As per the title, I received a provisional pass today. I'd like to share my experience and provide some advice for people who are anxious about spending big on supplementary training material.

For some background, I have a broad ops background and more recently 5 years in infosec, but very little hands-on auditing. I have been fairly anxious about the whole thing and I really only think I properly grasped some of the key concepts a couple of days ago. I started studying earlier in the year but didn’t really get into the swing of it until a couple of months ago. Had concentration and confidence issues initially which I resolved with some light exercise and some whacko ginkgo+bacopa supplements (I’m not into the woo - to be honest I think they just helped me sleep better and hence made me more on the ball in general).


As for material, buy the QAE and CRM only. I’ll admit the CRM was a bore (literally put me to sleep on several occasions) but I ploughed through it once the reality of an impending deadline kicked in. The QAE results were initially depressing, going from 60-70% in adaptive mode, but jumped to 80-95% once I reached standard mode and resolved my trouble questions. Remember to keep a positive reflective attitude with the QAE - disappointment will not help you learn the concept outlined in the explanation. See them as opportunities to learn something you didn't know previously, rather than a reflection of your ability to learn.

The best method IMO is:
  1. Skim through the CRM table of contents for concepts that don't look familiar and read those chapters.
  2. Only do 20 questions at a time in the QAE for the first few weeks.
  3. Use the rubric to map out prescribed reading based on your results.
  4. Read.
  5. Cycle through steps 2-4 a dozen or so times.
  6. Do some 100 question tests.
  7. Cry.
  8. Return to step 3.

Don’t worry too much with other books unless you’re really having problems getting through the concepts in the CRM. If you want moar, cycle through throwaway email accounts for 1-week trials of Safari Books Online. This will give you access to the older Sybex book, the All-in-One books and a set of videos by Sari Greene. I didn't look at those books, but the videos are okay. You can also get access to the Wiley test banks if you're not sold on the QAE.

Pluralsight has a good set of videos. You can either run on a trial, or get a free three month subscription through Microsoft’s excellent Visual Studio Dev Essentials benefits. I think Pluralsight have a good thing going on, the content is no-nonsense and they have a high standard of presentation - no riff-raff.


Both Safari and Pluralsight mobile apps allow you to run videos like audiobooks. This is good while driving, but for the love of our lord and saviour play them on 2x speed - listening to CISA content at normal speed may cause drowsiness and present a traffic hazard (this kills the candidate). Videos are great for getting a grasp on the concepts but they aren’t a suitable replacement for the official books.

Don’t bother with the CBT Nuggets videos, the guy is lively but I just found it silly and if I've learnt anything from studying for the CISA exam it is that auditing is a serious task that should be performed with a furrowed brow at all times. As far as I know, there are no legal means of getting access to the full CBT Nuggets suite without subscribing, so this is contrary to the needs of the starving law-abiding auditor.


If I could give myself some advice 12 months ago: don’t keep trawling the web looking for the ‘best resource’ or 'that killer cram sheet' - it’s just procrastination. There is a lot to get through, so it’s tempting to think that you might have missed some gem of knowledge... it’s all there in the CRM so read it.


All in all I am pretty chuffed. Now I just need to determine what I used to do with all that time I had before I was studying 7 hours a week.