Information security and technology professionals, much like doctors and lawyers, are expected to stay apprised of the environment surrounding their profession. As part of my continuous learning process, the Certified Information Security Manager (CISM) was my next logical step after obtaining the Certified Information Systems Auditor (CISA).
Here is how I approached preparing for the CISM exam and what I would recommend to my colleagues:
My CISM Journey
- Determine the benefits of obtaining the CISM certification
- Take the practice test and review the ISACA Certification Exam Candidate Guide
- Purchase the study materials, plan study tactics and determine your timeline for taking the exam
- Register for the exam and schedule your testing appointment
- Take the test
CISM Benefits
The first step in pursuing the CISM is to determine its benefit to you.
- Do you want to stand out among other professionals?
- Do you want a raise?
- Do you want to be more marketable and get a better job?
- Do you want to be more confident in your current role or be viewed as someone to promote?
The benefits for me were the added credibility the CISM would provide to my clients and the continuing professional education (CPE) hours earned. Additionally, the knowledge gained in studying for the exam helps in my role as a consultant and Information Security Officer to make informed and proactive decisions.
Practice Test and Candidate Guide
The practice test helps gauge your knowledge of the subject matter and determine how much time will be required to prepare for the exam. Next, review the ISACA Certification Exam Candidate Guide. The guide provides helpful information such as the experience required to become certified, the number of domains in the exam, the corresponding test percentage for each domain, available languages, the exam length and the number of exam questions.
Study Materials, Tactics, and Timelines
The two reference books I found most beneficial in preparing for the exam are the “CISM Review Questions, Answers & Explanations Manual” and the “CISM Review Manual.” The Review Questions, Answers & Explanations Manual was my primary study source. Not only does the manual provide helpful and relevant content, but it also gives you an understanding of how the questions are asked on the exam. Words you will become familiar with in the questions are “best” and “most.”
My approach to the exam was to take the CISM Review Questions, Answers & Explanations Manual questions and divide them across the amount of time allotted for studying. I gave myself three months to study, so I focused on 80 questions per week. When I missed a question, I would review the explanation of why the specific responses were correct or incorrect, and for further clarification, I would reference the CISM Review Manual.
Register and Set Your Examination Date
Most people have busy schedules filled with work, school and family obligations. Because of these obligations, it is easy to procrastinate and tell yourself, “I will register for the exam when I am prepared.” However, registering for the exam and setting an exam date is the equivalent of setting a goal. By setting this goal, you will increase your efforts and be motivated to achieve the knowledge required for the exam.
If life does get in the way, it is simple to reschedule the date. Just keep in mind you have 12 months from the registration to take the test.
Take the Test
The test can be taken one of two ways: either at a testing center or via online remote testing – both of which are proctored. I chose to take my exam at a testing center. Working remotely since 2020 has given me insight into the distractions that can interrupt your focus while at home. I didn’t want to be taking a test and have the doorbell ring, a child or pet run through my home office, or someone calling or texting. I prefer the quiet environment of a testing location. Be sure to choose the right fit for you.
Hopefully, my process is beneficial to you in preparing for the CISM. Where will my journey take me next? Most likely, to follow the same process again and take the Certified in Risk and Information Systems Control (CRISC).