A Strategy for Tackling ISACA Certification Examinations

Sunil Bakshi
Author: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, MCA
Date Published: 27 October 2021

ISACA offers several certifications in technology areas related to IT governance, information security, information system audits, privacy, risk management and emerging technologies. These certifications are globally popular because they provide an independent evaluation of a candidate’s knowledge that helps organizations identify qualified and well-prepared candidates. However, passing these exams often requires extensive studying and preparation.

ISACA’s certifications focus on testing conceptual knowledge. The questions are designed so that each question tests one concept. Once you understand the concept, you can answer the question quite easily. Questions, Answers & Explanation (QAE) manuals are provided to get candidates acclimatized with exam-like questions and provide confidence about their preparation.

However, please note:

  • The QAE database is not a comprehensive set of questions. These questions have been drafted to help you gain a view as to how the exam questions will look and what kind of answers will meet the question’s ask. Repeated practice sessions of the database will be helpful, and candidates will be able to answer more easily due to familiarity. This will improve mock test scores but could also put you in a false comfort zone. 
  • The examination question bank is different from the QAE database. Examination questions are from the exam question bank, not the QAE database. In other words, no matter how many practices questions you solve, none of them will appear on the actual examination.
  • It is essential to focus on understanding concepts from the review manual. Once you have mastered the concepts, then schedule a mock test. Evaluate your scores. Once again, refine your understandings of the concepts in areas in which you made mistakes in the mock test. If you focus only on the QAR database, it may not prepare you for all concepts. 
  • ISACA certification exams are typically multiple-choice questions, and you may not find any question with NOT, EXCEPT, MINIMUM, etc. This means all options are applicable answers to the question, with a differentiating factor of keywords like MOST, BEST, MAJOR, GREATEST, etc. We must be careful in understanding the question’s ask and then selecting the most appropriate option.
  • QAE mock test results are never to be extrapolated because the circumstances are different, and questions are different. Mock test results must be analyzed for:
    1. Why have we answered wrong and
    2. Why have we answered correctly? Why check the correct answers? For two reasons:
      1. You may have answered a few questions by making the best guess.
      2. You may have answered correctly due to familiarity with the question that was solved earlier. This may elevate your score, but it may put you in a false comfort zone.

Preparing for exam day
Attending a four-hour examination can be strenuous and your concentration will start waning. Always take one-minute breaks every 20-30 minutes. For one minute do not think of the examination; think of something that will refresh your mind. This can also apply as you prepare for exam day.

After reading one concept, I will try to think of what kind of question will test my understanding of this concept. So, I will try to make my own question. What I found is you can write a question and correct answer quite easily, but the challenge is coming up with “distractors” that are not correct but still relevant and in line with the concept tested by the question. We have to write distractors that sound plausible (none of the above and all of the above are out). 

You will generally find that there will be three types of questions based on your preparation level. The percentage indicated in brackets below may vary depending upon your preparation and experience. The number I quoted is my own experience:

  1. Questions you are confident that you know the correct answer (about 45-50 percent)
  2. Questions that are a completely unfamiliar concept (about 5 percent, irrespective of preparation level)
  3. The rest are questions where you can easily eliminate two out of the four options but are confused between the remaining two options. This confusion is due to conflicts between best practices and your experience. 

The strategy I adopted to answer these questions is:

For the type 1 question, answer confidently and move forward.

For the type 2 question, make a best guess (there is no negative scoring).

For the type 3 question, think carefully about the concept and then mark your answer. 

However, please do not forget to manage your time judiciously. In case you feel you are spending more time on one question, make the best effort to answer the question and then flag it for review. If time permits, you may review them again before closing the examination. 

Understanding concepts
What do we mean by understanding concepts? Every certification is focused on applying concepts while working in an organization.

Let me illustrate with examples:

  1. Suppose your organization does not allow connecting an external device to an internal network. This may happen when the consultants, auditors or vendors are working for the organization and use provided laptops and other devices -. The concept here is to safeguard internal data and systems from unauthorized access. Now suppose a business head requested to connect the vendor’s devices to the internal network because they need to test the software developed by the vendor in the organization’s environment. What will be our decision?
  2. An organization does not allow end-users access to social media from the organization’s network. Now due to the pandemic, organizations have allowed employees to work from home (WFH). What will be the best course?
  3. And one of my favorite exam-like questions:

Q: A power outage in a geographic area is between 1 to 8 hours. Which of the following is the BEST solution? 

  1. Uninterrupted power supply
  2. Power generator
  3. Power from two different grids
  4. Power from two different suppliers

Now try to find solutions and then check my views below:

  1. The objective of “not allowing to connect external devices” is to prevent unauthorized access. However, the business requirements must be met. Therefore, to achieve both, we can provide one of the organization’s devices and suggest uploading the software to be tested on that device. Verify the software is free from malware and then monitor the activities of testing to ensure it is safe.
  2. The current pandemic situation has forced organizations to adopt a “new normal.” In this situation, enforcing old policies may not work. We need to reassess the risk associated with the current situation and revise the policies and procedures so that organizations shall achieve their objectives by optimally managing the risk.
  3. Most of us are aware that the UPS supporting 8 hours may not be technically and/or economically feasible. Therefore, we implement a UPS that provides an uninterrupted power supply for 30 minutes and then provide backup to UPS with the power generator for a sustained power outage. However, the question does not provide this option. And in confusion, many candidates choose other than the right answer because an 8-hour UPS backup is not feasible. To answer such questions, we must not deviate from the concept. The concept here is the availability of the system and, in the case of power outages, it is only UPS – all other options cause interruption or fluctuation in power supply. Though it may only be a fraction of a second, it might be sufficient to crash some systems. Also, the question is not asking about the feasible or cost-effective solutions, it is only asking for the BEST, which is UPS. Now if we face such a situation, we will select UPS, and then we will look to make it feasible for a sustained power outage.

I hope the mindset and approaches discussed above will assist you in whichever ISACA certification exams you pursue.

Editor’s note: Find out more about ISACA’s credentials.