ISACA Exam Passing Principles

Maintain a Risk Management point of view: technical questions are not predominant, and questions are subtle but not tricky:
  • Have a rationale for selecting the option that you have.
  • Select a response option for reasons related to InfoSec or Risk Management: oversight vs. mere management (e.g., risk controls).
  • The “best” answer is the one associated with better risk management, not necessarily a “better” result from some other perspective (e.g., an ‘inefficient’ outcome measure vs. an ‘efficient’ activity metric).

The crucial element is to identify the single domain from which the question was drawn:
1. First, filter out (eliminate) the answers not connected with the identified domain.
2. Then, apply the general principles of that domain when finding the answer.
  • The exam includes few (if any) items related to the specifics of any particular risk/audit framework, principle or best practice. Seek the broadest understanding of the item and select the answer that is most generally correct.
  • Apply the principles underlying a given framework, rather than framework-specific details.

What is your experience from ISACA exams? Are these principles correct?


I agree with all your points.

I'd mostly agree. For CISM I would say think like a CEO or Senior Management. For example, very simplistically, the best way to stop a cyber attack would be to block all incoming traffic, but this would harm the business as it would block legitimate trade traffic. Think in terms of cost effectiveness and what answer is best for the commercial side of the business.
