How I Passed the CISM Exam (2023)
As someone who has come from a very technical background and had to learn the business side of information security, I feel this experience is very relevant to those with similar backgrounds.
As this was my first ISACA certification, I wasn’t exactly sure how to approach the studying aspect of the CISM exam. I was referred to ISACA’s QAE, which is a database of sample questions where access is sold for a 12-month period. I found that by doing a few rounds of the practice questions there were areas I was good at and others where I was missing something. The thing about the QAE is that even if you read the correct answer after getting a question wrong, it can be really difficult to understand the larger reason as to why that is the case. There were also a bunch of terms I needed to have clear definitions for. At this point I was averaging around 60% on QAE, and I’d been told that I needed to be getting at least 70% on average.
I had also never used Cybrary as a resource for study, but I felt I needed to try something different from QAE to hopefully fill the gap in my knowledge. I found it to be a surprisingly good resource and a healthy break from feeling like I didn’t understand why I was still getting answers wrong on QAE. There were lots of things I knew already, and some things that weren’t even really covered on the exam but were still interesting. The most valuable thing I learnt from this course is that everything related to Information Security needs to first and foremost align with organisational goals and objectives, and stakeholder requirements. This shifted my mindset to be more aligned with that of the creators of the exam. The focus is very top down, which can be a learning curve for those coming from a technical background.
However, if large enterprises are something you know really well, don’t assume you’ll pass the CISM exam. One of the four domains it focuses on is Digital Forensics and Incident Response (DFIR). Understanding the incident response process, and how to approach situations where you are seeking to preserve evidence and ensure it can be submitted in a court of law is really crucial to being able to answer questions in this domain correctly. In my exam there were also several questions across other technical areas of Information Security, including:
- Application Security / Secure Software Development Practices
- Securing Change Control
- Penetration Testing
- Security Awareness
So either way, whether you have a more technical background, or the other way around, there is lots to learn.
Once I finished the Cybrary course, I went back to QAE, where my total average rose to 75% on the practice questions and the practice exams. It was at this point that I felt ready to sit the exam. I was also given a copy of the CISM last-minute review guide, which was a good resource to give me a pre-exam memory boost.
The exam is a grueling 150 questions, with 4 hours to complete it. While the length is one thing, you also have to read the questions really thoroughly to ensure you answer them correctly. Often two answers can seem equally right, until you reread the question and realise that one word is what gives away the answer. So read questions several times.
I ended up passing the exam on my first attempt, and spent about 1.5 hours sitting it. So it seems like these resources really helped.
All in all, the more resources you have access to, the better prepared you’ll be for the exam. Unfortunately, this also translates to spending more money. I wouldn’t suggest this exam if you have less than 5 years of experience, as you need 5 years to actually get the certification, or if you aren’t exposed to large enterprises. Having experience as an internal infosec employee in large enterprises gave me a lot of the knowledge I needed to pass this exam.