W00t! I passed my CISM exam. Below are just some tips on what I did to pass the CISM exam.
Before I get into the details this exam for the most part is not a super technical exam. There are technical concepts you will need to know, for example What is:
- A screened subnet
- Two factor Authentication
- SQL Injection.
It is primarily a business focused exam dealing with security management. So you will need to know concepts like What is a
- Balanced Scorecard
- Policies vs Standards
- Businesses Impact Analysis (BIA) vs Risk Assessment
The test is written in a way that if you have held a security management role dealing with the four domains in the below table then you already have a leg up.
The CISM exam is broken into the below sections. You have 4 hours to answer 200 questions.
|Domain 1||Information Security Governance||24 Percent||48 Questions|
|Domain 2||Information Risk Management and Compliance||33 Percent||66 Questions|
|Domain 3||Information Security Program Development and Management||25 Percent||50 Questions|
|Domain 3||Information Security Incident Management||18 Percent||36 Questions|
The 2015 CISM manual is 236 pages of content which needs to be digested. If you give yourself a 3 month study timeline you have 12 week to learn the content. We will remove the last week and make it our review week. So this leaves you with 11 weeks or 77 days before review week starts. In other words you have to read 4 pages a day and comprehend the content for 11 weeks.
The other thing I did besides reading the book was I signed up for a 3-day CISM Boot Camp and the 2-day CISM Prep Exam Training from Megamind Institute. Now there are many boot-camps out there so why did I pick Megamind? The reason is simple. The class is taught by Krag Brotby, who is the principal author and editor of the ISACA Certified Information Security Manager (CISM) Review Manual (since 2005). Aka the “King of CISM.” The other camps had people but they did not have Krag. The other great thing about Megamind is that I did not need to fly somewhere for a week, I attended all the session via Webex from the comfort of my own home. The classes are held over the weekends so only 1 work day is lost at most (Friday before the weekend for the 3-day boot camp). Due to popular demand, Megamind now offers pre-recorded subscriptions to their CISM trainings so you can attend on-demand, whenever you like.
During my boot camp I took a lot of notes but later I fine tuned them and came up with 16 “Krag-ism” —- these 16 tips helped me a lot on the exam. It helped to weed out wrong answers or help look for key terms on possible correct answers. From what I recall, each of the 16 Kragism showed up my exam between 2-3 times so that is 32-48 questions or 24% of the exam. In other words every 4th question was answered with the help of a Kragism. On top of that, Krag also has sample mock quizzes and explains why certain answers were correct over others. And provides an additional 100 sample mock exam questions and answers at the end of the training, along with a BIA example and his personal help with any additional questions I may have had (even after attending the training).
If you are still reading then you are wondering Vivek WTF is an Kragism. Well due to confidentiality terms you agree with Megamind I can’t explicitly say them, but I can obfuscate one and share it. One Krag-ism is “In all my years working with ISACA on the CISM ___ ____ has rarely, if ever been the correct answer.” Want to find out the missing words??? Sign up for the class via Deb Murray (email@example.com). Tell them Vivek sent you.
So we are reading the review manual, we have signed up for Megamind’s boot camp and prep exam training ….what’s left? The LAST thing I did was I purchased a subscription to the CISM Review Questions, Answers & Explanations Database from ISACA. This was a no brainer for me since it has past exam questions with a basic explanation on what is the correct answer. This Q&A database will help you put your brain into the CISM test-taking mode. This is important because the CISM exam is not like a normal multiple choice exam. Nine times out of ten you will end up with 2 answers which seem correct but one is the better answer. The Q&A database along with Krag helped me zero in on what is the best answer.
I hope this post helps others in getting CISM certified.