ISACA vs (ISC)2

Can anyone shed some insight on the difficulty of ISACA exams compared to (ISC)2.

Find more posts tagged with

Comments

I thought that the level of difficulty was about the same. The question style was similar in both cases. The differences were really about content. The ISACA questions tend to be more process and business focused whereas the ISC2 questions had a little more technical interest.

My experience was with CISM, CRISC, CISSP so I imagine it could vary based on the other exam content.

Also - when I took the exams, they were only available as paper based. So if you took the electronic version of the CISSP, that would be one big difference which you may have to contend with. I believe that ISACA exams are still all paper based.

NimrodHunter

My I ask what you used to study/review for CISM and CRISC? I am looking to take both these and CISA with CISM probably last, since I already have CISSP

AverageJoe

I've taken the CISM and CISSP, and I agree with Paul78 that the difficulty level of questions themselves is about equal. I found the CISSP to be a little easier for me because I was more familiar with its domains going in.

In preparing for the CISM I used ISACA's CISM Review Manual and William Manning's CISM prep book, 2nd edition. I didn't find either book to be particularly riveting, but they did the job. I think there's a much better selection of highly readable CISSP prep books.

Also, Paul78 is right that the CISM is still paper-based. That didn't bother me a great deal, but I did feel like I was wasting a lot of time trying to get circles colored in right with my number 2 pencil. As it turned out, I finished with plenty of time to spare, so it really wasn't an issue... but I didn't know that early on in the test when I didn't know how long it would take to finish.

The biggest difference was after the tests! I left the CISSP knowing I passed. I left the CISM hoping I passed, but not knowing for sure until a month later when I received my e-mail notification that I passed. That wait the toughest part!

Good luck!
Joe

paul78

NimrodHunter wrote: »

My I ask what you used to study/review for CISM and CRISC?

I used the ISACA Review Manual and the ISACA Review Q&A. When I took the CRISC, I also purchased the online practice questions a few days before the exam. The actual online practice questions wasn't really very useful and redundant to the Review Q&A. I understand that the CISM practice database is decent but I didn't purchase it.

Also Joe brings up a good point - because it's paper based, there is a lot of time spent circling in the answers. I recall that for the CRISC, I finished with little time to spare.

dustervoice

I find Isaca exams to be more challenging not from contents of the domains but the wording of the questions. Isc2 questions are straight forward and clear, you know exactly what they are a asking. On the other hand, Isaca's questions are very confusing at times and the wording is really strange. when practicing the DB questions when an incorrect answer is explained you will think "i had no clue that's what they were asking". Also you must think the isaca way, forget all your real world knowledge! Dont ask why they continue to use PBT.

Remedymp

dustervoice wrote: »

I find Isaca exams to be more challenging not from contents of the domains but the wording of the questions. Isc2 questions are straight forward and clear, you know exactly what they are a asking. On the other hand, Isaca's questions are very confusing at times and the wording is really strange. when practicing the DB questions when an incorrect answer is explained you will think "i had no clue that's what they were asking". Also you must think the isaca way, forget all your real world knowledge! Dont ask why they continue to use PBT.

Your comment echo's word for word how I feel about ISACA exams. I couldn't agree more.

andhow

I felt that the CISSP exam included more facts about technology and the cybersecurity world. If you have traditional "old school" IT experience, you probably already have a lot of the knowledge from your work in networking, server setup, active directory, firewalls, and all the rest to the understand many of the ISC2 domains. Certainly there were a lot of questions designed to see if you were approaching issues from the perspective of a manager, not an analyst or sysadmin. Example:
What should a security manager do first when they believe a web server has been compromised?
1. Engage incident management protocols
2. Segregate suspected system from the network
3. Protect system security logs
4. Notify business of a possible breach
The answer is almost always to follow the established protocols. Management manages and should not start "fixing" the problem.

ISACA exams seem to reinforce certain points that they believe are key. For instance, if you get a question that is asking you to choose the most important factor in a security design, the answer is always that it meets the business goal. ISACA reinforces the idea that the business must prioritize legal, privacy, and other factors. The business is accountable for articulating the risk tolerance. The security manager (CISM exam example) is accountable to implement the relevant controls. A lot of people get hung up on this especially if they get a question that asked them what is most important. Example:
What should a security manager prioritize the highest?
1. Host nation legal compliance
2. Privacy
3. Business objective is met
4. Compliance with relevant international laws
Sounds like a no-win question, right? If in doubt, align with the business.

One thing to know when preparing for the exams is that while understanding the ISACA and ISC2 facts are important, you also need to understand how they expect you to apply the concepts or principles. If you get a question that doesn't have a clear answer, ask yourself if there is a ISACA or ISC2 principle that is relevant.

mokaz

dustervoice wrote: »

I find Isaca exams to be more challenging not from contents of the domains but the wording of the questions. Isc2 questions are straight forward and clear, you know exactly what they are a asking. On the other hand, Isaca's questions are very confusing at times and the wording is really strange. when practicing the DB questions when an incorrect answer is explained you will think "i had no clue that's what they were asking". Also you must think the isaca way, forget all your real world knowledge! Dont ask why they continue to use PBT.

Well you're correct and honestly i'd define ISACA by "vague and closed". There's only one source for any available study materials, ISACA (which for this only shall have raised my suspicions). You've got to understand the ISACA way, which between us is nowhere on my radar. On top of that the only real difficulty about their exam is that you don't really understand either the question nor the answers, it's like they've got straight questions filtered with old English and applied the vague plugin on top... So honestly i don't really understand any hype about it at all... Although maybe these certs aren't geared toward people in IT but more for the tied up finance folks or such...

I went through it once and i'm not planning to get back at it.

On the contrary, I've had a good time at my CISSP.

Remedymp

mokaz wrote: »

Well you're correct and honestly i'd define ISACA by "vague and closed". There's only one source for any available study materials, ISACA (which for this only shall have raised my suspicions). You've got to understand the ISACA way, which between us is nowhere on my radar. On top of that the only real difficulty about their exam is that you don't really understand either the question nor the answers, it's like they've got straight questions filtered with old English and applied the vague plugin on top... So honestly i don't really understand any hype about it at all... Although maybe these certs aren't geared toward people in IT but more for the tied up finance folks or such...

I went through it once and i'm not planning to get back at it.

On the contrary, I've had a good time at my CISSP.

It's geared toward IT people. The purpose of the CISA is to demonstrate the comprehension of the frame work of auditing information systems. Even if a candidate does not pass, the knowledge from the study guide is used to audit information systems. Which is very lucrative at this point with all the breaches happening in the enterprise.

mokaz

Remedymp wrote: »

It's geared toward IT people. The purpose of the CISA is to demonstrate the comprehension of the frame work of auditing information systems.

Of which, the framework, has to be applied through the ISACA gyroscope. Which renders things a little narrowed down if you ask me..

dustervoice

..... and if you do pass, don't forget to FAX

in your endorsement form!

andhow

dustervoice wrote: »

..... and if you do pass, don't forget to FAX in your endorsement form!

I wonder if the archaic way that ISACA manages the test (and endorsement) somehow keeps the certifications more rare and valuable. I sure hope that's not the reason why they resist coming to the 21st century...

Remedymp

andhow wrote: »

I wonder if the archaic way that ISACA manages the test (and endorsement) somehow keeps the certifications more rare and valuable. I sure hope that's not the reason why they resist coming to the 21st century...

From my understanding, it's so test takers couldn't do brain ****. But, I could be wrong...

JoJoCal19

andhow wrote: »

I wonder if the archaic way that ISACA manages the test (and endorsement) somehow keeps the certifications more rare and valuable. I sure hope that's not the reason why they resist coming to the 21st century...

I disagree, with every InfoSec newbie and their dog getting the CISSP nowadays I prefer if ISACA kept it how it is that way when I go for CISM and CISA next year, they keep their value

mokaz

JoJoCal19 wrote: »

I disagree, with every InfoSec newbie and their dog getting the CISSP nowadays I prefer if ISACA kept it how it is that way when I go for CISM and CISA next year, they keep their value

To be honest, i think that if i passed my examination with them, i might turn down the certification enrollment specifying that THIS is excatly what will make me outstand @ any HR where i'd be welcome to work for...

EasyPeezy

mokaz wrote: »

To be honest, i think that if i passed my examination with them, i might turn down the certification enrollment specifying that THIS is excatly what will make me outstand @ any HR where i'd be welcome to work for...

...ehmm! You are not certified until you apply for certification. Passing the exam is just one of the requirements, you are either in or out.

dustervoice

what about people who are contractors and get a new gig every 3 months do they have to chase down 20 past managers to prove years of experience?

andhow

dustervoice wrote: »

what about people who are contractors and get a new gig every 3 months do they have to chase down 20 past managers to prove years of experience?

I'd run that question by ISACA. I'd hope that they would ask you to document/detail the experience and list prior contacts. It certainly isn't unusual to run into a situation where a past contact is unreachable. I've run into that situation with past military experience where I was asked (during an interview) if they could contact a military office about specific experience. I had to point out that the base had likely completely turned over in the several years since I had worked there.