Certified Information Security Manager

Certified Information Security Manager. An ISACA Certification.

Yesterday I took the CISM Exam and provisionally passed on my first attempt. This is what happened.

NOTE: I have not applied for and been awarded the CISM as of writing. I will update this post shortly.

The Journey

Shortly after passing the CISSP exam in 2019 I decided to pursue the CISM with the goal of completing it within a few months. I had read that a lot of the subject matter is similar to the CISSP and there is a lot of sentiment online that after passing the CISSP you should be able to quickly pass the CISM without much additional effort.

I purchased the exam and the Questions, Answers, and Explanations (QAE) Online Database from ISACA aaaaaaaannnnddd then nothing. I didn’t make any meaningful attempt to study, and although I had scheduled the exam for March 2020, ISACA allows you to easily reschedule exams without paying a fee. This is in contrast to the ISC2, who charge $50 USD to bump an exam (I bumped the CISSP twice before taking it).

My QAE access expired in November 2020 so I subscribed for another year, but still didn’t make a conscious effort to study for the exam. I pushed the exam a few more times and suddenly it was 2021. When I logged back in to ISACA I was no longer able to schedule the exam. It turns out the exam ‘voucher’ had expired a year after purchase. I spoke with ISACA support, who told me that they would reinstate it, but that I’d have to sit the exam by June 30th. This was the motivation I needed. I had about 6 weeks to prepare and take the exam.

I started using the QAE to study most week nights. Each test is about 30 questions and is on a particular topic. The QAE provides explanations for why the right answer is correct and, importantly, why each wrong answer is incorrect. This was my main studying tool. I’d listened to Phil Martin’s Essential CISM on Audible a few times throughout the year, which may have helped me retain a lot of the knowledge I learned during the CISSP study. My QAE scores started at around 70% and I got through all of the practice questions a few days before the exam with an overall score of 75%. I then took the two ‘exam practice tests’ in the QAE, which are 150 questions like the actual exam, and, interestingly, scored 87% in both of them.

Image of the CISM QAE Dashboard showing an average practice score of 75% and an average test score of 87%.
The CISM QAE Dashboard.

With that, it was time to take the exam. I’d opted to take the exam remotely, which was lucky, as Sydney had gone into lockdown due to a spike in COVID-19 cases since I’d booked it. I cleared a space to take the exam and connected to the exam environment 30 minutes before my exam start time. The proctor asked me to show my photo ID and to pan the webcam around the room and under the desk. Amusingly, I was asked to throw blankets over two unused monitors and unplug a TV that was mounted to the wall. This is necessary to protect the integrity of the CISM certification and, while not foolproof, is a fair attempt to prevent cheating.

Photograph of the area used to take the CISM exam.
A tidy corner for me to take the exam remotely.

As with the CISSP, I never quite felt like I was killing the exam while taking it. For plenty of questions I was able to eliminate two incorrect answers, but had a hard time determining which of the remaining two was correct.

Psychologically, it’s a very different feeling from taking any type of practice exam, where you’ll be able to review the correct answers and explanations at the end and think, “Of course that was the answer, that makes so much sense now”. You understand that you’ll make your best attempt to answer and, pass or fail, you’ll never know which questions you answered correctly and which you answered incorrectly.

The CISM exam allows you to flag questions you want to review later. I used this feature what seemed like a few times, maybe 30 or 40, until I reached the final question and went back to review.

70 flagged questions. Just under 50%.

Oh.

I requested a 10 minute break and went for a walk outside. Partly, I wanted to just submit the exam and get it over with. But I still had 2 hours of exam time left, and half of the questions were contentious enough that I had to flag them, and that was way too many 50/50 chances. I returned to the exam and went through each flagged question. Where I changed an answer, and I ended up changing maybe half, it was where a single word made all the difference – either in the question or in an answer. Sometimes, the way another question was asked, and the answers that were presented, may also have influenced a change to a previous question.

After going through all the flagged questions, I submitted the exam. I was then asked to complete two post-exam surveys, but neither of them worked for me, and my proctor said to just click through and finish the process.

The next screen told me that I had passed the exam. The proctor congratulated me and terminated the session.

The CISM Mindset

  • Think like an Information Security Manager.
  • Human life is always the most important.
  • Everything we do supports the mission of the business.
  • Metrics allow control objectives to be met.

Materials

Review of each of these coming soon.

  • The Questions, Answers, and Explanations Database – 9/10

    This is the main resource I used to study for the exam. There are 815 questions organised into each topic that will be tested in the exam. For each question, there is an explanation of why the correct answer is correct and why each incorrect answer is incorrect. This was very helpful in understanding ISACA’s view of the world.

    There were many times where I disagreed with ISACA’s position on the answer. This is when my experience with what really happens in the industry was at odds with the view they were presenting. There were also a lot of questions that were written poorly, without providing any context. I provided feedback for a lot of questions to share my opinion with ISACA.

    It comes in an online, interactive version, which I used, and as a non-interactive hard copy. Use the interactive version; your life will be a lot easier. It’s expensive but worth the money.

    Unfortunately, it’s a subscription model and not lifetime access. I haven’t tested if you can open this on a phone.

  • Phil Martin’s Essential CISM Exam Guide on Audible – 8/10

    I listened to this at least twice while commuting and driving. I used his CISSP audio book as well and I think he does a great job in both. I plan on using his CISA audio book as well. Listen at 2x speed. You’ll definitely zone in and out, but you’ll retain a good amount of knowledge as well.

  • IT & Cybersecurity Pocket Prep on Android – 4/10

    You used to be able to make a one-time purchase of the Pocket Prep CISM app. Then they changed their business model, so there is now one app called IT & Cybersecurity Pocket Prep on a subscription model, so you no longer get lifetime access, which I think is a really poor move. There are many spelling and grammar errors and there is no way to provide feedback directly through the app. Some of the answers were just wrong. Explanations are only given for why the right answer is right – there are no explanations for why incorrect answers are incorrect. I used this in the shower sometimes. I don’t recommend it.

  • CISM AIO Book

    I purchased this on Kindle but I’m not sure how much I read – not much, for sure. I recommend using either this or the official CRM to read up on any topics that you’re not clear on, but I don’t expect anyone to be able to read it like a novel.

What next?

I’ve just purchased the Certified Information Systems Auditor (CISA) exam and the CISA QAE. Hopefully it won’t take another 18 months…

I’m also planning on taking the Security+ shortly as the class I’m teaching focuses on Security+ subject matter.