CISM/CISA/CRISC/CGEIT December 2012 Feedback

CISPhD

TE,

I just got home from taking my CISM exam. Overall, I'd be surprised if I failed the exam in lieu of all the studying, boot camps, study groups, practice tests, etc... over the last 6 months. The exam environment was professional, and the ear plugs certainly helped. I wrapped up the exam in just over two hours, and can only recall about 10 questions that I was really on the fence between two answers. I am actually surprised at the number of people who took their cell phones into the exam room despite it being written everywhere (as well as being common sense). Out of the approximately 50 odd people in the exam room, 15 or so raised their hand when the proctor asked who still had a cell phone or other electronic device. The astounded look on the proctor's face gave me a good chuckle.

Does anyone else ever get that gloom and doom feeling that you failed your exam despite your best efforts? I may just be over critical of myself here, but it's always a fear that I didn't do well enough. While taking my test, I put a star next to any question that I was certain I had right. When I tallied them up at the end of the exam, it was only about 30 of them.

Anyone else have any other feedback on their exam experience?

JDMurray

Ear plugs? Were you taking your exam in an airport or a train station?

paul78

Maybe it's an east coast thing? The few exams that I've been at (both ISC2 and ISACA), ear plugs were always provided.

vasyvasy

The earplugs were a life-saver today.. just outside the test facility there was a construction site, and boy were they working with jack-hammers at 5-10 meters from the test site...
Just imaging that you are trying to wrap your head around this question: "What is the auditor main objective when... dum-dum-dum.... vrrrr-vrrr-vrrrr... !" ARGH!

CISPhD

Hah... The test was underground at a Marriott hotel downtown. I just prefer absolute silence when I'm trying to concentrate. I'm very much the extrovert, and reminding people of how annoying they are is a favorite past time. :P

wail.rahim

I did my CISA exam today in Toronto. It was nice and quite at the Hyatt hotel in downtown. Several people had their cell phone on them too lol. What a day this was.

Had my wife drop me off at the front entrance of the hotel , then I discovered that I left both my IDs and cell phone in the car as she drove off ... chased her for 4 blocks....

I feel the same way as you CISPhD. Despite my efforts, seems like the exam was tough and tricky. I hope I studied enough. Best of luck to everyone and hope we all pass. Now to wait for the results

paul78

Is it too early to start predictions on when results would be released? I'm guessing Feb 1, 2013.

sandiego_f

Hi,

i took the CISA yesterday and i must say iam very disappointed with the test. I studied 6 months, can nearly answer all the questions from the database correctly and studied the book. I also have more than 5 years audit experience and think that the questions in the test for the CISA were for another test...I really had to ensure myself more than twice if iam really attending the cisa exam or any other because i was so surprised...

Everybody that left the room attending the CISA was saying that it was more like playing lotto than asking questions about how to audit or any of the five domains. It was also not asking working experience or something like that, 90% of the quesitons were just random questions about anything else than IT or audit.

As i said iam not the only person feeling like this. Every other person that was attending the cisa test in my room and i talked to was feeling the same way. What can i do now? Iam so disappointed in the isaca because i studied so much for nothing...Even if i would say i´d attend again iam pretty sure if the questions are the same its again playing lotto...

Kind regards

bmac

sandiego_f wrote: »

Hi,

i took the CISA yesterday and i must say iam very disappointed with the test. I studied 6 months, can nearly answer all the questions from the database correctly and studied the book. I also have more than 5 years audit experience and think that the questions in the test for the CISA were for another test...I really had to ensure myself more than twice if iam really attending the cisa exam or any other because i was so surprised...

Everybody that left the room attending the CISA was saying that it was more like playing lotto than asking questions about how to audit or any of the five domains. It was also not asking working experience or something like that, 90% of the quesitons were just random questions about anything else than IT or audit.

As i said iam not the only person feeling like this. Every other person that was attending the cisa test in my room and i talked to was feeling the same way. What can i do now? Iam so disappointed in the isaca because i studied so much for nothing...Even if i would say i´d attend again iam pretty sure if the questions are the same its again playing lotto...

Kind regards

Unfortunately I completely agree. I have put a lot of effort into studying for this and I feel disappointed. According to the database I have answered 4994 questions and during the last 2 weeks was scoring between 90 and 100% on all my practice tests. Although I know this doesn't guarantee me an exam pass I thought that it would help. I felt the questions in the CISA exam were terrible, and similar to you I had to check that I was doing the right paper. I came up across quite a few questions that seemed to have nothing to do with what we were studying or didn't make much sense. Some of the questions seemed so vague that it was almost impossible to pick the correct answer because it could have been a few.

I feel like I haven't been tested on my knowledge of IS Auditing just on how well I can cope with terrible questions. It’s a shame really because even with my experience in IS auditing studying for this exam has really taught me quite a lot but I don’t feel the exam actually tested that knowledge.

One other problem I have noticed is terminology, it can be called one thing in the CRM, another in the questions database and then in the actually exam something completely different.

I've tempted to officially complain to ISACA. I'm going to hold off and see if it just me that feels like this.

I can't say I'm too confident about passing but we shall see.


Also, we were offered ear plugs in the UK. First time I've ever heard of that in a exam. No one took them that I noticed but it was on a University Campus so it was fairly quite.

bmac

paul78 wrote: »

Is it too early to start predictions on when results would be released? I'm guessing Feb 1, 2013.

Surely no later than 8th Feb. That would be a Friday as well so end of the week.

CISPhD

paul78 wrote: »

Is it too early to start predictions on when results would be released? I'm guessing Feb 1, 2013.

It's never too early! My money is on Feb 6th. It's the middle of a week, but life is about taking chances right? :P

An interesting note here. In speaking with my local chapter, I'm told they usually have a high scorer slide in the January or July chapter meetings to show the highest scorers in the region. They don't show the scores, but you can be sure if your name showed up on that list, that you passed. That could possibly get you an answer a bit early? Ping your local chapter to see if they do the same thing... Each chapter is different.

sandiego_f wrote: »

I took the CISA yesterday and....

bmac wrote: »

Unfortunately I completely agree. I have....

My sincere hope is that you would have taken something away from the exam to get a feel for where your study habits may have lacked. There were 20 some odd people taking the CISA in my local town, and many of them felt they did pretty will with similar study habits to what I have seen each of you describe. Should you find yourself having to retake the exam, see if you can find some of the people who passed the December CISA (through your local ISACA chapter), and speak with them on what their study habits where, where their expertise is (professionally), what their observations for the exam were, etc...

Also, check out your local ISACA chapter newsletters for a local CISA study group as time approaches for the next exam. The study session in my local city had about 2 dozen people in there. It would be very helpful to share in their experience for the 6 weekends preceding the June exam.

Just my $0.02.

paul78

Regarding the topic of ear plugs - I've always brought ear plugs into exams. I find that it helps with my concentration and it's a good risk control to address an threat of noise from other exam takers or the external environment.

Oh yeah - I took the CRISC and it will probably be a few weeks before I can stop discussing topics in terms of risk management.

As for the CISA, I have never written it. But I have talked with many others who described the CISA in the same manner. The CISM and CRISC did have similar traits.

With the CRISC exam, the body of knowledge isn't very broad so it was a bit amusing to see a lot of the same questions just worded very differently or using different scenarios. I personally am not very confident about my prospects of passing primarily because my preparation technique was somewhat non-existent. I completed the CRISC exam with only about 5 minutes to spare and I took no breaks. I probably marked about 85 questions which I wanted to review but didn't have much time to actually re-review questions during the exam.

@bmac - yes - Feb 8 does seem like a safe bet for the results.

mang109

sandiego_f wrote: »

It was more like playing lotto than asking questions about how to audit or any of the five domains. It was also not asking working experience or something like that, 90% of the quesitons were just random questions about anything else than IT or audit.

I took the CISA yesterday and felt similar. I found that for many of the questions I was purley guessing. All abit depressing really since I spent so long studying and had no problem with the practice questions, even on the first run through.

Nevermind, all that can be done is to wait for February and go from there!

Athens2012

Hi,
I also took the cisa exam yesterday and i feel the same way like most of the others.
Nearly 85% of the questions had nothing to do with IT or IT audit experience...iam very very disappointed. I asked one of the proctors if i really got the cisa or maybe the cism questions but that has been ignored and iam really depressed for putting so much effort and time into this..i read the whole Book, answered all the questions from the database cd with a score of more than 90% and all this had nothing to do with the questions they asked...
Is there anything i can do? Where can i complaint? Has someone an idea how i can prove this facts..?

bmac

I'm glad to see that I'm not the only one who thought the CISA exam had nothing to do with IS Audting. I did question myself towards the end where all the questions on domain 5 were.

I think you have to weeks to contact ISACA about the exam, not sure on the email address. I'm very tempted to email them to give my thoughts and see what they have to say about the exams content.

bmac

CISPhD wrote: »

My sincere hope is that you would have taken something away from the exam to get a feel for where your study habits may have lacked. There were 20 some odd people taking the CISA in my local town, and many of them felt they did pretty will with similar study habits to what I have seen each of you describe. Should you find yourself having to retake the exam, see if you can find some of the people who passed the December CISA (through your local ISACA chapter), and speak with them on what their study habits where, where their expertise is (professionally), what their observations for the exam were, etc...

I'm not sure it's about the study technique to be honest. I think my studying was fine, the main problem that i had was the content of the exam seemed to come from another area. A lot of the topics were new to me and i feel i know the CRM and questions database like the back of my hand. I don't want to put any of the questions on here obviously but i think if i did you might agree that they don't sit in the area of IS auditing.

CISPhD

bmac wrote: »

I'm glad to see that I'm not the....

The correct address to send feedback to is exam@isaca.org. In all reality, you're expectations of getting any movement from an international standards organization from the feedback of a single exam taker may be a bit unfounded. You might be a bit better of simply learning from your experience, hopefully recalling what it is that ISACA wanted you to be tested on (despite their CRM content), and study the appropriate material to become certified.

It isn't the answer you want to hear, I'm sure... but it's realistic feedback all the same.

rohitjain759

Hello Friends.... Even i gave CISA, the experience to say was no better than what was last Dec '11
I score 432 in Dec ' 11 and even this time round i am little shaken on confidence. What i have ultimately realised is how much ever effort you put in for CISA (CRM & Q&A) all are in-vein...
I lost ground in IS Audit and IT Governance topics last year, so i prepared hard on those topics but this time round chapt 3 & 4 were little shocking for me. Its all luck and shear guessing in few questions..


Guys i want to know one thing.... how many questions are suppose to be correct to ensure to pass in the exams??? am really worried since this is my second attempt and i cant afford to loose a penny over this now...


Pls Revert...

victor58

I gave the CISA exam as well. Not sure how it went, questions were too generic. But what I am hearing, ISACA tends to frame questions to make sure people do not pass the exam. This is not just my opinion but from those who have given the exam numerous times and still not managing to pass the exam. Again these were people who were well experienced and knew the material in and out however, the exam is a different story. I guess we have to wait and watch for the results but again the more people talk about their exam experience the better it would be to realize we are not the sole ones feeling this way.

D

cyclinglen

It is interesting to see the different feedback. I walked away feeling a bit shaky as well. I expected to feel more confident on more of the answers. I went back through all of them after I finished and changed 10-15 so I don't know if that is good or bad. I can't believe I have to wait until February for the answer!

F_A_H_D

i dont know if i done well or not !!... but my main problem was the time ! i dont know if they examining Audit skills or time management
to answer question you need at least to ready it couple of time and read the answers carefully

they need to know that people spent alot of hours studying the materials they should help them pass the exam not troubling them !

i never been in my life counting each second like that hours

anyway good luck for all

N2IT

I believe I read you need 3 years of managerial experience in a security function. Can certification or education waive a year or so of experience?

Just curious.

BTW I hope you passed!

paul78

N2IT- the work experience for ISACA certs vary a bit depending on the certification.

CISM requires 5 years of infosec experience and 3 of those years must be in infosec management. If you have a CISA or CISSP, or masters in related field it waives 2 years of work experience. 1 year can be waived for certain specific certs and fulltime teaching in a university. The 3 year minimum of infosec management cannot be waived.

CISA required 5 years of audit or infosec experience. Up to 3 years can be waived via various methods. I don't think any certs are accepted. 1 year can be waived for a degree but only specific degrees from specific universities are accepted. You can waive 2 years if you are a professor fulltime teaching certain degree programs.

CRISC requires 3 years of risk management experience. There are no waivers allowed.

I don't know much about CGEIT. But I am sure it is equally confusing .

CISPhD

victor58 wrote: »

But what I am hearing, ISACA tends to frame questions to make sure people do not pass the exam.

I doubt they would go so far as to try and make the questions impassable... That seems a bit counter intuitive to me. Exams are made to be difficult, to ensure you understand the concepts ISACA is trying to convey. That is not to say these "concepts" represent real world, but ISACA is a standards organization. They work to try and standardize and evolve what is happening in the industry much in the same way ISO or other standardization bodies do. While the exams may seem difficult, for reasons outlined, I doubt ISACA is trying to make the exams impossible. The more people they have CISA certified, the more funding they receive, and subsequently, the more work they can do to standardize the field.

The concept of what ISACA sees as correct versus what happens in the real world was something that was difficult for me to wrap my head around for several weeks. But looking at it from a standpoint of ISACA trying to "evolve" the industry helped. You also have to look at this like any other cert exam... There is the book answer, and then there is the real world answer.

N2IT wrote: »

I believe I read you need 3 years of managerial experience in a security function. Can certification or education waive a year or so of experience?

You do indeed need three years of managerial experiene. You require a total of 5 years of information security related experience, as defined by ISACA, including 3 years of managerial experience, and 2 years of practical application experience. The 2 years of practical application experience can be substituted with a graduate degree from a regionally accredited (not nationally accredited) university in a variety of majors. The specific majors are outlined in the CISM bulletin.

Thanks for the well wishes on the pass. I'm only two days into the waiting period and I'm already chomping at the bit!

outsider73

Whaooh I took the CISM exam too here in France. 3 hours and 50 minutes to complete it.
A few English words that I didn't know... too bad it's not like for CISSP you cannot bring your translation dictionary.

Honestly it was tougher than the different preparation tests done before.

Since I still can't understand how many correct answers or percentage you need to get to succeed, I cannot say whether I'm good or back to the exam room in June 2013! 200 points if you have a few good answers... what about everything is wrong what is the score then? 450 to pass... what does this mean? I hate this! this is not clear. Can't it be like Microsoft or ISC² 70% or something to pass?!?

I studied the CISM book of 2011 and there were very very few questions about mobile devices and the cloud so it was still a good resource.

N2IT

Thanks for the follow up

I'll stick to the MBA for the meantime.

paul78

I am curious...

For the folks that took the CISA who expressed that it was challenging, did you take the exam in your native language or English? And do you have infosec experience? I wonder if the CISA was skewed toward US English and infosec topics. I noticed when I took the CISM and CRISC, there were definitely questions which were judgement-based and I had to rely on my infosec experience versus anything in the Review Manual.

Falasi

I had few issues before this exam ; had 2 weeks of shifting and 2 other weeks of sickness . entered the exam and I was like "CISM studies should help on CRISC since I had high marks in Risk".

The exam was somehow funny , I'm not sure how I did as I followed common sense ... will know If i'll repeat it by June or do CISA. GL all

sandiego_f

paul78 wrote: »

I am curious...

For the folks that took the CISA who expressed that it was challenging, did you take the exam in your native language or English? And do you have infosec experience? I wonder if the CISA was skewed toward US English and infosec topics. I noticed when I took the CISM and CRISC, there were definitely questions which were judgement-based and I had to rely on my infosec experience versus anything in the Review Manual.

Hi,
I have more than 7 years of experience in information security. I would say i have a very deep and broad knowlegde in this field. I answered within my first try almost every question of domain 5 correctly. I was very disappointed having the feeling that this part has not been tested as planned with a percentage of 31%. I took the exam in english. At first I worked for 2 years in the UK as an it-auditor and had never any problems with my english. Now I work for a very large company (more than 200.000 employees) since more than three years and participate within a lot of global it-audits covering the whole world. I travel a lot etc. But this is not the topic. I think my experience is more than adequate for passing the CISA without and doubt.

This is why iam very surprised and extremly disappointed. The test did not test me in my knowledge about it auditing. Instead the questions were very vague about anything else than it audit and trying to trick me instead of trying to test the knowledge about it audit. But i dont want to say anything bad. Everything i say is just the feeling i had. A lot of people seemed to share this experience after the test.

ciphercodes

I took CISA exam in Raleigh, I was not surprised at questions at all as this is the way ISACA constructs their questions, infact I was expecting this exam to be more difficult. I think I did well on the exam but the results will explain how I REALLY did. I studied the CRM and went through the questions database once.

DavefromMD

I took the CISA test on Dec. 8th. I was also surprised about the questions. With IT back ground with lots of development, PM, security and auditing experience, I was hoping it will be more technical. Questions were similar to the V12 DB from ISACA. Not exact words repeated, but similar. The first 5 questions, I thought I had already seen before and that set the tone. I felt good about my performance. What really helped me was looking at the question from ISACA perspective and not from my experience. This I learnt while preparing for PMP. The books I studied and the forums I visited insisted look from PMI perspective. I did exactly same here. I fully agree with Ciphercodes above. I was not surprised about the question format, though I was expecting and wishing it to be more technical than general. Like BMAC, I also answered about 5000 questions and I knew exactly how the same question can be twisted many different ways. I registered for test on 10/3 and got study material a week later. So, I had less than 8 weeks to prepare. CRM and V12 DB are my main source. Well, I will know in 2 months, pass or not.