CISA Dec 2016 Study session in Johannesburg

It’s that time of year again when the CISA December exams are looming large. There are just a few weeks left until the exam and if you are writing you should be getting into the thick of things.

It is always much easier studying in a group than trying to do it alone.

A study group has been established in the Gauteng area and EY has been kind enough to provide the venue. The group (currently around 12) is getting together each Saturday morning at the EY offices in Sandton. The first session was held last Saturday and covered a general intro (slides attached) and a run through some questions from the database.

We are getting together each Saturday until the exam day. Message me if you want more details or come meet with us at the EY offices around 9 (for a 9:30 start).


CISA 2016 Self Assessment Model Answer

If you are writing CISA this year and have completed the self assessment on the ISACA site, you will see that although you get a score, you don't get to see where you went wrong or what the correct answers are.

Below is the model answer so you can see what is happening. Thanks to Grant for helping compile this. Around 10 questions have changed from the 2014 version.

(Apologies for not having a clickable link; there seems to be an issue with my WordPress install that I need to resolve.)


Writing CISA? Save cash by becoming an ISACA member

Over the years I have liaised with many people writing the CISA exam. This can be quite a costly exercise. Many people don't realise that they can save (a little) cash by becoming an ISACA member before they register for the exam and buy the study guide and Q&A database.

I put together a comparison of the options, as shown below, using South Africa as the example country. Country dues vary from country to country, so the saving (or not) needs to be recalculated for your country if you aren't living in South Africa. These country membership dues can be found here:

what does cisa cost


Hope this helps you in your registration process, saves you some money, and gains ISACA a membership. Don't forget that with the membership comes a whole host of benefits, including access to your local chapter, research materials, the ISACA magazine, discounts on ISACA material such as COBIT 5 and access to an on-line library.


Tips for CISA studies and questions answered

I have recently received a few mails and had a few discussions around tips for the CISA exams (thanks MacVite Chadza, Sunil Nangare and others). During the CISA sessions we held earlier in the year there were a number that covered this, with session 14 explicitly doing so. Go and take a look at this post: Session 14. I would suggest you download the slides from the link and then also watch the YouTube video where we discuss the slides. Finally, download and read Shirish Deshpande & Rafeq's excellent Tips guide: tipsforcisaexam

In addition to all of that, a few final comments.

Firstly, try to start preparing at least 3 months ahead of the exam to give yourself sufficient time for each section. I would suggest spending two weeks on each Chapter, and then an extra week or two on those on which you are struggling. Set yourself a specific timetable to ensure you spend the requisite time studying. Take a look at the schedule we included in each week’s slides as an example. Feel free to update your schedule as required, but keep to the general plan. Keeping the discipline when studying alone can be very difficult so try to find one or two (or more) people in your area who are doing the exam and set up a study group. Getting together on a regular basis to discuss progress and issues is a good way of forcing yourself to keep on track.

Try to do all of the questions available. Personally I prefer the on-line questions database. It is configurable to give you what you need at the time you need it, whether you have half an hour here or there, or want to do your questions in one- or two-hour stretches. If you are using the Q&A books, try to get all of them, with the supplemental questions. See some further thoughts on this in my answers to the questions below.

A mail I received from Sunil Nangare from India asked some more specific questions, which I list below with my suggestions. Thanks for the feedback and questions Sunil, I hope this helps.

Q1. For Domain 2, on the segregation of duties matrix, any tips/short-cuts to remember the matrix? Further, whether it is important to remember all the roles to identify the SoD or incompatible

I don't have a specific trick to learning this table of duties. Personally I struggle to learn things off by heart; I need to understand the concepts and principles in order to be able to remember. For matrices like these, try to understand the job functions that each of these roles should be performing. Understand the principles of which functions should not be combined with other functions and why. This can then assist in answering questions on which functions can and can't be performed together. In practice we also see that many organisations struggle with staff shortages, which necessitates that people double up (or more) on the job functions being performed. Many times this results in incompatible functions being performed. Try to stick to the theory in answering questions on this area rather than base your answers on what you are seeing in practice. Also try to think about what compensating controls could be put in place to allow people to perform what otherwise may be considered conflicting roles.

You will not have to reproduce a table like this, but would most likely get one or two questions on it, either directly or through a case-study-type question. So you don't have to know all the roles well enough to list them, but you could be asked about any of them.


Q2. In addition, whether it is a good idea to solve all the questions in the online database after revision of each chapter or we need to space it out in a sample of 50 questions. Further, what is a good score from the online database which will give a comfort on the preparedness.

I would do this on a sample basis. Read each chapter, do the revision questions in the Review Manual, do some of the questions from the database, make sure that you read all of the answer explanations regardless of whether you got the answers right or wrong, identify areas where your knowledge is lacking and then revise those in a bit more detail. The online database keeps track of the questions you get wrong, so it can be used to come back to those.

Q3. If the sample method is to be followed, how do we revise and work upon the questions which have been incorrectly answered?

As above, read all of the explanations for all of the questions, regardless of whether you got them right or wrong. Revise from the Review Manual on those areas where you had a number of incorrect answers. I used the database to first give me “new questions” that I had not previously answered. I would do a few batches of these. Then I would set it to only give me questions I had answered incorrectly the previous time, and work my way through answering these questions again, and hopefully getting them right the second time. If I still got a few wrong I would flag those for extra attention. In doing this, by the time I got to the exam, I had answered every question in the database at least once, and the last time I had answered the question I had answered it correctly.

A number of people suggest using a lot of supplementary material to the Review Manual. I would agree with this, however, only after you have been through the manual at least twice, in detail, and answered all of the review questions. I would suggest extra material (beyond what is in the Review Manual) where you are struggling to understand concepts. Areas I have seen people struggle with include cryptography, networking and firewalls, and sampling techniques, amongst others.

If you go through the on-line videos I posted on YouTube, or download the PDFs of the slides, you will see that in some cases there are links to supplementary videos and extra material to download. I would suggest you watch these and download the material. The ISACA CISA glossary of terms is an extremely useful document. Download it and use it throughout your studies. Even print a copy that you can then highlight as you come across each term, and flag those you may be struggling with. By the time you have finished your studies you should have used and understood all of the terms.

Should you have any further questions or comments, please feel free to mail me, or to use the comments section below. Good luck with the studies.

Main Security Challenges with Convergence of IT & OT, (ISC)2 SecureJohannesburg

I had the privilege of presenting at the (ISC)2 SecureJohannesburg event last week on "The Main Security Challenges with the Convergence of IT & OT".

The abstract for the presentation was:

"In critical infrastructure shared across public and private sector organisations, we have seen an increase in interconnections between operational technology (e.g. SCADA, ICS etc.) and information technology.
Previously air-gapped systems, which control key processes with potential loss-of-life consequences when compromised, are now exposed to the organisation's internal networks and sometimes even the public internet. Most of these systems are managed entirely differently from typical IT assets, and by a distinctly different organisation.
The two top priorities in OT are up-time and safety, making things such as patching and even monitoring much more complicated than in IT. Currently, as with so many matters related to information security, the operational technology security conundrum is too often dismissed as a technical challenge.
This presentation will zoom in on the main organisational and often political challenges that will need to be overcome prior to successfully addressing the technical and process changes required for combining IT and OT in a more unified approach to cyber security."

Below is the PDF of the presentation. Questions and discussion welcome as always.