How much time should I need to prep for the CISM?

Gawyn210 Member Posts: 9
I'm currently an InfoSec and Compliance Manager with nearly 10 years of experience. I took the ISACA CISM evaluation prep test and scored over 65% without ever having studied.

I think that if I purchase the official study material (book & DB questions) to brush up on ISACA terms and definitions, dig into weak areas, and hit the DB pretty hard, I could be ready to sit for the Dec exam. It is currently 9/25, so I would have about 2 and a half months to prepare.

Is this wishful thinking? I really don't want to wait until June of next year. Can I get some input from people who have taken the exam?


  • soccarplayer29 Member Posts: 230
    Take the plunge.

    You have the experience, register for the exam and follow through with a study plan. Absolutely do the CISM DB engine.
    Certs: CISSP, CISA, PMP
  • westbrookj1 Member Posts: 5
    You would not have to wait till June of next year; ISACA is going to a digital format in 2017, so you could take the exam probably earlier than that.
  • Gawyn210 Member Posts: 9
    Thanks for the reply. I think I'll jump on it.
  • Gawyn210 Member Posts: 9
    @westbrookj1 - This is true...

    I wonder if all the kinks will be worked out. It would be nice to have the immediate pass/fail feedback. :)
  • ScottFiesta Member Posts: 19
    With substantial experience under your belt you'll probably find a lot of the answers are fairly intuitive and obvious to you... ONLY IF you are a manager in a well-governed organization that has fully integrated risk and information security processes within its strategic and operational decision loops. The CISM exam will expect you to know how to manage specific incidents from the perspective of a CISO, which process owners to engage and how, and under what circumstances you would engage the Steering Group, C-suite or Board members and what information you should have at your disposal as you do so. In plenty of cases the 'correct' answer is going to be different from what many people will have been exposed to in the average corporate environment.

    If your organization is technically and culturally mature and well governed, and if you have substantial quality management experience, and maybe even a CISSP under your belt, you could get away with two or three weeks of study. How much extra time you may need on top of that is directly proportionate to how much your work experience differs from what I've just described above ;)

    All the best!
  • Gawyn210 Member Posts: 9
    ScottFiesta, thanks for the input. I believe my organization, and specifically my security program, should be considered mature. We are in the finance industry as a SaaS provider. We are SSAE 16/SOC 1 compliant with a fully developed and formal security program. While I have been in the industry a while, I am pretty much home grown. I read quite a bit and try to keep abreast of the industry, changing technology and emerging threats... but since my experience is all with my current employer, I always feel like there are gaps in knowledge.

    Well.... I guess that's what the study process is for. I've scheduled the exam and purchased the materials. We will see. Thanks for the encouragement!
  • ScottFiesta Member Posts: 19
    No worries. I specifically recall encountering a question or two where I thought to myself "ok, I know that in my last job we would have done X but the answer here is definitely Y". It's definitely worth noting the variances between lessons from experience and what ISACA describes as best practice. I'd be surprised if most people don't have a few similar experiences during the whole CISM study/exam process. Best of luck.