Tag: Certification

Update: CISA Certification and Frequently Asked Questions

CISA logoIn August 2014, I published a post about my experience with the CISA exam and the required experience. Even 3 years later, it is still the most popular post here and not so long ago, I was always seeing more requests after the exam dates. However, it seems that exams are not on specific dates anymore but within 3 specific testing windows throughout the year. I am still surprised by the number of comments I received on this post and I wanted to do an update with some recurrent questions.

Exam Before the Required Experience

It is absolutely possible to pass the exam before having the required experience. I would even recommend it to show your interest toward this field. Your current or future employer will recognize the effort invested in passing the exam. However, you have to keep in mind that you will have to obtain the required work experience and send your certification application within 5 years from the date of the exam. If you really need 5 years of experience and it is not possible to have any waiver, maybe the timeframe is unfortunately too short. But if you only need 2 to 3 years of experience, it is a good plan, in my opinion.

Even if you can’t introduce yourself as being CISA certified, it will definitely be an advantage to mention during an interview that you passed the exam. You will also receive a letter from ISACA with your passing score that you can use as a proof.

Substitutions and Waivers

You will need a minimum of 5 years of work experience in order to obtain the certification. It goes without saying that you need to pass the exam too with a score of 450 or higher. However, it is possible to obtain 1 to 3 years as substitutions and waivers of this experience. In any case, you will always need at least 2 years of work experience related to CISA domains.

  • One year : Any work experience in information technology (IT) or any work related to auditing. For example, financial auditing or compliance work experience such as SOX would be a valid auditing experience.
  • One year : For 60 completed university credit hours which are normally 2 years as a full-time student. The credit hours could be for an undergraduate and/or graduate degree. There is also no mention that you actually need to have obtained the related degree, as long as you have proof that you have completed the courses. It could be from any recognized university, on-site or distant learning.
  • Two years : For 120 completed university credit hours which are normally 4 years as a full-time student.
  • One year : With a master in information security or information technology.
  • One year : With a bachelor or a master degree that enforces the ISACA-sponsored Model Curricula.


The easiest way to obtain the work experience for the CISA certification is obviously to be an IT auditor. But it is not always possible for everyone and it is definitely not a requirement. It is important to carefully read all the job practice areas including the task and knowledge statements. There are many candidates who are surprised by these statements. The CISA practice areas include many work fields in IT and not only IT audits.

CISA Application

You will have to get the work experience 10 years before the certification application or within 5 years from the date of the exam. You only have to send your application to ISACA when you actually have all required experience. In any case, you absolutely have to submit your application within 5 years from the passing date of the exam.

Financial to IT Audit

If you are already performing financial audit with a CPA designation, it is absolutely possible to do the transition to IT audits. You could simply ask to be more involved with IT controls. You will already have the advantage to have an understanding on how audit works. There are many IT General Controls (ITGC) that don’t require advanced IT knowledge in order to be adequately audited. The Big 4 use an army of interns to audit these IT controls.


There are many more jobs related to the CISA than being an IT auditor. Many positions related to IT risk and compliance, even information security. However, there are other certifications if you want to work in information security and a candidate with the CISA would not be my first choice. I would recommend doing a search on a job posting website such as Indeed.

Worldwide Recognition

ISACA and the CISA certification are well recognized worldwide. A quick search on a job posting website and you will probably have many results. Furthermore, there are more than 200 local chapters worldwide.


When you are officially awarded with the CISA certification, you will then have to complete your continuing professional education (CPE) credits. The ISACA membership is not a requirement. However, I would recommend it to have access to many free resources in order to obtain your CPE credits.

ISACA Website

All information provided here could change anytime and the reference must always be the ISACA website. The page “How to Become CISA Certified” is mainly the reference about common questions related to the CISA certification. If you are unsure about your experience and possible waivers, I would recommend validating directly with ISACA and/or your local chapters. Each application is different and they are the only one able to validate your application.

CISSP: Passed, and One More Milestone Completed

CISSP By (ISC)² [Public domain], via Wikimedia Commons

Done. The 6-hour exam with its 250 questions is finally in the past. Yes, I am talking about the famous CISSP or the “Certified Information Systems Security Professional” exam from ISC2. This is the certification that most information security professionals will try to obtain at one point in their career. Why? For most recruiters and companies that are looking for a professional in information security, the CISSP is now the golden ticket for employment in this field.


I would say that it all started in 2015. Back then, I decided to pursue the SSCP or the “System Security Certified Practitioner” from the same organization. This was a shorter exam, which is a little more technical, but not deeply technical either. It helped me have a first experience with an ISC2 exam before pursuing the CISSP. Both exams share some similar domains, but not necessarily at the same level.

For studying, I only bought the official study guide, the CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, which I think is really well written. Knowing that I perform much better when I have the occasion to practice beforehand, I used the official practice tests, the CISSP Official (ISC)2 Practice Tests and even the mobile application, which is really great to use during daily transit. There are many resources available with thousands of questions.

The exam itself is as with any exam, just longer and more expensive. What about the duration? In about 4 hours, I was able to answer the questions and review a few trickier ones.


There are some criticisms on this certification among professionals in information security. There seems to be a misconception about the knowledge and experience obtained with this certification. These days, a company will look first for a candidate with a CISSP for any kind of role related to the world of information security. It could be from the typical information security analyst to any technical role such as penetration testers, security architect, encryption specialists, security cloud specialists, etc. This is the biggest mistake.

In my opinion, this certificate is a management level certification giving better insight into policies and standards. The CISSP will be able to guide and manage the information security objectives of an organization. However, the person in this role will be supported by people with technical know-how. It is not a technical certification. Obviously, it depends on the person’s professional background since it is possible to have a CISSP holder with a deep understanding of the technical concepts.


Well, it is now the waiting period. I will hopefully obtain the CISSP certification some time in 2019 after I have completed the required experience. Every holder must have 4 to 5 years of direct information security experience in at least 2 of the 8 domains. However, I must admit that this is a great advantage for this certification. There is a one year waiver possible depending on previous academic experience and other certifications. I also had a similar situation with the CISA where there is a 2 to 5 year requirement.

What’s next after the CISSP?

I am still unsure about the next step. I think I have completed the majority of relevant certifications. On the other hand, I am always curious in privacy matters and I would like to be more proficient in questions related to privacy law. There is indeed a certification that piqued my interest from the International Association of Privacy Professionals but it will be for a different post…

Why did I do the OSCP certification?

I am more an IT auditor, and on the business side of information security (at least, in theory, I still like doing many technical projects). However, it was still important for me to pursue the Offensive Security Certified Professional (OSCP) certification. At first, I was maybe interested in a career as a penetration tester (pentester) and it was indeed a good way to confirm, or not, my interest.

The OSCP certification is unique among other IT certifications. Students don’t have to “simply” learn theories and pass a multiple choices exam. To obtain the certification, students have 24 hours to gain privilege accesses to 5 servers. After that, a second 24 hours to write a report. Basically, it is a simulation of a client engagement to perform a penetration testing.

Students will learn by studying the Penetration Testing with Kali (PWK) which will introduce different methods on how to compromise servers. There is an electronic book and also really good videos. The material with allows students to have an overview of each concept. Kali is the Linux distribution maintained by Offensive-Security, previously known as BackTrack. In any case, the most important part is definitely having access to the virtual lab, Offensive Security Penetration Testing Labs. The lab is where students can exploit many machines with different types of attack. It is almost impossible to be able to pass the final exam without an impressive amount of time in the lab.

I must admit that I thought at first that it would have been easier to get through that intensive training. If you are interested in this certification, and the field of penetration testing, this is an amazing experience. However, you will need a lot of determination. You will get frustrated many times, and be stuck on many servers in the lab. Not just an hour or two, but probably for many days. It is possible to get through all servers, well, most of them… The solution is often kind of simple enough when the attack vector is discovered. After the first few servers, it is more and more an addiction to find out a way to get into a new machine.

You can always ask for help on their IRC channel, but they will never give out the solution or simply respond to… “Try Harder!”. And, yes, they are serious about it. I was not sure to really understand the meaning of those two words at first. I never really ask questions in class since I prefer to figure out things on my own. Most of the time, it is simpler and resources are available online. With the OSCP, it was not the case at all. They will be happy to guide you, but their responses are still vague, even if you have solved part of the problem. You will need to be ready to learn by yourself. The PWK will not give you the solution, it is just some tools to help you after in the lab.

I did the exam in January 2016, more than 1 year ago, and I still remember the exam. Probably more difficult than most exams during my university or other certifications. When I see someone with a certification from Offensive-Security, I know that they have gone through a lot. I don’t think that I would become a pentester in my professional life. However, it is definitely an important asset to anyone working in information security. I would recommend it without hesitation.