Passed Today - Here is my perspective (you should read)
Hi all,
Yes, I passed the exam today, but at what cost?
A bit of my background
- 12 years in security
- CISSP, Comptia Security+, Microsoft Certifications, ITIL etc.
- Have been working in global organisations in Europe, US and Australia
Study Resources
Official Bootcamp - Expensive and not necessary
Official Book - took about 1 month to finish 90% and got bored (10 pages a day max)
Official Question Database - Frustrating and does not set you up for the exam, spent 2 months (a total of 42 hours of study, final score 90%). There are some questions which you would like to encounter again and again until you get the right answer (the DB consists of over 1000+ questions), but the system keeps asking you the same 50-60 questions over and over again in the 150-question exam preparation.
Furthermore, most of the hard questions (which are in the majority) are answered correctly only by 8-30% of the candidates; this by itself tells you that there is something fundamentally wrong with ISACA's mind-set, considering the experience requirements. (In my opinion, a 55% correct answer rate should be enough to sound the alarm bells in the industry.)
Questions I had before exam and what do I think (or know) now
1. Will my experience help me pass the exam?
No, ISACA lives in its own universe
2. Is there a standard approach to ISACA's logic?
Definitely no
3. How would you compare CISSP vs CISM?
There is no comparison, I DO understand now why CISSP is the most valued IS certification
4. Can I brain **** questions?
Absolutely not, because ISACA would use its own (unique) terminology in the official study guide, will use a different terminology in the official question database, and yet you will be challenged with a completely new terminology in the exam
5. What will I achieve by getting this certification?
Don't know yet, will let you know
About Official Book & Question DB
Official book: really good resource for work and real life scenarios BUT too wordy and keeps repeating the same very generic practices, which distracts you from focusing on exam specifics
Is it a good resource to study? So so!
To give you an example. When you read about incident management you would find a paragraph which resembles the definition below (I can't copy paste, sorry);
"Incident management consists of preparation, detection, containment, response etc..."
A question in the official DB would be
Which of the below incident management processes is the most important one?
a) Preparation
b) Detection
c) Containment etc.
In the exam
Which of the below processes is the most important one?
a) Incident
b) Management
c) Process
Or another example would be
Official book would give you a definition of confidentiality, integrity and availability but the official question DB would ask
Which one of the 3 CIA triad components is the most important one?
a) Confidentiality
b) Integrity
c) Availability
Let's suppose the answer is "A"; the rationale for answers "B" and "C" would be: A is always the most important
In the exam
Which one of the 3 CIA triad components is the least important one?
a) Confidentiality
b) Integrity
c) Availability
Obviously, with no context (what type of industry you are working in: finance, military, mining etc.) there is no right answer to either question, and the official question DB doesn't exactly tell you why "A" is the right answer and why "B" and "C" are not!
And lastly I need to mention there was even a question about the biggest disadvantage of digitally signing and encrypting an e-mail message (a message which is sent internally) - I will let you guys use your imagination
Furthermore, I have discovered several inconsistencies between the official book and the official study question DB, but you may as well say that there might be some exceptions as my official book might be an older version than the official study DB... but no
I noticed multiple questions in the official study DB which contradict each other. It's like there are different groups within ISACA with a completely different understanding of what the ISACA way is.
About the Exam
1. More ambiguous terminology, things you wouldn't find in the book nor in the study question database
2. Poor grammar. English is not my first language (especially when it comes to writing) but the level of grammatical mistakes takes me back to 6th grade (is / are, has / have and even they's / there's type of mistakes)
3. Words that don't exist in the English language (according to Google Translate)
4. Rubbish service_1: When I registered for the exam I received an email stating that I need a single form of identification (e.g. driving licence or a passport etc.) but while trying to log in to the exam session the (remote) agent requested 2 forms of identification (passport and driving licence). I tried explaining that this wasn't what was communicated to me. After 10 mins of chat I had to go back and find the exam booking email print-out to prove my point. (Think about the stress I was in.) I would be sc**ed if I had forgotten the printed copy of my exam schedule, as you are not allowed to bring mobile phones or any other device which works on batteries (not even your Fitbit Charge 2, which is pretty old and primitive)
5. Rubbish service_2: You are not allowed to bring water, coffee or any snacks - I had a glass of water (in a glass which I filled in the exam centre kitchen) and a packet of cookies on my desk (just in case); the (remote) agent requested me to remove everything before he/she could allow me to start my exam.
6. Rubbish service_3: You are not allowed to go to the toilet during the 4 hour exam! (No comment here)
7. No congratulations when you pass the exam; actually it took me a couple of seconds (probably 20-30) to understand that I passed the exam. When you submit your questions, you will be presented with a screen which displays almost every unnecessary piece of information in font size 18, and your exam pass / fail status is written in font size 8 at the very bottom.
Overall I am not really satisfied with anything except the official study guide. Good luck to you all
Comments
-
Metaldave Member Posts: 102
Wow. That just sounds like a horrific experience! Not being allowed to use the toilet sounds mental! The cookies, I agree with to be honest.. the noise of the wrapper could be quite distracting to other test takers.
-
LonerVamp Member Posts: 518
Not to be argumentative, but you were not allowed drink or food and you brought drink and food. Doesn't sound like the remote agent did anything wrong there.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs? -
lucky0977 Member Posts: 218
I think it's a different experience for everyone. My test center allowed me to take as many breaks as I wanted but I had to empty all my pockets and all belongings were placed in a locker prior to taking the exam.
I've taken two exams by ISACA and felt they were a lot easier and far more inferior to the CISSP. I mean, I didn't even use the study guide for either exam. I just used the Q&A database for both and again, I felt they were way easier than ISC2 exams. The questions were one or two sentences in length and appeared to be fair questions without ambiguity.
Sorry to hear what you went through but at least you passed.
Bachelor of Science: Computer Science | Hawaii Pacific University
CISSP | CISM | CISA | CASP | SSCP | Sec+ | Net+ | A+ -
nisti2 Member Posts: 503
Amazing! Thanks for sharing!
2020 Year goals:
Already passed: Oracle Cloud, AZ-900
Taking AZ-104 in December.
"Certs... is all about IT certs!" -
FluffyBunny Member Posts: 245
Thanks for sharing such an exhaustive review!
Hunter85 said:
1. Will my experience help me pass the exam
No, ISACA lives in its own universe
2. Is there a standard approach to ISACA's logic
Definitely no
Big yikes
-
Infosec_Sam Admin Posts: 527
Even if you didn't get a congratulations from the exam, you can be sure to get one from us! Nice job on the pass, and here's hoping you can keep it renewed with CPEs!
-
sfportaro Member Posts: 34
I took the exam at the end of November. I disagree with most of your comments.
Yes, ISACA has their own logic and you need to get into their mindset. But this is more or less true of every cert organization. This is why the QAE is so important.
No, I did not see grammatical mistakes. I found the questions easier and clearer than those on the CSSLP and the CIPT. There was only one question that I thought was out of left field.
There were problems. The exam froze and it took 45 minutes to get back in.
Some of your problems were related to your test center. Mainly the ID issue and the bathroom break.
I have never heard of a testing center that would allow food and/or drink. That is just rude to the other test takers.
But, be proud of passing. -
Mike564 Member Posts: 2
Hunter85 said:
Or another example would be
Official book would give you a definition of confidentiality, integrity and availability but the official question DB would ask
Which one of the 3 CIA triad components is the most important one?
a) Confidentiality
b) Integrity
c) Availability
Let's suppose the answer is "A"; the rationale for answers "B" and "C" would be: A is always the most important
In the exam
Which one of the 3 CIA triad components is the least important one?
a) Confidentiality
b) Integrity
c) Availability
****************************************
The importance of the whole CIA Triad is equally important, however, sometimes we need to give importance to one of them or a combination of them over the other as per the context. For example:
- Let’s assume we are examining proprietary information and finding priority among CIA Triad to assign to. In this case, since it is proprietary, the priority and importance should be Confidentiality i.e. limiting access to the underlying information itself.
- In another example consider the scenario of financial information in a bank which is supposed to be protected. In this case, importance will be to protect the integrity of the underlying information so that all the transactions hold their true value.
- Let’s now consider the case when some type of information is available for public consumption. Now in this case Availability will hold the priority because that is the main motive for this information to the public. Confidentiality will not be an issue in this since it is available to everyone whereas Integrity holds lower priority than Availability.
As OP said, the context is needed - and the Infosec resource confirms that. Therefore, without the context, what is considered the right answer??? -
lucky0977 Member Posts: 218
Give you a hint....You're not going to see a vague question like that in the exam. Maybe in the study practice exams but not the actual exam. You know how many test takers would complain about how stupid the question is if you're not given any context. The questions on the exam were fair and unambiguous.
Bachelor of Science: Computer Science | Hawaii Pacific University
CISSP | CISM | CISA | CASP | SSCP | Sec+ | Net+ | A+ -
Mike564 Member Posts: 2
lucky0977 said: Give you a hint....You're not going to see a vague question like that in the exam. Maybe in the study practice exams but not the actual exam. You know how many test takers would complain about how stupid the question is if you're not given any context. The questions on the exam were fair and unambiguous.
-
sfportaro Member Posts: 34
Mike564 said:
lucky0977 said: Give you a hint....You're not going to see a vague question like that in the exam. Maybe in the study practice exams but not the actual exam. You know how many test takers would complain about how stupid the question is if you're not given any context. The questions on the exam were fair and unambiguous.
And, why would you want the actual questions beforehand (brain ****)? Why not give any cert to who ever wants them? Talk about cheapening the value of a cert. There is a value in actually knowing the subject matter. -
LordQarlyn Member Posts: 693
Mike564 said:
Hunter85 said:
Or another example would be
Official book would give you a definition of confidentiality, integrity and availability but the official question DB would ask
Which one of the 3 CIA triad components is the most important one?
a) Confidentiality
b) Integrity
c) Availability
Let's suppose the answer is "A"; the rationale for answers "B" and "C" would be: A is always the most important
In the exam
Which one of the 3 CIA triad components is the least important one?
a) Confidentiality
b) Integrity
c) Availability
****************************************
The importance of the whole CIA Triad is equally important, however, sometimes we need to give importance to one of them or a combination of them over the other as per the context. For example:
- Let’s assume we are examining proprietary information and finding priority among CIA Triad to assign to. In this case, since it is proprietary, the priority and importance should be Confidentiality i.e. limiting access to the underlying information itself.
- In another example consider the scenario of financial information in a bank which is supposed to be protected. In this case, importance will be to protect the integrity of the underlying information so that all the transactions hold their true value.
- Let’s now consider the case when some type of information is available for public consumption. Now in this case Availability will hold the priority because that is the main motive for this information to the public. Confidentiality will not be an issue in this since it is available to everyone whereas Integrity holds lower priority than Availability.
As OP said, the context is needed - and the Infosec resource confirms that. Therefore, without the context, what is considered the right answer???
-
Hunter85 Member Posts: 60
LonerVamp said: Not to be argumentative, but you were not allowed drink or food and you brought drink and food. Doesn't sound like the remote agent did anything wrong there.
It was requested by the offshore exam instructor while I was logging into the system
(You are being monitored by a webcam throughout the exam by ISACA or ISACA contracted instructors)
The exam room was designated for 1 person only
1 computer, 1 desk, 1 chair
Local guys were alright
So I don't get the point of distracting other people while drinking water or eating a cookie -
Hunter85 Member Posts: 60
Mike564 said:
lucky0977 said: Give you a hint....You're not going to see a vague question like that in the exam. Maybe in the study practice exams but not the actual exam. You know how many test takers would complain about how stupid the question is if you're not given any context. The questions on the exam were fair and unambiguous.
sfportaro said:
Mike564 said:
lucky0977 said: Give you a hint....You're not going to see a vague question like that in the exam. Maybe in the study practice exams but not the actual exam. You know how many test takers would complain about how stupid the question is if you're not given any context. The questions on the exam were fair and unambiguous.
And, why would you want the actual questions beforehand (brain ****)? Why not give any cert to who ever wants them? Talk about cheapening the value of a cert. There is a value in actually knowing the subject matter.
Both questions were just examples
There were no questions looking exactly like my post but there were questions in the exam and the QDB which looked really, really .... really similar...
What I was trying to say was that
The Official Study Guide: gives you the definition of Confidentiality, Integrity and Availability
The Official QBD: asks you (not the original question but very similar)
Which of the following CIA triad components is the most important one?
a) Confidentiality
b) Integrity
c) Availability
Let's suppose the answer is "A"
My point was that with no context you can't tell why A is the right answer
and the QDB rationale was that A is the most important one
In the exam, however, you may find a very very, .... very similar question that may resemble
Which of the following CIA triad components is the least important one?
a) Confidentiality
b) Integrity
c) Availability
My point is before going to the exam:
You will know the definitions of all 3 terms
You will know the most important one but yet
No resource (official study book or QDB) will tell you about the order of importance (without any context)
While the above 2 questions are not from the exam or QDB, they are a pretty accurate representation of what I have seen
I hope this answers your question -
LonerVamp Member Posts: 518
Hunter85 said:
LonerVamp said: Not to be argumentative, but you were not allowed drink or food and you brought drink and food. Doesn't sound like the remote agent did anything wrong there.
It was requested by the offshore exam instructor while I was logging into the system
(You are being monitored by a webcam throughout the exam by ISACA or ISACA contracted instructors)
The exam room was designated for 1 person only
1 computer, 1 desk, 1 chair
Local guys were alright
So I don't get the point of distracting other people while drinking water or eating a cookie
I would honestly suspect you were told not to bring anything else with you into the exam room. I mean, you probably weren't told you couldn't bring a squeaky rubber ducky in with you either, but you'd probably not be allowed it.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs? -
bigdogz Member Posts: 881
Congratulations on the pass!
I was confused on the thread as I saw what topic it was under. Just remember next time you post to have the name of the credential in the topic of the thread.
I am sorry to hear that your experience was bad. I have not heard of others who had bad experiences like yours. I am glad you passed even after the problems you had before and during your exam.
I think some test centers are not run as well as others. When I took my GCIH, I had to inform the proctors that I had an open book exam. I have been in others where I have been patted down like I was going through the airport.
The proctors may have problems with the process, and that is the biggest point of frustration that occurs when we may be a little on edge when we take an exam. It just exacerbates the poor experience before the exam.