How to Pass Certification Exams

Getting ready to take the CISA, CISM, CISSP, CIA, PMP, MCSE, or other certification exams? Here’s what you need to do to pass those tests:

  1. If Shon Harris has a book for your certification (CISA or CISSP), get it. Her books are not only excellent, but quite humorous.
  2. Use the “official” (but usually really boring) book issued by the organization that issues the certification. Official books have the most focused content; they are just poorly written.
  3. Study at least one other book other than the official book to get a different viewpoint and help you understand the more difficult content.
  4. Take notes as you read the books to create your own cheatsheet on the topics you struggle with. It’s much slower, but it helps you digest and learn the material. Review your cheatsheet periodically. (A link to my CISA cheatsheet is at the bottom; I didn’t publish my CISSP cheatsheet as it’s too out-of-date, as that was looooong ago.)
  5. Use practice questions (in addition to those that come with the books). The more the better–you should use at least 1000 practice questions between the books and additional question kits. The “official” practice questions are your best bet. Note which questions you miss, review that material again, and test yourself again with just those questions.
  6. Make sure you take advantage of the free quizzes from at About 90 questions are available.
    – To start your quiz, use the small link at the very bottom of the page, called this link (free registration required).
    – When choosing the quiz options, make sure to choose only questions that are “closely related,” otherwise you will also get questions for other certifications.
  7. When reading a question, look for the limiting word(s) in the question like “preventive control” or “symmetric encryption” that help you weed out the incorrect answers.
    • Watch out for words like NOT, BEST, and UNLIKELY that might alter the question’s direction.
    • Note whether the question is focused on the process or who’s doing the action. That helps eliminate answers. For example, if a question asks what would an auditor do next, you can eliminate any answers involving tasks auditors don’t do, like applying patches, implementing controls, or moving code into production.
  8. After you read the question and pick an answer, read the question again, and all the answers again, and make sure the answer fits the question. Make sure you read the question AND the answer correctly.
  9. Pick the best answer, even if it’s not totally correct. Sometimes you’ll get 4 answers that are all wrong, but one is more right than the others–pick that one.
  10. Remember that management is ultimately responsible for everything. When in doubt, pick the answer that involves the highest level of management, including the board of directors.
  11. During the exam, answer each question as you go along. Don’t leave any answers blank in case you run out of time.
  12. Mark all questions that you’re not sure about. When you finish all the questions, go back and review those questions. Don’t be afraid to change answers on questions you’re not sure about.
  13. Study. Hard. Learn the material. If you study only to pass the exam, it will catch up with you eventually.

Do you have any tips? Please leave a comment…



If your exam is the CISA, check out ISACA’s own CISA Self-Assessment exam (get it here), but make sure you read my post entitled, Where is the IS in CISA?

Download my FREE CISA Study Guide!


Studying for the CISSP or have some advice for those studying for this exam? Check out the Least Privileged blog for this person’s experience with the exam (he failed the first time) and lots of CISSP resources. He tells it straight. Nice job, Durk!

Here’s another great resource, The Thrifty CISSP.


Related posts on this blog:

Top 10 Pay-Boosting Tech Certifications

CISA vs. CIA Certification

FREE CISA Study Guide

Where is the IS in CISA?

More on the CISA Exam

Fun CPEs for CISSPs



Filed under Audit, Certification, How to..., Security, Technology

12 responses to “How to Pass Certification Exams”

  1. Pingback: Top 7 Reasons for Security Certification | ITauditSecurity

  2. A.A.M

    Just wanted to know whether CISA Certification is of any good, if you are a software programmer. I have no experience or degree in IT auditing, especially auditing.


  3. TT

    Passed my CISSP exam by studying “AIO”. Started reading a book named AIO for CISA today. Chapter 1: “IT Governance and Management” Oh, not again! Another torture starts…..:)


    • TT,
      Congrats. The All-in-One (AIO) book is great.
      After CISSP, CISA should be easier, assuming you understand auditing. If not, focus on the auditing side and go light on the IT side.

      The torture is worth it, and you know it. :)

      Go for it. Mack


  4. TT

    Thank you! Thank you! Thank you! Your encouragement is what I really need!

    Don’t have any auditing background although I have degrees from business schools. I will absolutely take your advice about focusing on the auditing side while studying my CISA.

    Regarding the IT side, open-source technology is my comfort zone. I am a RHCE. Should I take some training for Windows Server now, or will I be able to learn on the job? Well, perhaps the question I should ask first is whether I can get an entry level IT auditing job without Windows Server knowledge? I am perfectly ok to learn Windows, just want to plan my priorities.


    • TT,
      Your open source skills are very valuable. Lots of auditors still don’t understand UNIX or open source. Lots of open source concepts translate into Windows (cuz that’s where it all came from :).

      Download a free Windows server OS from Microsoft and play with it. Find some good Windows blogs and follow them.

      Yes, you can get on the job learning. Tell interviewers that you understand technology and open source, and can learn what you need on the Windows side. So much of auditing is stuff you’ve never encountered before, so you have to research and learn as much as you can quickly before you do the audit. That’s the way new technology is, and companies are always adopting new stuff, so sell that.

      I work with IT auditors all the time who don’t understand an Active Directory group from a rabbit’s foot. The trick is to ask good questions without letting the auditee know that you lack a lot of background. Lots of IT folks love to share their knowledge and show you how important they are. Soak it up.


      • TT

        Appreciate your advice. I guess that an IT auditor should always be a generalist whose IT background is a mile wide but an inch deep. Is it correct?

        You are right about “Lots of open source concepts translate into Windows (cuz that’s where it all came from :).” With a strong open source background, I am very confident to learn any IT technology, at least an inch deep :o)


        • TT,
          If by generalist, you mean well-versed in most aspects of IT, yes. Too many IT auditors I’ve worked with really don’t understand IT, just a little bit more than the average person.

          It is similar to a person who can put gas, oil, and antifreeze properly in a car trying to do a brake job. Just because you can do minor things doesn’t mean I trust you with my brakes.

          I think you’ll do much better than an inch, and surely better than the average IT auditor. Wish you the best. Mack


  5. Deniss

    I used exam practice software to help prepare myself to take the certification exam. I had tried other sources for test prep, but found them to be far superior. I passed the exam with no problems, because I went into the exam as prepared as anyone could be. They provide you free 60 questions exam simulation of all Products. You can have a try of Exam training products before you make your decisions to buy it. Also you can like another webpage, here you go for free dumps


  6. Deniss,
    I assume you mean you found the braindumps superior to the others.
    Thanks for commenting.

    Note to everyone else:
    1) I am not familiar with these sites, so I can’t vouch for them. Surfer beware.
    2) The one downside to braindumps (and to be fair, my own study guide on my blog) is that you are depending on the person doing the braindump (or study guide) to be accurate. The person who put it together determines the quality, so you have to be circumspect when you consume such items.

    While this is also true with official books like Shon Harris or the official CISA guide, they have editors who go through the material several times to reduce the likelihood of errors…

