Preparing for CISM

SDee Posts: 76 Member
edited February 2 in CISM
I will dedicate this thread to follow up my whole journey towards -hopefully- being a CISM. 
I am an Information Security manager, with over 7 years of experience in networks and Information Security, I currently hold the following certificates: CCNP R&S - CCNA Voice - CCNA Security - ITIL Foundation - CEH - CISSP - CCSP 

The most recent was CCSP, and I decided to take it from there as CCSP covers a lot of the topics within CISSP, and CISSP and CISM have a good overlap percentage. I have done several test exams and have been scoring 75-80% before starting the preparation.

I am yet to decide when to book the exam. I just plan to go through the chosen material and book it three weeks after I am done. Will update this thread accordingly. 

Resources I have:
- CISM Review Manual, 15th Edition
- CISM Review Questions, Answers & Explanations, 9th Edition
- Cybrary Videos (Obviously) and old CBT Nuggets videos (Outdated) 

I started to read the Review Manual, loved the covered topics but didn't like the book at all. It is boring and I just kept getting out of focus every time I started reading! I am considering a different approach: rely on videos (Cybrary maybe?) and do selective reading from the Review Manual on topics that I feel require further understanding. 

How would you rate Cybrary videos in CISM? Is there any less boring material? 
Any general advice or guidance, please.

Comments

  • DZA_ Posts: 295 Member
    There is definitely a lot of overlap in the Cybrary material as it's done by Kelly Handerhan and much of the content is reflected in her CISSP videos. If you still want to go through it, you might want to put it at 1.5x as the content may be redundant. A lot of folks here will tell you that the QAE database for a couple weeks is all you need but personally I did both the manual and the QAE before passing the exam. 

    As an alternative method of studying, try going through the QAE DB first (I think it's like 500-800 questions if I remember), and then supplement the wrong questions by reading the manual so that way you're not constantly reading the book. 

    I spoke too soon as I was writing this post but when I was writing the CISM exam, they didn't have the updated McGraw AIO CISM guide out, but you can find it here: https://www.mheducation.ca/professional/products/9781260027037/cism+certified+information+security+manager+all-in-one+exam+guide/
  • SDee Posts: 76 Member
    edited February 4
    Reading a lot of posts suggesting only studying the Q&A, what is the rationale behind this? Is it like a "Du m p s" mindset where actual exam questions are similar?!!! Or is it just educating myself on "What ISACA wants?" 

    Honestly I find a lot of topics in the CISM material interesting and I would like to read about, but I don't like the dry language of the official material. 

    For CISSP/CCSP & CISM holders, how would an ISACA's mindset differ from ISC's? If I treated ISACA as an ISC am I good to go? I find them to be really close so far, ISACA seems to be more into doing the action compared to the passive, patient mindset of ISC, but still very close.
  • kaiju Posts: 268 Member
    Actually, read the official study guide and then take the QA&E. If your score is subpar, read the material again and then retake the QA&E. The questions are NOT exactly like the exam questions but they do put you in the correct frame of mind to take the test.
    Work smarter NOT harder! Semper Gumby!
  • lucky0977 Posts: 166 Member
    edited February 4
    The CISM contains roughly the same information you learned in the CISSP. You have to use the Q&A database because you'll be scratching your head at how the questions are structured come exam day if you don't. Going through the CISM course, the instructor always said you have to "drink the ISACA kool-aid". You'll understand if you've passed the CISSP and then start practicing CISM questions.
    Bachelor of Science: Computer Science | Hawaii Pacific University
    CISSP | CISM
  • DZA_ Posts: 295 Member
    SDee said:
    Reading a lot of posts suggesting only studying the Q&A, what is the rationale behind this? Is it like a "Du m p s" mindset where actual exam questions are similar?!!! Or is it just educating myself on "What ISACA wants?" 

    Honestly I find a lot of topics in the CISM material interesting and I would like to read about, but I don't like the dry language of the official material. 

    For CISSP/CCSP & CISM holders, how would an ISACA's mindset differ from ISC's? If I treated ISACA as an ISC am I good to go? I find them to be really close so far, ISACA seems to be more into doing the action compared to the passive, patient mindset of ISC, but still very close.
    I haven't read the CISM AIO so I can't comment on whether it has the same dryness as the official manual, but definitely give it a go if you find that you need to read another resource. As you said previously, the Cybrary videos are good videos to study from. In terms of the quality of the QAE DB, I found it rather useful as any official question banks provide a mindset that they're looking for when you write the official exam. They have a good chunk of questions that will mold your thinking into the ISACA way that will assist in passing the exam.

    If I could take a stab at the subtle differences between the ISACA vs. the CISSP mindset, it is that both gravitate towards a managerial mindset first off. IMO ISACA's answers are geared more towards the business and risk-based outcomes from a security manager vs. CISSP comes from the perspective of what is the best answer in that scenario (regardless of whether it's technical/administrative). I hope that helps clarify things. When do you plan on taking your exam?
  • SDee Posts: 76 Member
    Thanks a lot for your input, I am yet to decide on when to sit for the exam as I am just gathering information. I honestly want to feel that a value has been added from being a CISM by learning the covered topics that I feel I have a weakness in, so will basically do the practice tests and do targeted reading or watching videos on relevant topics. 

    One question regarding some .VCE files available: I am aware that there are no du-m-p-s for CISM and obviously not looking for any, but are the available .VCE files useful and do they help in preparing for the exam? I like the way you can interact with .VCE files, tracking the progress, etc. 
  • cyberguypr Senior Member Posts: 6,665 Mod
    That tracking is exactly what the QAE will do for you. 
  • lucky0977 Posts: 166 Member
    The vce files are more than likely older practice questions from previous versions of the Q&A database. But if you get the digital Q&A database from ISACA, it tracks your progress in the same manner as one of those vce files.

    Bachelor of Science: Computer Science | Hawaii Pacific University
    CISSP | CISM
  • DZA_ Posts: 295 Member
    BOSON has another exam simulator for CISM: http://www.boson.com/certification/cism

    I am not sure how you feel about BOSON but I had a positive experience with their CISSP exam simulator. 
