

Sharing My ISACA Exam Experience


After passing the CISSP examination last year, I felt that CISSP did not go deeply enough into information security governance and risk management, so I decided to go on to take the CISM examination. Later, Mr. Dong, a friend from the financial industry, proposed investing in the field of information security education and training. In order to strengthen my qualifications as an information security lecturer, I continued the original certification plan and went on to obtain CRISC, CISA, CGEIT and other certifications.

The examination plan also used clear target management and sufficient budget preparation, together with disciplined execution, so it went quite smoothly. The total time invested in the four certifications was 61 days, 175 hours in all, an average of about 3.5 hours per day.

I personally position ISACA's certifications at the governance level (in fact, ISACA also deliberately distinguishes between governance and management). The topics covered by the examinations and the knowledge system ISACA has built meet my expectations and needs quite well. CISM is entirely from the governance perspective, that is, from the perspective of management (the board of directors and senior executives), positioning and guiding the role and development of information security. For example, the purpose of governance is to deliver value. Objectives and strategies must be developed from the mission and vision, and strategies must be implemented in combination with a strategy implementation framework (such as PMI's OPM); therefore, we must carry out program/project management, invest resources and measure compliance. Alongside governance, risk and compliance must be considered: an enterprise must be far-sighted in making money, keeping in mind the old teaching that a gentleman loves wealth but acquires it by proper means.


Its challenge is applying the seemingly abstract theory to the practice of enterprise management and one's own work experience. As I have more than 20 years of working experience in the information field, the company has made full use of what I learned in the EMBA over the 10 years since its establishment, and I had just passed the CISSP, so the information security knowledge was still fresh in memory. Therefore, the CISM exam was quite easy and took 40 hours in total.


CRISC was my second test subject. It is a general subject underlying the other ISACA exams. When preparing for CISSP and CISM I had in fact already studied the risk concepts of information security, and I had previously obtained PMI's RMP risk manager certification; therefore, the challenge in preparing for CRISC was how to integrate the statements of the various risk theories, such as those of ISO, NIST, ISACA and PMI. I personally regard information security as a branch of risk management, so I highly recommend allocating more time to risk management, especially the integration of enterprise risk management, information risk and project risk.


CISA is the subject with the most content. It must take governance, management and technology issues into account at the same time, and the challenge is not small. Since most of the CISA content had already been read while preparing for CISSP, CISM and CRISC, only the topics in the audit field needed strengthening; therefore, the CISA exam was passed successfully, with 50 hours invested in total.


CGEIT is basically an examination for IT directors, not for information security; however, its IT strategy implementation is very consistent with PMI's OPM strategy implementation framework. In addition, information security is also highly correlated with IT operations. Therefore, I decided to go on to take the CGEIT exam as the conclusion of my personal learning and growth plan for 2018. After obtaining CGEIT, PMI's PgMP or PfMP certification can be considered, to round out strategy implementation issues more completely and integrate them with strategic planning.


These four ISACA certificates are basically built on a very solid body of knowledge, and may feel too theoretical on first contact; however, interpreting these concepts or theories through your own work experience is a great harvest. For example: your work experience gains theoretical support; if you encounter issues you have not handled before, you have a theory or reference framework to follow; and when communicating with colleagues or customers, having a common or more precise language not only increases your sense of professionalism but also gives customers more confidence.


To prepare for the ISACA exams, I recommend purchasing the official textbooks and subscribing to the official online question bank. Although one can study for and apply to sit the ISACA examinations on one's own, participating in the education and training courses organized by the association or other training institutions can clarify the direction and concepts of the examination, save time, and provide consultation or assistance with applying for the examination, applying for qualification verification and obtaining certification.


Finally, clear goals and a reading plan, time management, communication and support from the company and family, sufficient budget preparation, commitment and discipline toward one's own learning, effective reading methods and teaching materials, and having partners and mentors who take the exams together are all important factors for passing the exams.