CRISC Dec 2016
Sat the December CRISC. What an enjoyable experience. I know it's the last time ISACA will do scantrons, but I still can't believe it's 2016 and I just took a professional exam requiring a #2 pencil...
I don't know if I passed or failed - It wasn't so much hard as it was ambiguous....? I think that's the best way to describe my experience. Nothing I hadn't seen using the standard 2016 CRISC review manual, Q&As, IT practitioner Guide, and IT Risk Management Framework. Now the best part of all - let the waiting begin.
Comments
-
MeggieMoo95 Registered Users Posts: 2
I too wrote the CRISC today. I felt like I was in a bad dream where I had studied the wrong material for the exam I was presented with.
I wrote and passed my CISA in 2007. I found that exam to be very straightforward and I completed it in 2 hours. All with a relatively minimal amount of practical experience (bare minimum to qualify).
This time around, I wrote having been a risk professional for many, many years. Despite that, I found the CRISC exam to contain many ambiguous questions that were strangely worded and not relative to the study material/database questions. I'm not sure if they're trying to assess my risk knowledge or my ability to decipher trick questions and ISACA's (sometimes bizarre) idea of theoretical risk management.
I have no clue if I've passed. I can't even imagine what writing that exam would be like for someone with only 3 years of basic experience. Not impressed at all ISACA!
-
cooldudevimal Registered Users Posts: 4
I appeared for the CRISC exam today and I was completely confused on seeing the questions, which were neither seen in the review manual nor in other materials I have referred to. Every question was leading me to deep thinking and I started feeling that my brain is going to come out by such deep thinking on every question. I had to spend the entire 4 hours in thinking/rethinking, writing/erasing and rewriting the answers. In June 2016 I cleared CISM, in which I didn't face any such complications. When I started the exam I was in very high spirits and ended up in complete silence with fully lost confidence. Not sure whether I will pass or not, as most questions I had to guess and answer. Now the painful wait period of 8 weeks has started.
-
thehayn1 Member Posts: 46
Meggiemoo95 and Rufio,
I took the exam in June as well as yesterday. I feel way better now than I did after taking it in June because I knew what to expect as far as ambiguity. You hit it on the head, it's almost as if ISACA wants us to be better at decoding than actual knowledge. Although I'm pretty sure I passed, this exam has gone downhill in my opinion. Especially because the study material (specifically the Q & As) cost so much and are not even CLOSE to what you see on the test.
-
johnj6425 Member Posts: 25
I agree with most of the comments. The exam was interesting. I passed the CISA in September using the review manual and database, and used the same material for the CRISC exam. I studied for the exam for about 8 weeks reading each chapter twice and over 2000 attempts on the database questions resulting in a high 90%. The exam really made you think and required at least for me rereading each question multiple times. I walked out of the exam really thinking I did not pass. I do not need this certification for my job and it was something I personally wanted to take/achieve (paying out of my own pocket).
I do agree with ISACA that these tests should challenge and demonstrate the necessary knowledge prior to an individual earning the certification, so if I passed or failed it's on me and moving onto CISM in June.
-
Rufio Member Posts: 25
I agree with most of the comments. The exam was interesting. I passed the CISA in September using the review manual and database, and used the same material for the CRISC exam. I studied for the exam for about 8 weeks reading each chapter twice and over 2000 attempts on the database questions resulting in a high 90%. The exam really made you think and required at least for me rereading each question multiple times. I walked out of the exam really thinking I did not pass. I do not need this certification from my job and it was something I personally wanted to take/achieve (paying out of my own pocket). I do agree with ISACA that these tests should challenge and demonstrate the necessary knowledge prior to an individual earning the certification, so if I passed or failed it's on me and moving onto CISM in June.
-
RogueJD Member Posts: 46
On the CISM exam, do you have to have a management title? I was an Information Security and Risk Analyst that fulfilled several of the job requirements, but it wasn't a management role. Does that matter?
To sit for the exam, no. To earn the certification, yes.
From ISACA:
Submit evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas.
Domain 1—Information Security Governance (24%)
Domain 2—Information Risk Management (30%)
Domain 3—Information Security Program Development and Management (27%)
Domain 4—Information Security Incident Management (19%)
-
johnj6425 Member Posts: 25
I agree with RogueJD. You'll need the experience for the certification and it's something I've been doing over the past 10 years.
-
Rufio Member Posts: 25
Great. That's helpful. I've almost got the management requirement.
-
mwnciboo Registered Users Posts: 4
I do agree with ISACA that these tests should challenge and demonstrate the necessary knowledge prior to an individual earning the certification, so if I passed or failed it's on me and moving onto CISM in June.
They don't demonstrate Knowledge, they demonstrate that you can think in some hatch-job US idealistic model.
It doesn't know what it is... Is it a Role competency assessment? or is it an examination of knowledge?
The key to education is to teach people "to think", not "What to think", this is the problem with their Idealistic Model of Companies that they reference in many questions. It is competency based as it is scenario driven, yet it touts itself as an Exam. Knowledge and Competence do not automatically go hand in hand.
CRISC is completely dyspraxic and there is no co-ordination between the Exam, Syllabus and preparation materials. There are 42 separate further study references of other publications (a fair proportion are ISACA publications!!!) which they also draw questions from.
Any exam which references this much additional material, that is examined in a syllabus but is not in the Study materials is pretty outrageous (especially as ISACA own a significant number of the publications).
L.Ron Hubbard said "if you want to get rich, start your own Religion"
I say if you want to get rich, start your own Accreditation Body!
-
johnj6425 Member Posts: 25
When I stated earlier about "demonstrating the necessary knowledge", I was referring to thinking outside the box and not related to some old school standardized testing by reading a few chapters and answering the questions correctly to earn a certification.
I'm not a paid spokesman for ISACA, but I'll stand by my initial statement that it comes down to the individual in regards to passing or failing.
-
cooldudevimal Registered Users Posts: 4
Risk Taxonomy was focused on in multiple questions in the CRISC Exam Dec 2016. As per me it serves two purposes:
1. Aggregation of Risks into Categories
2. Aligning IT Risks with Business Risks
This is what I had answered in the exam. Kindly throw some light on this, please...
-
maxrev Member Posts: 15
Wow! I am second guessing myself now after reading this thread, I felt the exam was not different from what I expected it to be. I was expecting CRISC to be a cryptic exam from all the threads I read online. However, I found the exam to be very similar to CISM in the way the questions were structured and very few questions made me think that I have not seen this before. I passed CISM with 545 and hope that I did not do 100 points worse on CRISC.
-
RogueJD Member Posts: 46
Here's my CRISC experience: (Posted from another thread that didn't get any traction)
This was my first certification - ever (CRISC). I have a good core of academic knowledge (MS: IT), and even attended a 4-month full-time trade school. I should have rec'd my A+, Sec+, CCNA, and Some basic Microsoft certs, but even though I attended that full-time course, I didn't find a lot of value in the entry level certs, so I never actually took the tests. I work as a "risk practitioner", so I have a lot of practical experience that helped.
Since I'm tasked with developing our Enterprise Cybersecurity Risk Management department where I work, I convinced the brass to spring for a 3-day "CRISC Boot Camp." That was the Monday - Wednesday prior to the exam. The only studying I did prior to that was going over a few basic practice exams, and some of the self-assessment questions in the official ISACA CRISC Study guide (provided to me by the same company that did the boot camp).
In the end, I think the "boot camp" was helpful, but having access to many practice exams with an answer key that had explanations for each possible response was most beneficial.
Exam experience itself was more-or-less what I expected it to be. Archaic, in a way. Not very efficient at all. I over prepared by having three hand-sharpened pencils, three mechanical ones... Panicked instinctively when I thought I forgot to leave my phone in the car. Patted my pockets, phone was in the car. Two minutes later, panicked again when I wasn't thinking and instinctively checked my pockets and thought I lost my cell phone... Proctors kept using a monosyllabic pronunciation of "Chrisk" when they mentioned the CRISC exam. Thought that was funny.
Made several passes through the exam. First pass, I answered approx. 65-70% of the questions. Marked those I wanted to take a closer look at. I wanted to get the "easy" ones out of the way first. The practice exams helped a ton. I was able to take many questions, and from the explanations in the practice exams, I was able to go "Ah, I see what you're trying to do here..." to most of those 65-70% of questions. Maybe I just had good practice exams, but they did seem a good indication of what to expect on the official exam, in my opinion. In fact, the official exam seemed to use less "trickery" than the practice exams.
On my second and subsequent passes, I continued narrowing down responses. The responses seemed to follow a pattern of "One or two of these answers are obviously wrong, one is correct, and one is a subset to the correct answer." I was less confident about how I answered some of these questions. I found my multiple-pass method beneficial, as I found that if I didn't recall a concept, I would be able to get a better idea of the concept just because they probably would mention it elsewhere in the exam, which provided me with more context. Example: Q1: What color is Chrisk's car? Q45: Chrisk's green car uses what kind of fuel?
I left with the feeling that I passed, but certainly didn't "Ace" it. Not my best performance, but I was playing the odds. I more-or-less did a cost-benefit-analysis. I didn't study much because I knew I needed only 57% of my answers to be correct, and the "boot camp" allows for me to take it again if I fail the first one.
We'll see in eight weeks!
-
mog27 Member Posts: 302
What bootcamp did you take and how was the bootcamp?
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Ben Franklin
"The internet is a great way to get on the net." --Bob Dole
-
RogueJD Member Posts: 46
Boot Camp: InfoSec Institute.
How was it? Well, it was okay.. I found it a bit frustrating that we spent a lot of time covering "static" concepts - things that don't really change between different Common Security Frameworks. Like, the concept of PKI in encryption. People at this level in their careers should have a base understanding of these topics. These boot camps start on the Monday prior to the exam. If you don't know the concepts by then, you shouldn't be sitting for the exam.
I read a lot about users' experiences before I sat for this exam... How ambiguous the questions were; how no one walked away feeling confident that they passed. I was hoping for training on "speaking ISACA" - how to apply the concepts that one should already know to ISACA's style of logic; how to walk away from the exam with a little more confidence.
I did get some of that training during the boot camp, but that wasn't the focus. It was more akin to "cramming" - a review of all of the static concepts. There are many recent scientific studies on "cramming". The overwhelming consensus is that it is far less-effective than taking multiple practice exams. ...On the subject of practice exams, one comment I hear a lot is that the study guide and practice exams are not a good representation of the exam itself. I call B.S.. Yes, the content was different - I don't remember thinking "Oh, I saw that question on a practice exam", but I do remember thinking "Ah, I've seen this logic before."
About the boot camp experience itself:
The sales person pushed for a distance-learning environment as opposed to me flying out there. I cannot emphasize this enough: If you have the opportunity - go on site. Do not do the web-based training.
It was horrible. A single webcam in the back of a small hotel conference room. Audio was good for the instructor, he was mic'd up, but we couldn't hear the other students. Made Q and A very difficult! The instructor had a single screen that he also projected on. He had to alt+tab to see the online students' questions. Made our participation very limited.
They used Lync (or Skype for Business, I think) for their setup. It was complete trash. We had to manually scroll down to see other students' comments, we had zero options for customization - like there was no way to resize the presentation to full-screen without all the other parts of the page taking up a lot of space. Even though we were all muted, you had to have a microphone physically installed just to hear the presentation. For someone pushing distance learning, their A/V setup and choice of teleconference software was trash.
There is no doubt that the instructor was knowledgeable. He knew every detail of every concept, and speaks "ISACA" fluently. Unfortunately, he was monotonous and never moved from his chair. Not very engaging. I've been to a few other training events in the past. SANS instructors always blew me away. Not only were they just as knowledgeable, they were fantastic instructors. The SANS guy could read a phone book and everyone would be on the edge of their seats. Our guy wasn't horrible, but I'm sure I missed a few things because it was just boring.
It should be noted that my colleague took the CISM boot camp that same week. He said his instructor was fantastic, and rated him on par with the SANS guy.
In the end, the exam went exactly as I thought. I did walk away with confidence that I "Spoke enough ISACA" to take the sting of ambiguity out of the exam. If I failed, it's because I didn't have enough practical experience in my career to understand the concepts. For instance, I had a question on the concept of taxonomy when categorizing and collating risk between relatively-disparate entities within an organization. I had no idea what the word "Taxonomy" meant. In my career, I never thought that way about the categorization methods that I use to classify risk. In the end, I recall guessing correctly, though.
I like the fact that this exam has a low pass rate. This exam is for Risk Practitioners to validate their experience, not for someone thinking "Wow, the average salary of a CRISC is $121k! I think I'll try for that cert so I can maybe work in that field and earn that money"
-
Rufio Member Posts: 25
Having taken the exam 2 weeks ago, it's feeling more and more likely that I didn't pass even though I walked out feeling neutral. Waiting another 6 weeks for results is brutal.
Does the exam material change much from year to year? If I fail, I probably don't need to purchase the 2017 material, right?
-
mog27 Member Posts: 302
I took the "live online" ISSEP class last year from infosecinstitute and thought it was fairly good. There were a few annoying technical issues but overall I didn't think it was too bad. I also had everyone's favorite instructor from the cybrary CISSP class, Kelly Handerhan. I noticed there is also an online CRISC course from trainingcamp.com; I wonder if that is any better?
Also, is it known what the pass rate is? How low is it?
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Ben Franklin
"The internet is a great way to get on the net." --Bob Dole
-
RogueJD Member Posts: 46
Yea, Kelly seems to be one of those instructors I would like. I watched a lot of her CISSP videos.
Regarding the pass rate - I don't even recall where I heard that. For some reason, 60% comes to mind, but I have no clue where I got that number. Maybe my boot camp instructor?
-
ST_Raph Member Posts: 6
I took the exam on the 10th as well. I feel like I did "OK", but the exam was not what I expected... The wait continues....
-
jcundiff Member Posts: 486
@mog27, I have no experience with training camp's online courses, their onsite boot camps are great if you are a seasoned infosec or risk management type person as a polish to self study. I took the CRISC in Dec 2015 and found it to be quite straightforward. My study plan was almost non-existent, just on the job doing the tasks and concepts for about 5 years. I had training $$ left available at the end of 2015 so figured why not... fully intended on reading the manuals, did find time to re-read the IT Risk Framework, that was about the extent of my studying. Was done in about an hour and 15 minutes, walked to the front of the room knowing I had passed.
Everyone started talking after the June 2016 about the exam being off, so not sure what happened between the two test cycles
"Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
-
johnj6425 Member Posts: 25
I'm sure everyone is ready for the results.... 4 weeks left!!!
-
RogueJD Member Posts: 46
I still check the site every day, even though I'm fairly certain the results won't be there.
-
kukku Member Posts: 130
Exam results should be released on 2/4, right?
CRISC and CGEIT will take a couple more weeks after the results of CISA, CISM.
-
maxrev Member Posts: 15
They should be able to release the results for CRISC and CGEIT sooner as there are fewer questions on these exams, I don't buy into the whole low level of maturity bs as many questions were the same as CISM. I hope I pass this one and run as far away as I can from ISACA.
-
johnj6425 Member Posts: 25
The waiting sucks!!! I know the results are coming and a few weeks away.
-
natalie37203 Member Posts: 6
Ready to get the results for the CRISC!! Anyone else take an exam in Nashville in December? ISACA sent out notices that if we failed we would automatically be registered for free to retake it in May using the CBT because the hotel had maintenance drilling in the vicinity of our room. It was SO LOUD and distracting. I'm secretly a little happy about it though because like others, I walked out with no sense of whether I bombed it or aced it (or somewhere in between...)
-
zeroG Member Posts: 14
natalie37203 wrote: » Ready to get the results for the CRISC!! Anyone else take an exam in Nashville in December? ISACA sent out notices that if we failed we would automatically be registered for free to retake it in May using the CBT because the hotel had maintenance drilling in the vicinity of our room. It was SO LOUD and distracting. I'm secretly a little happy about it though because like others, I walked out with no sense of whether I bombed it or aced it (or somewhere in between...)
More than ready! I took the CRISC exam in Germany and felt exactly the same afterwards, not knowing at all whether I might have passed or not.