How to Study for the PCI-ISA Exam and Pass!
If you are reading this post, you are either considering taking the PCI-ISA Exam or are already on your way studying. Unlike other IT exams, this one does not come with much supplemental study material. When I searched online, I found next to nothing on the topic, and no major training organization offers practice exams or study tips, how un-IT. The recommendations I make are for those who chose the online option, as I did.
HOW SHOULD I STUDY?
Let's start with the obvious. The Fundamentals Course, the fundamentals exam, and the online course are your best and only study materials to pass the PCI-ISA Exam. To prepare, I took notes on each slide and wrote the content of each slide verbatim into a document. As someone who has not led a PCI audit, I needed to do this, as each slide was essentially new information. If you have experience with PCI audits, you may not need to go to such lengths to prepare. I also made flashcards to memorize the basics, e.g. acquirers, issuers, SAQ types, PCI PA-DSS, etc.
I think what also helped a lot was the fact that I was reviewing and preparing for this year's audit by looking at our company's previous year's audit. Going line by line and reviewing all the information, I think I learned more about PCI-ISA exam study topics this way than by studying from the online course. Go figure, doing something in practice is the best method to commit things to memory. I was about 70 pages through the 200 page ROC template, which really solidified my knowledge of Requirements 1 – 4. In total I would say I put 30-40 hours into the experience over a 3 week period.
WHAT'S THE EXAM LIKE?
The PCI-ISA exam is 75 questions over 90 minutes and is conducted at a Pearson VUE exam facility. Bring your own earplugs, because the facility is hit or miss, and the one I was at must have been next to a frat house because loud EDM music was playing the entire time. A tip I learned studying for the GMAT: write down the number and the answer choices (a, b, c, d) for each question, cross out answers you know to be false, and underline the ones that you think have a chance of being true. When you flag questions for review, you can go back and concentrate on picking between 2 options instead of all 4, which helps to save time. Of the 90 minutes allotted, I finished in 60 minutes. My first run took 45 minutes, and I had 30 questions flagged for review that took 15 minutes to clean up.
WHAT'S ON THE EXAM?
Thankfully, the PCI-ISA Exam is not a test that asks "what is requirement 8.3.2, pick from these choices." It's more an exam that asks "according to requirement 8.3.2, how many times can a user enter their password incorrectly before the account is locked out?" The difference is that you are being tested on the content, and the requirement numbers are just there as a reference. To those of you who think you need to know all these requirement numbers by heart: you do not, but you do need to know what all the requirements are to some degree. As you have likely read before, 75% is the passing threshold, and you get a pass/fail and that is it. You receive instant results once you complete the exam and receive a printout as proof. The actual certificate will be mailed to you in 2 weeks' time.
Off the top of my head, here are a few things I recall being tested on the PCI-ISA Exam.
- Track 1 vs 2 data
- Encryption (Key encrypting Keys and Data Encrypting Keys)
- Key Custodians
- Account Lockout times
- Data retention of cardholder data on backup media
- Physical Security, Video Security retention period
- Secure Coding standards
- PCIP-Study – A blog I found from 2013 talking about the PCIP Exam, which is very similar.
- ISA Fundamentals Questions Screenshots – Halfway through my fundamentals exam, I figured it would be good to screencap the questions for review later. You can use these to review and familiarize yourself with the question format, as they are similar to the real exam.
- PCI ISA Exam In Person Comments – Not the best review, but something to read. Like I said, PCI ISA is not a well covered topic like the CISSP or Security+ exams.
- PCI DSS Report on Compliance Template – If you have never seen this, you probably should print it out to understand the amount of material that will need to be covered.
I would say about 30-40% of the PCI-ISA exam consists of more general security questions that are pretty common sense. A lot of the time, even when I did not know something at all, 2 of the choices would be obviously wrong, so I could guess and have a 50% chance of getting it right. The exam is also somewhat poorly written and did not always make sense grammatically. That does not, however, affect your ability to answer correctly.
As someone who previously took the CISSP, I can say this is about 35% of the effort and difficulty. It has a much narrower focus in terms of topics covered, and there are no scenario-based questions you really need to analyze the way the CISSP requires.
Good luck to those of you studying. If you have additional questions please comment below and I will do my best to answer them.