ISACA CISM: Why you should do it and how to pass the certification exam!

The current state of cybersecurity is quite simple: each day presents a new set of threats and vulnerabilities. Businesses have discovered, the hard way, the cost of not investing in an experienced InfoSec team and in certifications such as ISACA’s CISM, Certified Information Security Professional.

This new perspective has been gradually changing the information security market, and papers like ISACA’s State of Cybersecurity: Implications for 2015 show that cybersecurity in general has been getting more support from upper management (really?) and bigger budgets (R U SERIOUS?). Paradoxically, there is a huge cybersecurity skills crisis: experienced professionals are in short supply on the market.


I agree that experience is something you only get in the field, but there are countless options in terms of professional certifications that should make you stand out in the infosec crowd. Personally, I have always invested my time and resources in vendor-neutral certifications, mostly from internationally recognized institutions like ISC², EXIN and APMG. The results have been much better than I expected.


ISACA’s CISM, Certified Information Security Professional, is one such case and one of the most in-demand certifications of 2016. Still unsure? Ok, look at this quick list of open positions that mention information security certifications:



If you already have some years of experience with information security and have begun thinking it is time for a managerial role, this certification is one of the best ways you could improve your resume. The exam itself may still look a bit scary, but let me be clear: with adequate preparation and some dedication, anyone can achieve a great result on the first try.

I attended the CISM examination last June (2015), and here I share the methods and some practical tips I used for my preparation. Again, the results were excellent!


The CISM is not a technical certification; it focuses on the management aspects of information security. Since 2002, around 23,000 professionals have obtained the certification, and most of them are the ones managing, designing, overseeing and assessing an enterprise’s information security. The current average salary in the USA is something between $52,402 and $243,610. Not bad at all!


In order to be certified, there are three basic steps:

  1. Score a passing grade on the CISM exam;
  2. Agree to ISACA’s Code of Professional Ethics to guide professional and personal conduct;
  3. Submit verified evidence of a minimum of five years of information security work experience, with a minimum of three years of information security management work experience.

The exam costs $525.00 (if you have a standing ISACA membership, you get a $75.00 discount), and you will be facing 200 objective multiple-choice questions that must be answered in 4 hours. A minimum score of 450 out of 800 points is required to pass. ISACA uses a somewhat obscure scale, so you will never really know how many questions you need to get right. From my personal experience, if you score something between 75% and 80%, your success is almost guaranteed.

It is also important to understand that some of the examination questions are there for research/updating purposes, and they have no influence on the final grade. In addition, here is my very first tip for the CISM (it also applies to the CISA, CGEIT and CRISC): there is no way of knowing which questions do not count. Treat each one as a valid question, even the most unusual.

The exam’s objective is to test your knowledge in four functional areas of information security:

  • Domain 1—Information Security Governance (24%)
  • Domain 2—Information Risk Management and Compliance (33%)
  • Domain 3—Information Security Program Development and Management (25%)
  • Domain 4—Information Security Incident Management (18%)

There are two kinds of questions:

  • Fact-based: technology and infosec standards. There are no questions about specific products or technologies (e.g. SAP, Oracle, SQL, etc.).
  • Analysis-based: context and decision oriented. These questions require you to understand the scenario and formulate your opinion/judgment.


  • THE STUDY PLAN: The moment you realize the official CISM guide has 236 pages (at least the 2015 version) full of content, it becomes obvious that, without adequate planning, you might not have enough time to review everything. My recommendation is to study at least 2 hours per day during the 2 months prior to the exam date. During weekends, you should also set aside some more time for mock exams.
  • START WITH THE EXAM CANDIDATE INFORMATION GUIDE: The exam can be quite overwhelming for newcomers. You can find a lot of information here, but it is always a good idea to start with the candidate information guide. It will provide you with current information on topics like the exam domains, dates, available languages, how to register and some basic exam rules.
  • IF YOU CAN, USE THE OFFICIAL PUBLICATIONS: When I attended the CISA exam back in 2010, I decided to save some money and did not buy ISACA’s official review manual. That turned out to be a really bad move. My study was based on a book with terrible pedagogy, and it certainly cost me a few questions. For the CISM I did not repeat this mistake; I invested $105.00 ($135.00 for non-members) and it really paid off. Sure, there might be some non-official publications with great content, but my personal view, both as a student and as a trainer, is that sticking with the official ones is always a good investment.
  • TAKE YOUR TIME TO FAMILIARIZE YOURSELF WITH THE OFFICIAL GLOSSARY OF TERMS AND DEFINITIONS: Many questions may require an understanding and even an interpretation of ISACA’s CISM® Glossary. Do you really know what an Acceptable use policy or Fall-through logic is? The glossary can be downloaded HERE free of charge! It is also included in the official review manual, in case you bought it. READ IT. SEVERAL TIMES. At least until you fully master most definitions.
  • QUESTIONS, QUESTIONS AND SOME MORE QUESTIONS: Just to be clear on the subject: I do not profit from official ISACA material sales (though I would not mind it at all!). That said, I must recommend that you buy the official review questions. Sure, these questions will not be present on the exam, but they are a mirror image in terms of structure and of how the content is tested. The question bank has 1015 questions, and last June I solved most of them at least twice.

The idea is not to memorize every question, far from it! If you wish to pass this exam, it is necessary to understand the way ISACA will test your knowledge. Many have failed not because of a lack of familiarity with the exam content; in many cases failure comes from not understanding how the questions are structured, and from missing the small nuances that can completely change a sentence or even the whole question itself.

You can choose between the printed version or, as I did last year, go for the online option. The CISM Review Questions, Answers & Explanations 12-Month Subscription costs $185.00 and it was my most valued companion during the exam preparation. One of the advantages of the online version is the fact that it can be accessed from any internet-enabled device with a compatible browser, so it was easy to solve some questions during my lunch break at work and review them later at home. It is also very easy to track your progress and identify domains that need more attention.


There are some basic reports that show how many questions were answered and missed, some basic trends and time records. It sure is a very good tool to have at your disposal, since this can influence your study plan.


Since we are on the subject of the study plan, the tool also allows you to set the exam date, the study days and how many hours per day you plan to study. Again, very nice! Very nice indeed.


In terms of simulating the exam, there are several options, including creating customized exams for specific domains or knowledge areas and, of course, having a full practice exam with 200 questions and a 4-hour time limit.



You should try the full simulation at least a couple of times. It tests not only your knowledge, but also your capacity to keep focused during the 4-hour run.

  • THINKING LIKE A DISTANCE RUNNER: Surely, the examination will thoroughly test your understanding of most domain topics, but with 200 questions and a 4-hour time limit, the CISM will also test your ability to maintain focus, resilience, patience, you get the idea. For me, the best way to be prepared is to simulate this very scenario.

Ask yourself: when was the last time a distance runner prepared for a marathon doing ONLY 100-meter sprints? Your preparation should follow the same philosophy. Some of the people from my CISA study group back in 2010 only tested themselves with small blocks of about 50 questions. I can assure you that most of them, including the ones with a very good understanding of the exam topics, failed miserably.

As I said before, you should go for a full 200-question simulation a couple of times. Try to find a place where you can mimic the exam conditions: some isolation, little noise and, especially, no one to interrupt you.

  • HOW ABOUT GOING FOR AN OFFICIAL COURSE: Ok, since I have been an official instructor for ISACA courses for the last couple of years, you may think my view is biased. It is not. Like other expert-level certifications, the CISM requires a profound knowledge of several domain areas and a keen understanding of ISACA’s views on these very topics and of what constitutes information security good practice. Some of these interpretations are quite different from what most of us do on a daily basis.

The official course is 40 hours long, and here in Brazil it costs about $2,500.00. It is not cheap if you are on a tight budget, but you get the chance to spend some time with people in the same situation as you (preparing for the exam, not the tight budget!) and with an experienced instructor with firsthand knowledge of how to beat the exam. It is an excellent opportunity to get all of your questions answered, share experiences and strategies, and do some networking. All of this amounts to a greater success rate on the exam.

Of course, the official training is not mandatory. My point is that you should not be afraid of investing if you need help. For the CISM (and other top certifications from ISACA or ISC2), the return is a sure thing and, I dare say, almost immediate.


Ok, here is some practical advice I use quite a lot on the eve of exams:

  1. Make sure your exam kit is at the ready: Prepare an exam kit in advance of the exam and carry it with you. This kit could include your admission ticket, identity card, pencils, erasers, etc. Your ID must be a current and original government-issued identification that is not handwritten and contains both your name as it appears on the admission ticket and your photograph. Any candidate who does not provide an acceptable form of identification will not be allowed to sit for the exam and will forfeit their registration fee.
  2. Do not waste time with excessive reading: Last-minute reading is usually not a good thing, and may leave you anxious. If you think it is important to do a final review, do a selective reading.
  3. Selective reading: Well, if you insist on reading something, make sure you do a selective reading and do not focus solely on weaknesses. If you have not mastered a specific subject by now, you may prefer to focus on enhancing the ones you’re good at. Whenever possible I like to read summaries or take a look at the glossary.
  4. Do not stress yourself physically before or during the exam: Do not stay up late! You will need to be well rested and relaxed during the exam. This is almost as essential as the study preparation you did for the last couple of months. Avoid alcoholic beverages (even small amounts) and try to have a light meal. In the morning, a balanced breakfast and plenty of fluids are a very helpful way to have a good exam.
  5. Do not be late: The exam proctor will read the exam instructions punctually at 08:30, and no candidate will be admitted to the site after that.
  6. Enjoy the moment! The idea may seem a little contradictory, but having some fun while attending a difficult certification exam helps reduce tension and stress. Have some fun! After all, it is just a test, a challenge to be overcome.

DURING THE EXAM (how I did it)

The CISM is a lengthy exam and can be quite tiresome. Personally, after years of taking similar tests, I have found an approach that makes me feel very comfortable. I used this same tactic for the CISA and the CISSP; in both cases I was able to finish the exam at least 20 minutes before the time limit.

  • First run (about 45 min): I quickly read the entire exam, underline key terms like MOST, LEAST, NOT and ALL, eliminate options that are obviously false (distractors) and answer only the questions I am 100% sure of (still a minority of them);
  • Second run (about 2 hours): Again I read the entire exam, but this time I solve most of the questions, leaving only the ones I think will take more time than normal (if you prepared correctly, you should be able to answer most of the questions in 1 or 2 minutes; more than that is an auto-skip at this point);
  • Skipped/trouble questions (about 30 minutes): Ok, now it is time to focus on the questions I skipped or had no clue how to solve. If you use 3 minutes for each, you will be able to review at least 10 questions (5% of the exam!). In the worst-case scenario, there is always the option of an educated guess. For most questions, you can eliminate one or two options. This means a 33% to 50% chance of a correct answer, not so bad.
  • Answer sheet (about 45 minutes): Do not underestimate the effort required to fill in the answer sheet. 45 minutes might seem a little too much, but remember: you have to fill in 200 questions, and nothing is worse than getting a question right and missing it on the answer sheet.

Some final advice:

  • The CISM uses the “best answer” model. This means there may be more than one correct option. You must be able to understand the situation and choose the most suitable option for it. This is why I put so much emphasis on answering official questions.
  • If you are a professional with a more technical background, try to think from a managerial perspective. The other way around is also very important, as some questions will require technical knowledge.
  • 200 questions must be answered in 4 hours, which gives about 70 seconds per question. Of course, there are questions you will answer in less than half a minute, but it is always very important to keep an eye on the clock. If a question is taking over two minutes to solve, you may want to skip it and try again after you have solved the other questions;
  • RTFQ! Please pay attention to each question and its options. Understand what is asked and you have a good chance of solving it correctly. Terms such as MOST, LEAST, NOT and ALL require more attention, as they can change the context. Personally, I like to underline or circle them.
  • Keep the focus on the current question. Second-guessing or thinking about questions already answered or marked to solve later will do nothing but disrupt your concentration.
  • Read all options; never mark one as correct before reading the others. Never forget: you are looking for the BEST ANSWER. There might be cases where more than one option seems to be correct. It is up to you to find the best one.
  • You must answer ALL questions. There is no penalty for getting a question wrong. If you are unsure of the answer, guess it! As I said before, in most cases there will be an obviously false option that can be immediately discarded. You can check the remaining options for conflicting information, opposition or contradiction. Generally, the correct answer is the one that carries more information (but this does not mean a longer sentence).
  • Stretch and relax: Sitting still for about four hours can be quite uncomfortable. The more you become physically stressed, the harder it will be to concentrate and think straight. I recommend short breaks, at least once every hour (or during moments of despair :D). Relax your muscles and your mind. If you can, find something to clear your mind of the exam.
  • Tip 42: Do not panic! Keeping calm is essential and will help your concentration. Try to see the exam as a challenge and have some fun doing it. Believing in yourself is essential: if you prepared correctly it is likely the results will be great; if not, you will have a lot more experience for the next try!

AFTER THE EXAMINATION: Time to test your patience

Right after the exam, I strongly recommend relaxing and replenishing your calories:


OK! No exaggeration!

Now it is time to test your patience. ISACA takes about 4 weeks to send the results. I followed all the tips above, and was quite happy when they arrived:


Final score: 647/800 – Top 5%!

After receiving the test results, you must complete the Application Form and send it back to ISACA. They will review the information and, if everything is all right, you will finally be a certified CISM.

Oh, and if you found this article strangely familiar, you are correct! Most of these tips come from an older post focused on the CISA certification (it is still only available in Portuguese, sorry!).

Update: ISACA just sent me an email informing me that I earned the highest score in the Central/South America geographical region on the June 2015 CISM examination. I’m pretty happy right now!

“you have earned the highest score in the Central/South America geographical region on the June 2015 CISM examination” \o/\o/\o/

Update 05-31-16: And it finally arrived!

I’m really happy and proud to have received ISACA’s CISM Geographic Excellence Award for the highest score in Central America / South America region in June 2015.

CISM Geographic Excellence Award for the highest score in Central America / South America

When I prepared for the CISM I did my very best to earn a favorable outcome, but I never dreamed it would be so outstanding!

Thanks again to everyone who, somehow, supported me during this project. I dedicate this award to my father Francisco Dodt (in memoriam) and my dear Isabelle Araujo, who supported me immensely with love and patience.