.
    Now the CISA application phase begins. You need to fill in 6 A4 sheets, by hand or through a form in the browser, with the following information:
    1. Work experience
    2. Teaching experience
    3. Education
    4. Certificate delivery details
    5. Confirmation from 2 verifiers

    According to the certification requirements, 5 years of work experience must be confirmed. Part of it can be substituted by teaching experience and part by higher education. I was credited 2 years for my higher education in information security; the rest came from 4 years of real work experience.
    To confirm education you can have the educational institution send a special letter to ISACA, but to simplify the procedure it is enough for the 2 verifiers to confirm it.
    Each of the two verifiers fills in a two-page form stating that they confirm your education, previous work experience and current work experience, and listing the skills (by domain, as in the manual) that you possess.
    After that the scans can be sent to ISACA by e-mail, where a Certification Assistant performs the verification and registers the certificate; this takes up to 8 weeks.
    Together with submitting the documents for certification, another fee must be paid.
    The certificate itself is paper and is sent by regular mail, so you should not expect to receive it quickly in Russia. I hope to get it in a couple of months.

    Actual timing
    Just 2 days short of the promised five weeks, I finally got my result from ISACA.
    I did not put it off: the next morning I filled in the certification documents, scanned them and sent them off, paying another 50 dollars at the same time.
    Only 10 days after sending the documents, an e-mail arrived about the certification and the official CISA title. Time to call everyone and show off the new achievement. A few days later a letter came with a link to an electronic badge that can be shown to all doubters and anyone interested in your certificate. The electronic badge is issued in accordance with the Mozilla Open Badges standard by On the site you need to create a profile in which you can collect such electronic badges from other places. The badge can then be attached to your profile on LinkedIn or
    This is what part of my badge looks like:


    On the whole, the task turned out to be quite doable if approached responsibly. Like most tasks in life, however ...
    Obtaining the certification went like this:
    December 2013 - decision making
    January 2014 - purchase of materials
    January - May 2014 - study of theoretical materials
    May-June 2014 - practice on the basis of questions
    June 14, 2014 - exam
    July 17, 2014 - obtaining results
    July 18, 2014 - sending documents for certification
    July 28, 2014 - receiving certification confirmation
    August 2, 2014 - receiving an electronic badge confirming certification
    Approximately September 2014 - receiving a paper certificate

    P.S. Next time I will tell you how to earn the CPEs that are so necessary to maintain the status. As soon as I have enough experience, of course.
