Interested in IT Auditing/InfoSec

Hello everyone,

Brand new poster here - just found the site today while poking around Google in regards to ISACA. I'm currently working as a computer technician (read: desktop support specialist) at an accountancy firm, where there has recently been some talk that they might like to transition me into an IT Auditor role. As such, it has been suggested I look into getting the CISA certification, though I don't believe there is much understanding around here of how that process goes.

After looking into it, however, and reading this post from a previous thread:

JDMurray wrote: »

Note that the CISA and CISM, like the CISSP, are professional certs that one obtains after gaining years of InfoSec work experience. People tend to misjudge these certs as something to help them break into InfoSec-related auditing or management, but they are not.

I'm starting to think I'm going about it all wrong. I have an MCTS certification, and prior to my current gig, I worked as one of two technicians at a managed services provider on all kinds of systems for about a year and a half. Prior to that I did network/desktop support for 4 years at a major private university. But my degrees are not in CS/IT/MIS, and my experience with auditing and security is next to nil. What is the best way of breaking into the auditing/security realm, particularly from my current position? I am encouraged to pursue certifications here, so would things like Network+ and Security+ help me on my way to a CISA certification further down the line? How does one begin getting the 5 years experience needed for CISA? Any tips are welcome, and hopefully you guys won't mind follow-up questions so that I don't make this post way too long.

Thanks in advance, and nice to meet everyone. I'll probably be around in several different forums going forward, now that I know this place exists.

Find more posts tagged with

Comments

empsecuk

Well, you will begin to get the experience if they transition you to that role ...... Work there for 5 years and then you would qualify for the CISA..

You can take the exam early - i.e. prior to gaining the full experience... you have 5 years in which to make it up!

Security+ may well be a good way to go, though I think that needs some experience too..

You could look at CEH, any technical security qualifications.. there are 29486230846230423423423 qualifications out there.. The CISSP/CISM/CISA ones all need the experience.. But you can take them all (the exams that is) without the exp...

On your CV you can then state that you've passed the exam and are awaiting certification etc...

GoodBishop

I would definitely look into the CISA experience requirements and map them to your own. Then, figure out how to get that experience, whether it be through IT or pure IT auditing.

SecMan3000

mrjonesluckiest wrote: »

Hello everyone,

Brand new poster here - just found the site today while poking around Google in regards to ISACA. I'm currently working as a computer technician (read: desktop support specialist) at an accountancy firm, where there has recently been some talk that they might like to transition me into an IT Auditor role. As such, it has been suggested I look into getting the CISA certification, though I don't believe there is much understanding around here of how that process goes.

After looking into it, however, and reading this post from a previous thread:

I'm starting to think I'm going about it all wrong. I have an MCTS certification, and prior to my current gig, I worked as one of two technicians at a managed services provider on all kinds of systems for about a year and a half. Prior to that I did network/desktop support for 4 years at a major private university. But my degrees are not in CS/IT/MIS, and my experience with auditing and security is next to nil. What is the best way of breaking into the auditing/security realm, particularly from my current position? I am encouraged to pursue certifications here, so would things like Network+ and Security+ help me on my way to a CISA certification further down the line? How does one begin getting the 5 years experience needed for CISA? Any tips are welcome, and hopefully you guys won't mind follow-up questions so that I don't make this post way too long.

Thanks in advance, and nice to meet everyone. I'll probably be around in several different forums going forward, now that I know this place exists.

ISC2 allows you to become an associate if you've passed an exam but don't have the experience.

https://www.isc2.org/how-to-become-an-associate.aspx

Alot of your IT experience could qualify for some of the CISSP domains, you might not even realize it!

https://www.isc2.org/cissp-domains/Default.aspx

My advice would be to write the CISSP exam regardless since it's the most valuable InfoSec cert and then work on gaining auditing experience and write the CISA.

mrjonesluckiest

empsecuk wrote: »

Well, you will begin to get the experience if they transition you to that role ...... Work there for 5 years and then you would qualify for the CISA..

You can take the exam early - i.e. prior to gaining the full experience... you have 5 years in which to make it up!

Security+ may well be a good way to go, though I think that needs some experience too..

You could look at CEH, any technical security qualifications.. there are 29486230846230423423423 qualifications out there.. The CISSP/CISM/CISA ones all need the experience.. But you can take them all (the exams that is) without the exp...

On your CV you can then state that you've passed the exam and are awaiting certification etc...

Thanks for your input! I'm a little wary of taking the exam prior to getting at least some experience, just because I'm not sure that I would really be able to understand some of the concepts. That's what has led me to consider other certifications. I actually can't say that I've ever heard of CEH - how widely recognized and respected is it? As for Security+, I have heard that it is a good idea to complete Network+ first, and I've heard it's a good idea to complete A+ before Network+. Haha.

mrjonesluckiest

GoodBishop wrote: »

I would definitely look into the CISA experience requirements and map them to your own. Then, figure out how to get that experience, whether it be through IT or pure IT auditing.

Definitely want to do that, which is part of the reason I showed up here, to get an understanding of how people go about doing that. My plans are all pretty vague and early stages right now as the transition to the role will probably be relatively long-term and perhaps not all that concrete. Part of the reason I hesitate to consider taking the CISA before the 5 years is that I worry I wouldn't continue building up the experience if I take it too early due to possible job description changes.

mrjonesluckiest

SecMan3000 wrote: »

ISC2 allows you to become an associate if you've passed an exam but don't have the experience.

https://www.isc2.org/how-to-become-an-associate.aspx

Alot of your IT experience could qualify for some of the CISSP domains, you might not even realize it!

https://www.isc2.org/cissp-domains/Default.aspx

My advice would be to write the CISSP exam regardless since it's the most valuable InfoSec cert and then work on gaining auditing experience and write the CISA.

That is an intriguing thought, though as empsecuk mentioned, I'm sure I could put "Passed the CISA exam" on my CV. I notice that the "Associate" designation goes away 5 years after your test, much like the way you can no longer become certified if you don't have the 5 years experience in the first 5 years after you pass the CISA. I'll definitely look into ISC2 as an option, though, because the e-learning provider my company uses already provides us with ISC2 training. Have you been CISSP certified? If so, how did you prepare for the exam?

Again, thanks to everyone for the input.

SecMan3000

mrjonesluckiest wrote: »

That is an intriguing thought, though as empsecuk mentioned, I'm sure I could put "Passed the CISA exam" on my CV. I notice that the "Associate" designation goes away 5 years after your test, much like the way you can no longer become certified if you don't have the 5 years experience in the first 5 years after you pass the CISA. I'll definitely look into ISC2 as an option, though, because the e-learning provider my company uses already provides us with ISC2 training. Have you been CISSP certified? If so, how did you prepare for the exam?

Again, thanks to everyone for the input.

I'm a CISSP. I attended a Deloitte boot camp that was 5 full days followed by the exam on the 6th. It's expensive (~3500) but luckily my employer paid for it. I'd highly recommend it, if you can get someone to pay. Otherwise, check out the CISSP forum here for study tips.

Gorby

I'd recommend shadowing an IT Auditor also if you haven't already researched the day to day task. I've seen some new hires at my current role come in excited and disappear after 4 months due to having to write up security plans or poams.

Not trying to discourage as it's a good field though, just make sure before you map out a cert path.

mrjonesluckiest

SecMan3000 wrote: »

I'm a CISSP. I attended a Deloitte boot camp that was 5 full days followed by the exam on the 6th. It's expensive (~3500) but luckily my employer paid for it. I'd highly recommend it, if you can get someone to pay. Otherwise, check out the CISSP forum here for study tips.

Wow, yeah, that is pretty pricey. I'll look into it, though. Thanks

mrjonesluckiest

Gorby wrote: »

I'd recommend shadowing an IT Auditor also if you haven't already researched the day to day task. I've seen some new hires at my current role come in excited and disappear after 4 months due to having to write up security plans or poams.

Not trying to discourage as it's a good field though, just make sure before you map out a cert path.

No worries, not discouraging. I appreciate the thought. Shadowing is actually kind of part of the plan, and luckily I was briefed on the writing portion of the job as well. I did a lot of writing in college; you might actually say I have more of a background in that than I do in IT. But I can definitely see how it could be off-putting, and I certainly haven't done any of this kind of writing, so I'll be interested to see what it entails.

I certainly appreciate the idea of not doing too much in terms of certification path-mapping until after doing some shadowing, though I'm definitely not trying to put the cart before the horse. On the contrary, I'm just trying to figure out which is the cart and which is the horse.