How do I Prepare for the CISM Certification Exam?
How can you give yourself the greatest chance of passing your CISM exam? We want to help you.
Help yourself get certified by following our tips and guidance.
For most, there’s a lot riding on a certification attempt. You might need it for your job, or as part of your professional development. It might be something that everyone knows you’re doing so there’s a lot of peer pressure. And it might be attached to promotions and salary increases. Sitting for a certification also requires a significant investment of time and energy to learn, study, and master new material, when we’re all at full stretch. And finally, it can be really scary if you’ve not done an exam for some time… which is most of us.
But it is great to learn about an area that is important to our day-to-day jobs, or one we want to move into. It gives us a common language and approach that we can share with other practitioners. It shows your commitment to security and, if you do your CPD and pay the maintenance fees, you won’t have to sit it again. And when you pass, the feeling is amazing!
The CISM Exam
But first … what’s involved with sitting for the exam? Some basic facts:
- You can do the exam at an exam centre or at home.
- All exams are computer based.
- The exam is 4 hours long.
- There are 150 multiple choice questions, each with four options to pick from.
- All questions are scaled. Scores range from 200 to 800, and a final score of 450 is required to pass.
- Exam questions are derived from a job practice analysis study conducted by ISACA. You must be really familiar with the CISM Job Practice Areas.
For more on how to register, what the exam will be like and what you need to do after you’ve passed, see our other blog post here.
Review the CISM Body of Knowledge
The very first thing you should do is have a look at the CISM Job Practice Areas and the certification requirements and make sure this is the right certification for you. If it is, and you’ve got the time, then go for it.
I like to refer back to the CISM Job Practice Areas regularly to make sure that my preparation is covering all of the material I need to be across.
Have a CISM study plan
Once you’ve decided to go for it, pick an exam date, ideally not too far out. Somewhere between 4 weeks and 3 months should be sufficient, depending on your base level of knowledge.
Once you’ve got your target exam date, create your study plan. Don’t wait to get started or procrastinate until the day before the exam. You need to plan this like any project and work out a realistic study program that will get you ready by the target exam date.
I suggest breaking the material down by domain and allowing yourself time at the end to focus on exam question prep. Ideally you should give yourself 1 – 3 weeks for each domain (depending on how familiar you already are with the content), studying on weekends with a bit of revision during the week. I suggest around 5 – 15 hours per week.
When putting together your plan, try and work out the learning methods that work best for you. It might be by reading but it could be by listening, or probably a combination of both. Ideally try and mix up a combination of listening to training recordings plus reviewing the key study materials, highlighting important ideas and concepts, making notes and then reviewing those notes again plus also doing some practice exams.
I like to keep on summarising the material down until all four domains are on a single sheet, with words and phrases acting as reminders of the key concepts. For me, the process of summarising helps embed the knowledge and means you can review more efficiently when you have prompts to remind you of the more detailed content.
Set up a regular study schedule with dedicated blocks of time each week. Think about what time of day works best for you and plan accordingly. Sometimes an hour first thing in the morning, before everyone else is around and the emails start coming in, is the best time. Consider the setting too: do you need to be in a quiet office, or can you study successfully with your family around?
Whatever method of learning you follow and time and place you choose to do your exam prep, make sure you have a plan and do your best to stick to it.
Buy the ISACA CISM textbook
It’s almost impossible to sit the exam without reading the ISACA textbook. It covers each of the domains comprehensively and includes some practice questions. Make sure you get hold of that textbook somehow, plus another text if you like reading.
Here’s a review of some of the other CISM texts.
Do a CISM training course
It can be helpful to back up the textbook with training, either one of the free courses that are around or training with us. This is particularly the case if you have problems finding the time in your busy work/home life schedule, or if you get distracted easily. Taking yourself away and doing a dedicated training course might be the only way to go.
BUT if you do the training, try to do some prep beforehand so you know the areas you are weak in and where you need to pick the trainer’s brain.
If you do invest in training, don’t delay in booking your exam. The longer you leave it between the training and taking the exam, the more you forget and the less helpful the training will be.
Use other CISM resources
There’s a list of ISACA published resources that are helpful (see the end of this post). There are also lots of other resources around. Here are some training course options:
- LinkedIn Learning
- CISM Masterclass | CISM – Domains and Scope | Best resources for CISM by infosec Train – YouTube
Prepaway have some practice exam questions.
And don’t forget the short free ISACA CISM exam you can do, which is available here.
Do lots of practice CISM certification exam questions
After you’ve gone through all the materials (textbook plus training plus other background prep) and started on your summarising, take your first real practice test. This helps identify the level of knowledge you need to have for each domain. It can also let you know how prepared you are: do you need to do a bit more work in a particular area?
By the end of your study period, you should have done lots and lots of practice exam questions. Don’t wait until right before your exam attempt deadline; you may not have enough time to work on areas of improvement or to prepare your brain for the rigours of 4 hours of multiple choice questions.
Some tips for practice exam questions:
- Read every question very, very carefully. Sometimes the answer will come down to the use of a word or phrase in the question.
- Get rid of the answers you know are wrong so you can focus on working out which of the others is right.
- Sometimes the answer is the most right or the least wrong. That may not make sense now, but it will when you’re trying to pick one out of three answers which are either all wrong or all right.
- Don’t panic if you don’t know the answer. Leave the question and come back to it. Sometimes you can luck out and come across the answer later. But it’s a better strategy not to get rattled and to continue on. There will always be a couple of questions you’ll never know the answer to …
- But if you finish with lots of time, take care before going back, reviewing all your answers and changing them. Rely on your brain working properly when it’s fresh to get the answer right. If you can, it can be good to review just once to make sure you’ve not made any silly mistakes, have a last go at the questions you’re not sure about, and then sign off.
- Don’t overthink it. Try to balance being careful about reading and understanding against tying yourself in knots. Often, the most obvious answer is the right answer.
There is a practice exam on the ISACA site that is worth doing early in your study prep to help focus your study. It can also give you an insight into how ISACA think. Remember, often there are different views of the same question. If you want to pass the exam, then try and think of what might be the ISACA view, even if you personally may hold a different opinion.
And maybe don’t tell anyone when you’re sitting that exam. That way you can avoid any awkward questions.
Taking the Exam
On exam day, do your best to get enough sleep. Make sure to have your identification, your exam registration details and anything else you might need.
During the exam, take things one question at a time. If you can’t work out an answer – move on and come back to that question later. Stop and take a deep breath if you’re getting overwhelmed, and if needed, take a break.
Make sure you manage your time properly. There should be ample time, but don’t let yourself spend too much on those tricky questions.
Don’t forget, everyone is nervous, and not many people love doing an exam. If you’ve done the work, manage your time properly and keep the nerves under control, you will put yourself in the best possible position for a successful exam outcome.
And it is worth it to be able to put those letters after your name.
Good luck with the study!
ISACA resources by area
Information security governance
- Information Security Governance: Guidance for Information Security Managers
- Accountability for Information Security Roles and Responsibilities
- Info Security Chiefs: Communications Is Key to Mitigate Risk
- Code of Professional Ethics
- The Business Model for Information Security
- Return on Security Investment
- Differentiating Key Terms in the Information Security Hierarchy
- How to Measure Security From a Governance Perspective
Information security operations
- Information Security Architecture: Gap Assessment and Prioritization
- Nonsense Compliance
- Enterprise Security Architecture—A Top-down Approach
- The Benefits of Information Security and Privacy Awareness Training Programs
- Checking the Maturity of Security Policies for Information and Communication
- Framework for Protecting Your Valuable IT Assets
- Developing an Information Security and Risk Management Strategy
- Risk Management Process
- Vulnerability Assessment
- Enterprise Risk Monitoring Methodology
- A Risk-Based Management Approach to Third-Party Data Security, Risk and Compliance
Information Security Incident Management
- An Introduction to Information Security Incident Management
- Internal Control – Key to Delivering Stakeholder Value
- A Business-integrated Approach to Incident Response
- Incident Management and Response
- Evaluating Security Incident Management Programs
Audit and monitoring
- Strengthening Internal Audit’s Influence and Impact
- Security Monitoring as Part of the InfoSec Playbook
- Information Security Management Audit Program
- Integrating KRIs and KPIs for Effective Technology Risk Management
Other ISACA Resources:
- CISM Certification Guide
- CISM Certification | Certified Information Security Manager | ISACA
- CISM Planning Guide (isaca.org)