Skip to content

How I Passed The ISACA CISM Certification

Published: at 09:52 AM

Table of contents

Open Table of contents


Earlier this year I decided to take on the challenge of obtaining a security certification. I have over 15 years of experience in the IT, Consulting, and Cybersecurity space and wanted to get one that tied all my previous experience together but also applied to my current job.

My current role entails aspects of auditing, governance, cloud, security, risk management, and technical aspects of cloud computing. I initially leaned towards ISC2 CISSP as I’d heard of it before and know it is a major certification in the field. Upon further research, I found the Certified Information Security Manager (CISM) from ISACA to be more aligned with my current job and decided to dive in.

I studied on and off for about six months with the last two months being more intense as I ramped up to take the exam. In late October I passed the exam, applied for the certification, and became certified.

In this post, I’ll cover the details of how I passed the exam on my first attempt.


ISACA offers the Certified Information Security Manager (CISM) certification as a specialization in information security management. The certification is intended for system administrators and IT experts who assist build and maintain an enterprise’s security program. An applicant must have five years of experience in the information security industry to pass the examination. You must meet two prerequisites to become CISM certified. First, you must pass the CISM exam, and second, you must show that you have the requisite work experience.

To achieve the second criterion, you must have five years of engagement in information security experience in three or more key areas indicated by what ISACA calls job practice. These key areas include:

Not to fear though! There is some leeway. For example, certain certifications can be used to replace years of experience, and having an advanced degree can factor in as a waiver for work experience. However, this is certainly not an entry-level certification. Work experience must be verified by a third party such as a previous coworker or manager that attests that your application and experience are correct and valid.

Going back to the exam, the CISM exam content outline provides all the details on the key domains and secondary topics. The exam can be conducted online or in person and has 150 questions, graded on a range of 200 to 800, with 450 being a qualifying mark. It’s worth noting that the score represents a conversion of individually weighted raw scores based on a common scale. As such do not attempt to apply a simple arithmetic mean to convert area scores to your total scaled score. There’s no specific percentage to pass the exam. ISACA only publishes what I’ve stated above.

My Experience And Recommendations


First, I’d like to highlight the resources I used. I purchased (through work) the following:

Study Approach

My approach with the resources was to read at least one book outside of the official materials as well as a video course. Based on reviews, I knew the official materials were the most crucial to passing but I also wanted an outside perspective.

I started by reading Mike Chapple’s book to get a good understanding of the material. I read a minimum of 25 pages a day and finished the book within a week. After that, I began to skim the review manual and started going through the QAE database test questions.

Once I started going through the practice questions I immediately noticed this would be the most valuable resource I had. Sure, these are the official test bank, but I found a ton of value in looking at why the wrong answers were wrong. Doing more questions and looking at all the answers put me in the right mindset and helped me go back to the review manual for a refresher on that topic. If there were one resource I’d recommend above all else, it’s the QAE database.

The week before taking the exam I watched the WannaBeA CISM video course. This is a recorded BootCamp or live training course. I found it to be very practical which gave lots of real-world scenarios vs. just strictly reading off definitions. There were lots of valuable tidbits thrown in about taking the exam too. One of which was reading the answers from the bottom up (D-A) and not from the top to bottom (A-D). I’m not sure why this works, but it does! I started to see an improvement in my scores on the QAE tests after implementing this strategy.

The final part of my study approach was taking the “mock” exam and looking at the domains that needed improvement. I exported the results and went back to those topics and read and re-did the test questions.

The Exam Experience

The exam experience is pretty typical of all other certification exams I’ve taken. I did this one in person as I’d heard of oddities and other horror stories of online proctored exams. The process is a check-in with the proctor, a brief training on how to take the exam (flag questions, etc.), and a survey at the end. I always hate the survey at the end because you don’t know if you’ve passed or not. You end the exam, then take the survey not knowing. After completing the survey, the result is posted on the screen. In my case it showed the exam, time started, time finished, and the result showed “Passed”.

There is a fine print that says your official results will be processed and emailed to you in 10 business days. The result is a “Provisional” passing result.

Exam Strategy

I knew going in this was a 150-question, single-answer, multiple-choice exam that allows you to flag and revisit questions. With that in mind, my strategy for the exam consisted of the following:

This strategy worked well for me and in the end, I felt confident in my answers.

Wrap Up

Preparing for any exam can be nerve-wracking. In the beginning, I felt anxious about undertaking such a big certification. Going through the resources above helped me gain a massive amount of knowledge and made me much more confident going into the testing center on exam day.

In the end, I highly recommend getting the CISM certification. It is a fantastic method to demonstrate you are serious about information security. It shows that you have advanced information security experience and expertise, as well as the necessary knowledge and skills to build and manage a comprehensive information security program.

I wish you the best of luck!