How long did you study for ISACA Cert?

idr0p Member Posts: 104
Let's hear it, CISA/CISM etc. holders.

How long did you study for, and what's your background in the subject?


  • darkladdie Member Posts: 25 ■□□□□□□□□□
    I studied for about three weeks but I should have studied more; I should have studied at least for 5 weeks.
    I had my CISSP and Security+ and ITIL v3 foundation certificate and 14+ years of IT experience.
  • idr0p Member Posts: 104
    Awesome, thanks for the info. I think I am going to start studying end of Oct. for the Dec 11th test.
  • badrottie Member Posts: 116
    For the CISM? I barely studied, as there is a lot of overlap with the CISSP.

    In case you are wondering what my study plan was for the CISSP, I did not go through the gruelling process of reading the AIO or OIG cover-to-cover either. I just read a few topics that I have not directly worked with in order to fill in a few knowledge gaps. (Honestly, if you know the material from having had to work with it extensively, studying is ancillary. As with all things, your mileage may vary.)

    10+ years information security experience, spread across all 10 CISSP CBK domains.
  • idr0p Member Posts: 104
    Nice, thanks for the input badrottie
  • badrottie Member Posts: 116
    idr0p wrote: »
    Nice, thanks for the input badrottie


    Please bear in mind what worked for me may not apply to you. We all bring our own experience and knowledge into the exam. I have had to work extensively doing risk analysis, information security program development/architecture/governance/management, incident response, DR/BCP, etc. As it turns out, those are the job practice areas that the CISM focuses on.

    So, when I say that I have barely studied for the exam, it does not mean that I have not studied those topics previously in my career. In fact, I had to do a deep-dive in all of them. Otherwise, I would have been studying like anyone else to bridge a gap in knowledge/experience.

    Gnothi Seauton ("Know thyself").
  • shaqazoolu Member Posts: 259 ■■■■□□□□□□
    I studied for about 8 weekends for the CISM. I had been performing risk assessments as a consultant for about 8 months prior. The guy that proofed my work and trained me had the CISM already, so the study material was pretty much right in stride with what I was already doing. I would suggest at least 3 months of serious prep time if you have never touched those topics professionally.
  • tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    I really need to figure out a study schedule for the Dec CISA exam. I think I am just going to spend four weeks on it.
  • Inbahrain2011 Member Posts: 9 ■□□□□□□□□□
    I went to a one week class, then studied for 3 weeks after the class leading up to the exam. I thought the test was harder than the class made it seem. How much you need to study honestly depends on how well you get the material. If you get it you may not need to study as hard, if not, lock yourself in the basement and start studying.
  • NeriKutta Registered Users Posts: 5 ■□□□□□□□□□
    For CISA June 2011 exam, I just answered the practice questions for about 5 weeks. Went through each question 3-4 times and read the answer explanations for those that were not quite obvious. As far as general terms (like private keys, public keys, security certificates, etc.) that I encountered in the questions, I looked them up on Google/Wikipedia. Not once did I open the study guide (the big fat book).

    As far as experience, I have over 15 years in CAAT and application development.

    Hope this helps. Best wishes!!
  • colemic Member Posts: 1,568 ■■■■■■■□□□
    Similar to NeriKutta here - I mainly used the practice questions (although for a lot longer than 5 weeks). I scraped by. I haven't convinced myself that CISM is worth the effort in December, with WGU eating up time as well...
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • contentpros Member Posts: 115 ■■■■□□□□□□
    For the CISM barely any study time. Like Badrottie I have 15+ years of infosec experience. I read the official review guide once skipping the first section of each chapter and did a review course (3 Saturdays) with my local ISACA chapter. As a bonus the review course earned me 24 CPE's that everyone including SANS seems to accept and the course was around $100.
  • JDMurray Admin Posts: 12,963 Admin
    ... and did a review course (3 Saturdays) with my local ISACA chapter. As a bonus the review course earned me 24 CPE's that everyone including SANS seems to accept and the course was around $100.
    That is a great deal! I must remember to check if my local ISACA chapter has a course like that if I ever do their certs.
  • Dani1982 Registered Users Posts: 3 ■□□□□□□□□□

    I just found this forum today. I am a financial auditor and I'm considering taking the CISA in September. Just got the review material for the ISACA website. Would you consider 4 months enough time for someone that is not really familiar with IT auditing? I have some knowledge but I've not been practicing. Also regarding certification, it is not quite clear to me from the ISACA website whether my financial audit experience would be enough to demonstrate qualification once I pass the exam. Any insights? I have 6 years of experience (2 as an external auditor and 4 as an internal auditor) and a master's in accounting. I would have the opportunity to be in both the IT and financial audit teams in my current job if I pass the exam.

    Thank you for your help,
  • badrottie Member Posts: 116
    Your background in accounting, both internal and external, will help considerably. That being said, the CISA is definitely more focused on IT aspects of auditing, so 4 months of dedicated study may be sufficient to understand the material.

    I would recommend purchasing a copy of the CISA question database and testing yourself to measure yourself, however.

  • Dani1982 Registered Users Posts: 3 ■□□□□□□□□□
    Thank you for your response that helps:)... I purchase CISA question database.
  • badrottie Member Posts: 116

    I forgot to mention that the experience requirements for the CISA are a minimum of 5 years of professional information systems auditing, control or security work experience. You can substitute or waive up to a maximum of 3 years of such experience depending upon your education and work experience. Please see the ISACA website for more information: How to Become CISA Certified

    As you are a financial auditor, you would most likely need a minimum of 2 years of IS related experience before you could qualify.
    That being said, there is nothing to stop you from taking the CISA, and once you pass it, obtain the necessary work experience requirements to become certified.

    If you have any questions, ISACA is the authoritative source and I would recommend contacting them.

  • Dani1982 Registered Users Posts: 3 ■□□□□□□□□□

    Thank you for your response. I was given the opportunity to be in both the Financial and IT audit teams in my current job so hopefully I will meet all requirements ASAP.

  • GoodBishop Member Posts: 359 ■■■■□□□□□□
    CISA - 8 hours
    CISM - 24 hours
    CGEIT - 16 hours
    CRISC - 16 hours

    For the CISA, I took a Friday for PTO and studied all day, then took the test on Saturday. Passed by one question. I had just finished doing 160 hours for the CISSP, so I was on the ball back then. Note - this is not recommended for normal people. Normal people should study more than 8 hours to pass the CISA.

    CISM took me a bit more - I wanted to refresh my memories and have some extra insurance, but it wasn't bad. Very similar to the CISSP - I scored the highest on this exam out of the four exams.

    CRISC I took next after working in an IT audit position for a year and a half. The most amount of time it took was going through the review manual. It was a very dry read. I crushed this exam as well.

    CGEIT was the final one - I took it after working in that IT audit position for another half a year. By this point, I didn't have any worries that I would pass. I did take the time to do 16 hours of study and crank through the ISACA review manual again.
  • aprilyichenwang Registered Users Posts: 1 ■□□□□□□□□□
    badrottie wrote: »
    Your background in accounting, both internal and external, will help considerably. That being said, the CISA is definitely more focused on IT aspects of auditing, so 4 months of dedicated study may be sufficient to understand the material.

    I would recommend purchasing a copy of the CISA question database and testing yourself to measure yourself, however.


    That's very encouraging. I am thinking about a career change from audit to IT audit. Hopefully by passing the CISA exam, I can get into the door BIG Four IT Audit entry level position. What do you guys think? Right now, I am working in a small CPA firm doing audit. I have my CPA, no IT Background.
  • LarryDaMan Member Posts: 797
    I work as a systems auditor and have worked with financial systems in the past. I passed with about 2 or 3 days of studying. I watched the CISA CBT Nuggets videos at about 1.7x speed and took 600-700 practice questions from the ISACA CISA database. I intended to read the review manual but was very busy at work and home and since I was doing well on the practice questions, I skipped the manual altogether. Risky, but I was lucky enough to pass in the top 5 percent.

    Experience should be taken into account in how much you study and perhaps how well you are doing on the practice questions.
  • wearingmyrolex Member Posts: 58 ■■□□□□□□□□
    Gents, can you help me with this question please?
    Dear All,

    I'm not hard of learning ;) I'm CISSP plus a number of other things, a CCIE candidate, yet for the life of me I cannot work out how to use the CISM Review Manual..

    I've tried reading it like a book. It's dry and pretty awful. I've left it this late to prep for my December 14th 2013 seat as I've had other commitments.

    I'm just not sure how the Section 1 and Section 2 work? Logic tells me to read and digest Section 2 only. I have no idea how/why I would need to digest the task statements to the knowledge statements and if we will actually be tested on that portion?

    Silly question, but I'm stuck. I WILL pay it forward in the future if one of you clever people helps me. I plan on reading 12 pages per day and testing using the official 900 q-set; covering the materials twice.

  • packetlog Member Posts: 24 ■□□□□□□□□□
    Hi Rolex,
    Luminox fan here.

    Agreed that ISACA Review manuals are a bit dry. I am doing CISA this year, so I have only CISA Review Manual. I read Section One: Overview as a preview to what is to come (it is appropriately titled, in my opinion). I skip the TS -> KS mappings. However, I read KS Reference Guide and note the Key Concepts and I know that there is gold in them somewhere and I should dig in those surroundings. With this high-level 30,000-foot overview, I then dive into Section Two: Content.

    So, use Section One as a pedagogical aid to digest Section Two and you will be fine. Don't get hung up!!

    Best regards and good luck to your endeavor,
  • wearingmyrolex Member Posts: 58 ■■□□□□□□□□
    Hi Pkt,
    thanks for your reply. I'm a few days in now and I still can't stand to have to read this awful review manual.. but I'm persisting. I realize if I force myself to read just 5 pages per day, TWICE, I can complete the manual in 30-odd days and still get a lot of 900q engine time.

    I now understand why so many people leave this to the last minute, it's because it's awful..

    Good luck on the CISA! I hope to take that next year, another driver to pass 1st time on the CISM ;)

    I'll be sure to review the KS ref guide as you suggested. There has to be something there, as you say, otherwise the nice people at ISACA wouldn't have included it.. surely...