CISM - not impressed

I'm sitting through a boot camp for CISM. I plan to test tomorrow and the overall theme I'm getting from the database, instructor, and others is that questions are purposefully obtuse.

CISM feels more like a reading comprehension test than actually learning anything security related (beyond what I already know and posses).

It's not a terrible course and I can see how someone could gain knowledge from it, but I'm not overly impressed at all.

Am I off?

Find more posts tagged with

SAVE $250 on Your ISACA Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View ISACA Boot Camps

Comments

gespenstern

I argue that you are.

While I agree that some questions could have been simplified and it looks like they were designed specifically using various inverse logic with many "NOT"s, I believe that the main idea is somewhat different -- it is to teach you to notice slight differences between the similar concepts.

To give you an example, here's a question of this type. You do an investigation in a typical enterprise and you learn that remote workforce who aren't on VPN cannot use Kerberos for authentication which breaks some application functionality. Your options: a) publish Kerberos AS/TGS to the Internet b) force always on VPN because Kerberos isn't secure over the Internet c) Publish it as in a), but configure it to use mandatory pre-authentication as without it it's not safe d) Make sure that the users logon with Kerberos at least once while on-premises so they can cache a TGT which can be used when they are offline to logon to their application.

It can be argued that all answers except maybe one are technically correct. And majority of people would choose b, because of two reasons: 1) it's a common practice to not publish Kerberos and force the remote force on VPN and 2) ADDS is by far the most popular Kerberos implementation and it is officially recommended by Microsoft not to publish it.

Seems plausible, but this would be a wrong answer. First, Kerberos isn't ADDS. We don't know all the reasons why Microsoft advises against publishing ADDS services, but most likely they have to do with publishing RPC and SMB which are required for ADDS to function. But people when they hear "Kerberos" almost automatically assume Active Directory. Wrong. Second, Kerberos was specifically designed to function in insecure untrusted networks and there's no issues with publishing it to the Internet if the application relies on it. But many people don't know that because it's not a common industry practice.

As you can see this question is specifically designed to collide the common and well-known notion that isn't true with a less known but true notion. Is it tricky and obscure? Sure. Was it designed to be obtuse on purpose? Not really.

I have many other examples like that covering various areas, not necessarily technical. People for the sake of simplicity just like to assume things, these assumptions lead to incorrect and damaging decisions in some scenarios and these questions are designed to teach you to not assume things.

sunto

I'm waiting for the screenshot to be approved, but some answers are just incorrect in any context, yet are being noted as correct. My post is subjective based on my opinion, but as I eluded to, it's not value-adding to someone with experience in cybersecurity, especially if they already have something like the CISSP.

I'm sure I'll pass the exam, but I hope I have the opportunity to interact with ISACA about my concerns.

JDMurray

sunto, your screenshot of the ISACA CISM Q&A database has been rejected. If you make any attempts to post copyrighted material in violation of the owner's licensing agreement you will be banned from TE.

pgupta101

I agree with you sunto. I have the same feeling with CISA Q&A. Questions have been designed to be tricky and test the insignificant differences in answers, which in many practical scenarios today doesn't make any difference. some questions ask about which things to be done first or which is best, where in choices given to choose from may make no difference in the outcome.

ger_saf

Mine is scheduled end of july, still reading "CISM Certified Information Security Manager All-in-One Exam Guide" once done,
I will start CISA QA DB. Any other advice.

sunto

Passed his morning. Database seems to have been the most aligned with passing.

ger_saf

Hey....Congrat....can u share yr preparation tips and material?

sunto

ger_saf wrote: »

Hey....Congrat....can u share yr preparation tips and material?

I took a one-week boot camp from Trainingcamp.com and spend the extra money to get the official ISACA Q/A database.

roxer

Congratulations!! CISM is a business/management decision certification and not necessarily a cybersecurity test in and of itself. It is more of a "what decision will you make that encompasses risk and businesses continuity" instead of "what technology are we using." Although the answer may involve technology, the correct answer might be a process instead because it has a better cost benefit to the business. I agree the questions can be cryptic.

sunto

For those interested, I think the CISSP is better overall and if you already have one, the CISM is made easier by it. I don't feel as though I gained any additional knowledge having completed CISM, but that doesn't mean it's terrible. For me, it's an added merit badge.

LordQarlyn

Interestingly enough I have been hearing the same thoughts being said about the CISSP recently - and by more and more people, that the cert has become, for lack of better term, watered down or devalued in terms if the security knowledge it teaches while obtaining it. Others have said that the vetting process of ISC2 has become lax that it is really just a formality at this point.

That may or may not be true, but there is no argument that having a CISSP can open doors for you and many security jobs desire candidates who have it. The same can be said about CISM, with a good security background you may not have gained much of an increase in knowledge while preparing for the exam, but it is a cert that is reasonably marketable.

So, congrats and well done! That is on my to do list.

lucky0977

I just went through a CISM bootcamp last week via Infosec Institute. I took my CISSP a couple years ago so I felt that I didn't learn anything new and most of the content was still fresh in my memory. The ISACA practice questions db were just as frustrating as ISC2s but so far it helps to see ISACAs mindset. I'll be taking my exam on the 13th of this month so we'll see if the ISACA db aligns with the exam.