I passed the ISACA’s CISM exam on May 10, 2018, and since then have received a number of messages asking about the preparation strategy and schedule, especially from the fellow students. Before I begin, please be informed that my preparation strategy could be very different from that of yours since I was juggling with semester midterms/exams, assignments, part-time 20/40 hour work week and additional responsibilities of CCIS Masters Council. I started the preparation in mid Jan’18 and was very much on schedule until the end of the exam.
Pre-requisites and course material:
- Please watch this video by Sean Hanna and make notes/preparation strategy before you start preparing for the exam: CISM exam webcram
- Read this blog post by Claudio Dodt: ISACA CISM: Why you should do it and how to pass the certification exam!
- CISM Review Manual, 2015 edition*
- CISM Review Questions, Answers & Explanations Database – 12 Month Subscription*
* Both can be bought from CISM exam resources: Link
I divided the complete preparation strategy into 4 phases:
Phase 1: Read the CISM review manual (CRM) end-to-end
Timeframe: Mid Jan’18 to Feb’18
In the 1st read, I underlined the key points. This came handy during the 2nd and 3rd reading, where I just brushed through the concepts. I also realized that after a period of time, I could connect the dots with the roles I previously worked on and how I could have done them differently. I thoroughly read the content and retained ~60% of the concepts.
Phase 2: Re-read the CRM and solve the questions from Q&A database
Timeframe: Mar’18
I started the 2nd read in Mar and read only the important content I underlined in the first reading. In this read, I highlighted the content which required further pondering and another read (e.g. concepts of RPO, RTO, AIW). Simultaneously, start solving at least 30 questions daily. Aim for at least 60% in every test.
Phase 3: Re-re-read the CRM and solve the questions from Q&A database.
Timeframe: Apr’18
Only read the ‘underlined+highlighted’ content and make sure you understand each of the concepts by-heart. Solve at least 50 questions on a daily basis and make sure 20 of them are trouble questions. Check the detailed results for each of the exam areas and give special attention to the domain where you’re scoring less (I called it ‘Targeted domain’); for me, it was ‘Information Security Incident Management’ since I never had the first-hand opportunity to work in this domain. Aim for at least 75% in every test.
Phase 4: Glossary and practice tests
Timeframe: 01 – 09, May’18
The CRM has a rich glossary of all the important terminologies and serves as a quick refresher during the final phase of the exam. [Glossary link] I also started solving practice tests every weekend, which I think helped a lot during the real exam. It’s much difficult to sit for 4 hours straight (and stay concentrated) than we think it to be. Try giving the practice tests in different moods and environment.
Tips I found helpful:
- Develop a plan before starting the preparation, the exam is called Certified Information Security ‘Manager’ for a reason.
- Solve Practice tests every weekend in different conditions after phase 2.
- Dedicate extra time and become aware of the rationale for choosing the correct/incorrect answers and ponder about why you chose that answer. [it’s more important to know the reason for an incorrect answer than the correct answer]
- Read every question twice, no matter how familiar/simple the question looks, before jumping on the answer.
- Consider the exam to be a marathon and not sprint. Become comfortable with sitting straight for 4 hours and staying concentrated. “You can not run a marathon by preparing for sprints”.
Please feel free to comment or drop an email to shobhit@grcmusings.com for any specific queries/questions you may have.
All the best,
-Shobhit