ISACA vs (ISC)2

NimrodHunterNimrodHunter Member Posts: 42 ■■□□□□□□□□
Can anyone shed some insight on the difficulty of ISACA exams compared to (ISC)2.

Comments

  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    I thought that the level of difficulty was about the same. The question style was similar in both cases. The differences were really about content. The ISACA questions tend to be more process and business focused whereas the ISC2 questions had a little more technical interest.

    My experience was with CISM, CRISC, CISSP so I imagine it could vary based on the other exam content.

    Also - when I took the exams, they were only available as paper based. So if you took the electronic version of the CISSP, that would be one big difference which you may have to contend with. I believe that ISACA exams are still all paper based.
  • NimrodHunterNimrodHunter Member Posts: 42 ■■□□□□□□□□
    My I ask what you used to study/review for CISM and CRISC? I am looking to take both these and CISA with CISM probably last, since I already have CISSP
  • AverageJoeAverageJoe Member Posts: 316 ■■■■□□□□□□
    I've taken the CISM and CISSP, and I agree with Paul78 that the difficulty level of questions themselves is about equal. I found the CISSP to be a little easier for me because I was more familiar with its domains going in.

    In preparing for the CISM I used ISACA's CISM Review Manual and William Manning's CISM prep book, 2nd edition. I didn't find either book to be particularly riveting, but they did the job. I think there's a much better selection of highly readable CISSP prep books.

    Also, Paul78 is right that the CISM is still paper-based. That didn't bother me a great deal, but I did feel like I was wasting a lot of time trying to get circles colored in right with my number 2 pencil. As it turned out, I finished with plenty of time to spare, so it really wasn't an issue... but I didn't know that early on in the test when I didn't know how long it would take to finish.

    The biggest difference was after the tests! I left the CISSP knowing I passed. I left the CISM hoping I passed, but not knowing for sure until a month later when I received my e-mail notification that I passed. That wait the toughest part!

    Good luck!
    Joe
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    My I ask what you used to study/review for CISM and CRISC?

    I used the ISACA Review Manual and the ISACA Review Q&A. When I took the CRISC, I also purchased the online practice questions a few days before the exam. The actual online practice questions wasn't really very useful and redundant to the Review Q&A. I understand that the CISM practice database is decent but I didn't purchase it.

    Also Joe brings up a good point - because it's paper based, there is a lot of time spent circling in the answers. I recall that for the CRISC, I finished with little time to spare.
  • dustervoicedustervoice Member Posts: 877 ■■■■□□□□□□
    I find Isaca exams to be more challenging not from contents of the domains but the wording of the questions. Isc2 questions are straight forward and clear, you know exactly what they are a asking. On the other hand, Isaca's questions are very confusing at times and the wording is really strange. when practicing the DB questions when an incorrect answer is explained you will think "i had no clue that's what they were asking". Also you must think the isaca way, forget all your real world knowledge! Dont ask why they continue to use PBT.
  • RemedympRemedymp Member Posts: 834 ■■■■□□□□□□
    I find Isaca exams to be more challenging not from contents of the domains but the wording of the questions. Isc2 questions are straight forward and clear, you know exactly what they are a asking. On the other hand, Isaca's questions are very confusing at times and the wording is really strange. when practicing the DB questions when an incorrect answer is explained you will think "i had no clue that's what they were asking". Also you must think the isaca way, forget all your real world knowledge! Dont ask why they continue to use PBT.

    Your comment echo's word for word how I feel about ISACA exams. I couldn't agree more.
  • andhowandhow Member Posts: 151
    I felt that the CISSP exam included more facts about technology and the cybersecurity world. If you have traditional "old school" IT experience, you probably already have a lot of the knowledge from your work in networking, server setup, active directory, firewalls, and all the rest to the understand many of the ISC2 domains. Certainly there were a lot of questions designed to see if you were approaching issues from the perspective of a manager, not an analyst or sysadmin. Example:
    What should a security manager do first when they believe a web server has been compromised?
    1. Engage incident management protocols
    2. Segregate suspected system from the network
    3. Protect system security logs
    4. Notify business of a possible breach
    The answer is almost always to follow the established protocols. Management manages and should not start "fixing" the problem.


    ISACA exams seem to reinforce certain points that they believe are key. For instance, if you get a question that is asking you to choose the most important factor in a security design, the answer is always that it meets the business goal. ISACA reinforces the idea that the business must prioritize legal, privacy, and other factors. The business is accountable for articulating the risk tolerance. The security manager (CISM exam example) is accountable to implement the relevant controls. A lot of people get hung up on this especially if they get a question that asked them what is most important. Example:
    What should a security manager prioritize the highest?
    1. Host nation legal compliance
    2. Privacy
    3. Business objective is met
    4. Compliance with relevant international laws
    Sounds like a no-win question, right? If in doubt, align with the business.

    One thing to know when preparing for the exams is that while understanding the ISACA and ISC2 facts are important, you also need to understand how they expect you to apply the concepts or principles. If you get a question that doesn't have a clear answer, ask yourself if there is a ISACA or ISC2 principle that is relevant.
  • mokazmokaz Member Posts: 172
    I find Isaca exams to be more challenging not from contents of the domains but the wording of the questions. Isc2 questions are straight forward and clear, you know exactly what they are a asking. On the other hand, Isaca's questions are very confusing at times and the wording is really strange. when practicing the DB questions when an incorrect answer is explained you will think "i had no clue that's what they were asking". Also you must think the isaca way, forget all your real world knowledge! Dont ask why they continue to use PBT.

    Well you're correct and honestly i'd define ISACA by "vague and closed". There's only one source for any available study materials, ISACA (which for this only shall have raised my suspicions). You've got to understand the ISACA way, which between us is nowhere on my radar. On top of that the only real difficulty about their exam is that you don't really understand either the question nor the answers, it's like they've got straight questions filtered with old English and applied the vague plugin on top... So honestly i don't really understand any hype about it at all... Although maybe these certs aren't geared toward people in IT but more for the tied up finance folks or such...

    I went through it once and i'm not planning to get back at it.

    On the contrary, I've had a good time at my CISSP.
  • RemedympRemedymp Member Posts: 834 ■■■■□□□□□□
    mokaz wrote: »
    Well you're correct and honestly i'd define ISACA by "vague and closed". There's only one source for any available study materials, ISACA (which for this only shall have raised my suspicions). You've got to understand the ISACA way, which between us is nowhere on my radar. On top of that the only real difficulty about their exam is that you don't really understand either the question nor the answers, it's like they've got straight questions filtered with old English and applied the vague plugin on top... So honestly i don't really understand any hype about it at all... Although maybe these certs aren't geared toward people in IT but more for the tied up finance folks or such...

    I went through it once and i'm not planning to get back at it.

    On the contrary, I've had a good time at my CISSP.

    It's geared toward IT people. The purpose of the CISA is to demonstrate the comprehension of the frame work of auditing information systems. Even if a candidate does not pass, the knowledge from the study guide is used to audit information systems. Which is very lucrative at this point with all the breaches happening in the enterprise.
  • mokazmokaz Member Posts: 172
    Remedymp wrote: »
    It's geared toward IT people. The purpose of the CISA is to demonstrate the comprehension of the frame work of auditing information systems.

    Of which, the framework, has to be applied through the ISACA gyroscope. Which renders things a little narrowed down if you ask me..
  • dustervoicedustervoice Member Posts: 877 ■■■■□□□□□□
    ..... and if you do pass, don't forget to FAXicon_rolleyes.gif in your endorsement form!
  • andhowandhow Member Posts: 151
    ..... and if you do pass, don't forget to FAXicon_rolleyes.gif in your endorsement form!

    I wonder if the archaic way that ISACA manages the test (and endorsement) somehow keeps the certifications more rare and valuable. I sure hope that's not the reason why they resist coming to the 21st century...
  • RemedympRemedymp Member Posts: 834 ■■■■□□□□□□
    andhow wrote: »
    I wonder if the archaic way that ISACA manages the test (and endorsement) somehow keeps the certifications more rare and valuable. I sure hope that's not the reason why they resist coming to the 21st century...


    From my understanding, it's so test takers couldn't do brain ****. But, I could be wrong...
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    andhow wrote: »
    I wonder if the archaic way that ISACA manages the test (and endorsement) somehow keeps the certifications more rare and valuable. I sure hope that's not the reason why they resist coming to the 21st century...

    I disagree, with every InfoSec newbie and their dog getting the CISSP nowadays I prefer if ISACA kept it how it is that way when I go for CISM and CISA next year, they keep their value icon_thumright.gif
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • mokazmokaz Member Posts: 172
    JoJoCal19 wrote: »
    I disagree, with every InfoSec newbie and their dog getting the CISSP nowadays I prefer if ISACA kept it how it is that way when I go for CISM and CISA next year, they keep their value icon_thumright.gif

    To be honest, i think that if i passed my examination with them, i might turn down the certification enrollment specifying that THIS is excatly what will make me outstand @ any HR where i'd be welcome to work for...
  • EasyPeezyEasyPeezy Member Posts: 111 ■■■□□□□□□□
    mokaz wrote: »
    To be honest, i think that if i passed my examination with them, i might turn down the certification enrollment specifying that THIS is excatly what will make me outstand @ any HR where i'd be welcome to work for...

    ...ehmm! You are not certified until you apply for certification. Passing the exam is just one of the requirements, you are either in or out.
  • dustervoicedustervoice Member Posts: 877 ■■■■□□□□□□
    what about people who are contractors and get a new gig every 3 months do they have to chase down 20 past managers to prove years of experience?
  • andhowandhow Member Posts: 151
    what about people who are contractors and get a new gig every 3 months do they have to chase down 20 past managers to prove years of experience?

    I'd run that question by ISACA. I'd hope that they would ask you to document/detail the experience and list prior contacts. It certainly isn't unusual to run into a situation where a past contact is unreachable. I've run into that situation with past military experience where I was asked (during an interview) if they could contact a military office about specific experience. I had to point out that the base had likely completely turned over in the several years since I had worked there.
Sign In or Register to comment.