Maintain a Risk Management point of view; technical questions are not predominant, and questions are subtle but not tricky:
- Have a rationale for selecting the option that you have
- Select a response option for reasons related to InfoSec or Risk Management: oversight vs. mere management
e.g., Risk controls
- The “best” answer is the one associated with better risk management, not necessarily the “better” result from some other perspective
e.g., ‘inefficient’ outcome measures vs. ‘efficient’ activity metric.
The crucial element is to identify the single domain from which the question was drawn:
1. First, filter out / eliminate the answers not connected with the identified domain
2. Then, apply the general principles of that domain when finding the answer
- The exam includes few (if any) items related to the specifics of any particular Risk / audit framework / principle / best practice. Seek the broadest understanding of the item, and select the answer that is most generally correct
- Apply the principles underlying a given framework, rather than framework-specific details
What is your experience from ISACA exams? Are these principles correct?