Passed CISM — sharing what worked
Just passed CISM. Wanted to share what worked, since posts like this helped me when I was prepping.
## Background
16+ years in IT and information security across SL, UK, and AU. Coming in I had:
- CISSP
- ISO 27001 Lead Auditor + Lead Implementer
- MSc Information Security
- MBA (Business Analytics)
- AWS Solutions Architect Associate

Strong CISSP-style technical/security foundation, but CISM is a genuinely different beast. Don't assume CISSP experience carries you. The mindset is different. CISM is about what a manager does and prioritises, not what a practitioner would technically do.
## Materials that actually worked
- **Prabh Nair (YouTube)** — non-negotiable. Watch his full CISM domain series. The biggest takeaway wasn't the content itself but his **qualifier keyword framework** for reading questions (BEST, FIRST, MOST, PRIMARY etc.) and the ISACA mindset. Once that clicks, the whole exam gets easier.
- **Peter Zerger (YouTube)** — great for review and consolidation. More concise than Prabh, useful for refreshers near exam time. His domain summaries are gold.
- **Official ISACA QAE Manual (10th edition, physical book)** — essential. I went through it cover to cover. No online scoring/tracking since it's the book version, but you don't need a score to learn from it. The real value is in the **explanations** for both correct and incorrect answers. Read every single explanation. That's where the ISACA thinking pattern lives, and once you internalise that pattern, ambiguous questions become much less ambiguous.
- **Pocket Prep** — daily practice in short bursts. Habit-forming, mobile-friendly, decent question quality. Two days before the exam I scored **91% on a full mock here**, which gave me the final confidence to go in.
## Approach in short
- Watch Prabh first to build the mental model, then grind through QAE methodically
- Don't memorise — internalise ISACA's logic
- For every question: ask "what would a manager do?", not "what's technically correct?"
- Practice questions > re-reading material. Always.
- Use qualifier keywords to narrow down before even reading all options
- Read **every explanation** in QAE, even for questions you got right — that's where the ISACA pattern emerges
## Exam day
- 150 questions, 4 hours. Finished comfortably with time to review flagged items.
- Some questions felt ambiguous on first read, but applying the qualifier keyword logic almost always made the "best" answer obvious.
- Trust your prep. Don't second-guess yourself into changing right answers to wrong ones.
## My actual scaled scores
For context:

| Domain | Scaled score |
|---|---|
| Information Security Governance | 423 |
| Information Security Risk Management | 705 |
| Information Security Program | 686 |
| Incident Management | 611 |
Total = 611
## TL;DR
Prabh Nair + ISACA QAE book (read every explanation) + Pocket Prep is the holy trinity. Peter Zerger is the polish. If you're hitting 70-80%+ consistently on practice questions and internalising the *why* behind each answer, you're ready. Good luck to everyone prepping. Happy to answer specific questions in the comments.