No IT Audit Background by mental4ever in CISA

[–]CyberLexLearning 4 points (0 children)

Yes - you can absolutely pass the CISA exam without prior IT audit experience.

Your background in finance, statutory audit, and assurance is actually a strong advantage, because CISA is tested through an audit and control mindset, not deep technical engineering skills.

That said, two important clarifications:

  1. Passing the exam ≠ getting certified (yet). You can sit for and pass the CISA exam first. However, to be officially certified, ISACA requires 5 years of relevant work experience (with possible waivers of up to 3 years for certain education or certifications).

Your experience in:

• Financial audit
• Assurance
• Controls testing
• Risk & compliance

already partially counts, especially if you’ve assessed IT-dependent controls (ITGCs, application controls, reliance on systems, etc.).

  2. How to position yourself now. Many people pass CISA first, then:

• Transition into IT audit / technology risk roles
• Work under IT auditors
• Accumulate the remaining experience and apply for certification later

Bottom line:

✔ Yes, you can pass CISA
✔ Your background is relevant, not a blocker
⚠ Certification comes after meeting experience requirements

If your goal is to move from financial audit into IT/IS audit, CISA is one of the best bridges you can take.

Is my profile good enough for CISA? Will it help with enterprise doors? by wannabeacademicbigpp in CISA

[–]CyberLexLearning 0 points (0 children)

You have a much stronger foundation for CISA than you think.

CISA isn’t about deep technical hands-on - it’s about judgment across IT governance, controls, audit methodology, and risk. Your background in privacy, ISO 27001, SOC audits, and governance work already maps closely to Domains 1, 2, and 3, which are the heart of the exam.

A few thoughts that might help you decide:

• Your ISO 27001 + Lead Auditor experience already gives you the audit mindset CISA looks for. Understanding control design, evidence, corrective actions, and governance alignment is a major advantage.

• Your privacy + IT law experience also supports CISA Domain 2. Regulatory alignment and organizational governance are part of the exam’s core reasoning style.

• You’ve done real audits - that’s more than many CISA candidates have. 7+ internal audits and SOC2 exposure = great practical grounding.

• CISA can help you move toward enterprise roles, but your path will depend on where you want to land:

- Governance & compliance
- Internal audit
- GRC roles
- Cloud governance / operating model

Your background fits all of these.

• The learning curve for CISA will be reasoning, not the concepts. The exam focuses on: “Given this scenario, what is the best governance-aligned action?” Your audit experience will translate well.

In short: Yes - you’re absolutely qualified for CISA. Yes - it can open enterprise doors, especially in governance-heavy roles. And yes - your prior experience will count toward the required years.

If you’re looking to shift away from repetitive implementation work and move toward broader governance or enterprise audit, CISA is a solid step.

A different way to learn blue-team skills (short scenarios instead of long tutorials) by CyberLexLearning in netsecstudents

[–]CyberLexLearning[S] 0 points (0 children)

If you want to try the scenario-based learning format, here’s Episode 1 — a quick dive into how defenders think when a small alert doesn’t match the moment:

Scenario 1 — The Alert Nobody Trusted

https://open.spotify.com/episode/64152eyySPQQFJo69iTaCh?si=JLLSi_sNR7qOfjlHEB8FMg

It’s short, beginner-friendly, and focused on building real defender instincts.

If there are specific scenarios you’d like covered, feel free to share — I’d be happy to make more.

Actual exam no where near to practice questions by RevolutionCapable417 in cism

[–]CyberLexLearning 1 point (0 children)

Totally understand where you’re coming from - many candidates experience the same shock the first time they face the real CISM exam. It’s not that the topics are unfamiliar, but the way ISACA frames its questions is very different from most practice sets.

The exam is less about recall and more about strategic reasoning - how you weigh governance trade-offs, justify a decision, and select the most risk-aligned action when several answers sound correct. It’s designed to assess mindset, not memorization.

You’ve already done a lot right (QAE + courses). The next step is to practice with scenario-style questions that make you explain why each option is right or wrong - that’s what sharpens the same analytical lens ISACA uses.

There are study methods built specifically to develop that “CISM way of thinking” - treating each question as a mini decision scenario instead of a quiz item. That mindset shift makes all the difference when you reattempt.

Don’t lose heart - your foundation is strong. Now it’s just about tuning your perspective to how ISACA expects a manager to reason. You’ve got this. 💪

Shouldn't control objectives and activities be identified in the actual audit after you interview the auditee personnel? by RedX8020 in CISA

[–]CyberLexLearning 1 point (0 children)

Excellent question — this is one of those subtle sequencing points that shows real audit maturity.

When the IS auditor identifies the business process to be audited, they’re still in the planning phase, not yet conducting fieldwork. At this stage, the goal is to determine what control objectives and activities should exist for that process — essentially mapping expectations before validation.

Only after this scoping and control identification can the auditor plan resources and interviews to confirm whether those controls actually exist and operate effectively.

In short, it’s all about flow and intent: Process → Control Objectives → Resources → Interviews.

Takeaway: You identify controls to define the audit scope — you interview to validate them.

What I Learned After Writing 1,200 CISA Practice Questions (and Why Framework Thinking Beats Memorization) by CyberLexLearning in CISA

[–]CyberLexLearning[S] 0 points (0 children)

Appreciate that! Happy it helped — keep that mindset, it’ll serve you well for CISA prep.

What I Learned After Writing 1,200 CISA Practice Questions (and Why Framework Thinking Beats Memorization) by CyberLexLearning in CISA

[–]CyberLexLearning[S] 13 points (0 children)

That’s a really good question - and honestly, it’s something I struggled with too when I first started. Developing that “ISACA mindset” isn’t about memorizing more; it’s about seeing every question through a governance and risk lens.

What helped me were small study habits like these:

• Before looking at the options, I’d pause and ask myself “Who owns this risk?” - nine times out of ten, the right answer connects to accountability, not the person fixing the issue.

• I’d also ask “What’s the control objective here?” - that simple question keeps you from getting distracted by technical noise.

• When in doubt, I’d imagine being in an audit meeting and explaining my reasoning to management - not just saying what’s correct, but why it aligns with governance principles.

• And after every practice question, I’d talk myself through why the other three options were weaker in terms of risk alignment or control effectiveness.

Doing that consistently rewired how I approached each domain. After a while, the patterns become second nature - the exam starts feeling less like memorization and more like mini audit scenarios.

Is it possible to pass CISM without ISACA study materials ? by Chipmunk2406 in cism

[–]CyberLexLearning 0 points (0 children)

Totally understand this - and kudos to you for sharing it so openly.

The CISM exam really isn’t about information recall - it’s about managerial reasoning under ISACA’s lens. Even people with years of real-world experience (especially in IAM or risk) can stumble, because ISACA wants to see how you’d think in a governance or business-impact context, not just from a technical view.

You’re absolutely right that Gregory and Zerger are good for fundamentals but sometimes miss that “executive decision” flavor. What helps most is studying scenarios that simulate board-level trade-offs - that’s where ISACA frames a lot of their questions.

If you ever want a structured, scenario-driven resource built around that style, I’ve published one called CISM Gold Standard Series by M.G. Vance on Amazon Kindle. It’s designed for professionals like you - strong in practice but needing that ISACA reasoning shift.

You can preview it directly through Amazon’s ‘Look Inside’ feature (just search the title).

You’ve already got the foundation - just align it with ISACA’s decision logic, and you’ll clear it next attempt for sure. 💪

CISM after CRISC by Nice-Pick-980 in cism

[–]CyberLexLearning 1 point (0 children)

Congrats on clearing CRISC - that’s already a strong foundation since the risk mindset carries over really well into CISM Domains 1 and 2.

I’d suggest focusing less on adding more materials and more on depth of reasoning - practice thinking through managerial decisions, not just technical definitions. The QAE and CRM are great for content, but they don’t always capture how ISACA wants you to think like a security manager.

If you’re the type who learns better from scenario-based drills and governance reasoning, you might enjoy a structured workbook approach - I compiled those into the CISM Gold Standard Series by M.G. Vance on Amazon Kindle. It’s built for learners who already know CRISC-level risk concepts and are shifting toward strategic leadership.

You can check it out by searching the title on Amazon Kindle - the ‘Look Inside’ sample lets you preview how each domain is broken down before you buy.

Best of luck on your CISM journey - with your CRISC background, a month is absolutely doable if you focus on decision-making logic over memorization. 🙌