3 min read

Reflecting on My CISA Certification

I passed and am now certified as a Certified Information Systems Auditor (CISA). Now what?

I got the opportunity to go through the CISA course and pass ISACA's CISA certification. It was quite a long journey, and I carefully prepared before I took the exam and finally passed it in the first try. Nevertheless, I still felt a lack of knowledge and realized there is a gap between what I know theoretically and the practices in the industry.

Over the past two years, I have worked intensely as an auditor, specifically as a digital security auditor in the non-profit sector. In the non-profit sector, we mostly conduct audits for advocacy groups or local/independent media. We also have our own framework for this type of organization: Security Auditing Framework and Evaluation Template for Advocacy Groups (SAFETAG). Developed by Internews, SAFETAG adapts traditional pentest and risk assessment methodologies to be more suitable for medium or smaller organizations, especially in the non-profit space. I have also published two guidelines in Indonesia about conducting an audit for CSOs and online media. Still, I was thinking something was missing.

From that curiosity, I decided to participate in two ISACA mentorship programs simultaneously, the regular mentorship and the student mentorship program. I am still early in the process, but the amount of insight I have already gotten is tremendous. It is such a privilege and a valuable opportunity to meet my mentors. They are truly role models for audit jobs, bringing their experiences, hands-on knowledge, and practical work in the industry across sectors. Every bit of my interaction with them is filled with insight and widens my thoughts.

Before we dig deeper, I'd like to mention one thing. CISA is indeed a paper-based proof that I know something, but regarding what and how I work, that's a whole different thing. I remember my course instructor stressed not to make CISA an end goal or the sole proof of skill proficiency. Moreover, this was also highlighted by one of my mentors, who agreed and said direct and practical experiences are more essential. I took these things not to discredit ISACA's CISA certification or the competencies from the certification, and the curricula and material about the certification itself, but rather I take it as an opportunity and challenge to learn more and involve myself deeper in this field. Reflecting on how hard I worked preparing for the exam, and the awareness that there are skills I am lacking, are the sole reasons I joined the mentorship. Furthermore, learning from experienced mentors is indeed boosting my capacity and knowledge about auditing way more easier.

As a mentee, I remember shadowing audit work for the first time. I had no clue what to do or what to say, trying to figure out why the process flows were being conducted. A lot of things were unknown to me, but I could grasp them faster through direct and practical learning. Moreover, I could clearly realize on what I was still lacking in terms of skills. Both my mentors pointed out that soft skills, such as communication, are essential. I know I can learn the technical stuff by myself, I have learned that way mostly all my life. But, as a technical person, experiencing the intricacies of soft skills is challenging, and I am looking forward to closing that gap. All of that is helped by the opportunity to learn from my mentors, and their offers to let me shadow them.

I would like to thank my current organization and Pak Bonaldi Kresnanto and Mr. Asif Mumtaz for the privilege of learning from them as a mentor. Passing CISA is indeed not a final milestone, but I learned a lot. It allows me to apply my knowledge to serve communities better, giving them proper and suitable support. I also look forward to sharing my knowledge and skills with my peers and other CISA aspirants who are still aiming to get the certification. Lastly, to involve and lears more specifically in the for profit industry.

In audit jobs, different sectors in industries do indeed have specific know-how to do the job better. But by widening my general audit skills, I hope I can implement them to make non-profit organizations and communities more secure against the shrinking civic spaces and unique adversaries they face, and explore how I can expand my support to serve communities across multiple industries.

I look forward to sharpening my skills, improving my knowledge, and learning further to help organizations and communities become more secure. Onward.