How to pass the CISM Exam in 30 days

By Hemanth Gajula

Background

I cleared ISACA's CISM (Certified Information Security Manager) exam on 20 April 2020, exactly one year and one day after I failed it on my first attempt.

To give a brief overview of my professional experience, I had about ten years of work experience in fraud analytics across the banking, retail and consulting industries. I also hold the CFE (Certified Fraud Examiner) certification, obtained in 2015. At the time of taking the exam I was working a full-time job of 40 hours a week and was also a part-time student studying cyber security.

Disclaimer:

This is the approach I used to clear the exam the second time. Please do your due diligence, as your situation may be different from mine, and following these techniques does not guarantee that you will pass the exam. With that aside, let's move on to what constitutes the exam.

About the CISM Exam Domains and Weightage

The CISM exam covers four domains of information security management, weighted as follows:

  • Information Security Governance (24%)
  • Information Risk Management (30%)
  • Information Security Program Development and Management (27%)
  • Information Security Incident Management (19%)

*These percentages are as of April 2020.

Study Materials I bought/used for the exam

Books

1) All-in-One CISM Exam Guide by Peter H. Gregory

2) All-in-One CISM Practice Questions by Peter H. Gregory

3) CISM Review Manual 15th Edition.

QAE Database

1) 1,000-question Questions, Answers & Explanations (QAE) Database from the ISACA website

Video Courses

1) Thor Pedersen's course on the Udemy platform

2) Kelly Henderson's course on the Cybrary platform

Others

1) Self-prepared running notes

2) Whiteboard one-page summary of each domain

The Necessity of Having a Plan, and Wisdom from the First Attempt

On my first attempt a year earlier, after hearing scholars suggest that the CISM is a cakewalk, I attended a four-day CISM boot camp with minimal prior knowledge of the certification, and I even booked my exam for the week after the boot camp. I failed with flying colours, with a passing score in only one of the domains, Risk Management. I felt miserable and kept waiting for the right moment to retake the exam.

My second attempt at the CISM with an Exam Study Plan

This time, I should say, I planned meticulously, understood the exam thoroughly and developed a strategy to tackle it, which helped me save time. Let me take you through the timeline.

Time spent on weekdays – 2 hours in total, divided between mornings and evenings before and after work.

Time spent on weekends and public holidays – 6 to 8 hours a day.

Day 1

I went through the Domain 1 videos on Cybrary and Udemy; this gave me a framework for understanding the themes and topics in the domain.

Days 2 to 4

I read Domain 1 from the official review manual. While reading, I also made my running notes, building a list of hypothetical examples in my head and drawing diagrams to represent what a definition or key term means.

Days 5 to 7

Did approximately 200 questions from the QAE Database and re-read the concepts behind the questions I got wrong.

Days 8 and 9

Cybrary and Udemy video courses for Domain 2.

Days 10 to 12

Read Domain 2 from the official review manual, again using my running notes to make diagrams, flowcharts and hypothetical examples so I could understand the concepts better and in a way that worked for me.

Days 13 and 14

Did the 250+ questions on the domain from the QAE Database and re-read the concepts for the questions I got wrong.

Days 15 and 16

Cybrary and Udemy video courses for Domain 3.

Days 17 to 19

At this point, I realized that reading the book for Chapter 3 would consume a lot of time, as this chapter is long. So I didn't read the book for that chapter; instead, I did the 350-odd questions from the QAE Database using the knowledge gained from the video courses.

But to be on the safe side, I did read the summary of the chapter, and if I came across a topic I hadn't seen in the QAE Database, I would go back and read that specific topic. Apart from this, I would also read up on any questions I got wrong, or where the concepts weren't clear, while working through the QAE Database.

Days 20 and 21

Revisited Domains 1 and 2. Watched the Udemy videos for both of them again at 1.5x speed and did 50 random questions from the QAE Database to check how well I was doing.

At this point, I was scoring about 85-90% or more in the QAE Database, and I had covered 81% of the exam content (24% Domain 1 + 30% Domain 2 + 27% Domain 3). On the actual exam, remember that you need an overall scaled score of 450 out of 800 to pass.

I still had to do the fourth domain, but I was confident in the approach I had followed, so I went ahead and booked my exam for a week from that day.

Days 22 and 23

Went through the Cybrary and Udemy videos for Domain 4 before starting the 160+ questions on the QAE Database, achieving about 70% accuracy on these questions for the domain. In this chapter specifically, there were a lot of key terms to be understood, so I went through the glossaries from various sources, including Cybrary, the All-in-One guide and the official review manual, and, more importantly, kept making my notes with diagrams and examples.

Days 24 to 27

(One domain a day, and the most critical part of my study)

Created a one-page summary of an entire domain on a whiteboard, cramming a lot of information onto it. Strictly one domain a day. I used a flowchart style to represent the flow of information, like A to B to C, so I could use it to eliminate answer choices. This takes a while but is worth it. I also checked the notes I had made earlier to go through the hypothetical examples and other diagrams I had made, to understand the concepts again.

I felt these notes were one of the highlights of my study. Now, a couple of months after the certification, these diagrams and notes are what I remember most. I would suggest you create your own notes, diagrams, flowcharts, etc., whatever you feel will help your mind make a mental connection to the concepts.

Day 28

Took something similar to a full-length practice test from the All-in-One practice book. The book doesn't have a full-length practice exam as such, so I picked the first 40 questions from each chapter (160 questions in total) and answered them.

I scored approximately 80% on the test. For the questions I got wrong, I again went through the topics in the official book.

Sadly, this was the only day I used the book; it was an expensive purchase, and I later realized that it had useful resources such as explanations of the answer choices and why they are correct or incorrect.

Day 29

I wasn't stressing too much; I did about 100 questions from the QAE Database and that's it.

Day 30 – Exam Day

My exam was in the evening, so I spent time with my family and played a few quick chess games during the day. I watched some videos (probably an hour or less), just to remind myself that I knew those concepts (this improves self-confidence); it boosted my morale and kept me in the right frame of mind before the exam.

The Exam

During my exam, the first 60 minutes or so were tough: I was behind on time, having barely completed 25 to 30 questions, and I had marked a few of them for review. Even of the answers I had finished, I was not a hundred per cent sure. Yet even during this period I was confident and kept assuring myself that I would clear the exam; not that I was overconfident, but I just encouraged myself that I had prepared adequately and should make it.

After completion, I was given a preliminary pass. I was so happy to see this. All the hard work, burning the midnight oil, it was hard, and this was a special moment to appreciate all of that.

Next steps (at the time of this writing) to obtain the certification after you clear the CISM exam

1) Apply for the certification; the application fee was USD 50.

2) A) Demonstrate that you have the necessary work experience: applicants need five years of information security work experience, with a minimum of three years of information security management experience in three or more of the CISM domains/job practice areas.

B) If you hold another ISACA certification, such as the CISA, or the CISSP from (ISC)², you may be eligible for a two-year waiver of the work experience requirement. A postgraduate degree in information security or a related field also qualifies for a waiver. Note that these substitutions count only towards the general experience, not the three years of management experience; do check the ISACA website for the latest information.

3) Once you have applied, it takes a few days for ISACA to review and assess your application. You will be notified once it is done, and you can then display your certification on LinkedIn and other social platforms of your choice.

Which books/materials I used the least

1) All-in-One CISM Exam Guide by Peter H. Gregory – The book is lovely. I feel it goes deeper and has a broader scope than the official review manual; there is nothing negative to say about the book at all, but I didn't read it as much as I should have, and with time being a significant factor I focused more on the CISM Review Manual. If time is on your side, I would suggest going through this book as well.

2) All-in-One CISM Practice Questions by Peter H. Gregory – I only did part of the book, and only for a day. I later realized that this book has about 250-odd questions, along with an explanation of why an answer is right and a description of why the other answer choices are incorrect (I could have used this book much better).

Which books/materials I used the most

1) 1,000-question QAE Database from the ISACA website.

2) Self-prepared running notes.

3) Whiteboard one-page summary of each domain.

4) Thor Pedersen's course – Udemy

5) Kelly Henderson's course – Cybrary

6) CISM Review Manual 15th Edition, to get the concepts clear.

Tips and what worked for me

1) The one-page summary of each domain and my self-prepared notes filled with diagrams and flowcharts. I believe these were the most useful self-prepared materials; they gave me an understanding of the flow of concepts from one topic to the next, which also helped me eliminate answer choices. For example, if a question relates to risk assessment, you can eliminate an answer choice or topic that belongs to risk identification (again, these are my thoughts/suggestions; they worked for me, but please do your due diligence).

2) QAE Database – The most useful tool out there for the exam; moreover, it covers the topics you need to comprehend. The exam may not, and in most cases will not, contain the same questions as the Database, but the Database covers all the necessary elements and uses language very similar to that used in the exam.

3) Video courses on Udemy and Cybrary – These gave me a quick start in understanding what the exam covers. I recommend the videos by Thor Pedersen and Kelly Henderson, in no particular order.

4) CISM Review Manual – Useful when it came to understanding a concept in more detail and depth. Also, whenever I went wrong on similar types of questions, I would refer to the book to understand the topic comprehensively.

5) Confidence and belief – Though this is obvious, I am restating it because it is a crucial factor, especially during the last few days of study and in the days before the exam.

6) Join a local study group/session – Check for any local study groups your local ISACA chapter is organizing, or any other groups. Though this was brief during my study, it did help.

Failed the CISM exam?

1) Do not lose hope; book the exam again as soon as you can. Don't take a lot of time and make the same mistake I did. It took me a year to find the right time to take it again, and by then, trust me, I didn't remember most of the concepts I had learnt a year earlier.

2) Also, if you failed by only a couple of questions, as I did, you should retake it soon, as you probably failed because of a few days too few of preparation.

3) Next time, plan it accurately, focus on what went wrong the first time and improve on it. Confidence played a key role for me; it helped me devise my approach to the exam.

Feel free to reach out to me on LinkedIn for any questions or clarifications you may need. I hope this read was useful and will help you clear your CISM exam. All the very best!