r/cism

▲ 26 r/cism

Passed the CISM today on the second attempt

I won't make this too long because I do not know my score yet, but I received my provisional pass about 30 mins ago, roughly 30 days after failing my first attempt by 15 points.

Long story short, I recently got my CISSP, and I believed what everyone said about having the CISSP and then taking the CISM, and I did not do a great job preparing the first time...lesson learned.

u/icy-shine-6621 sums it all up here... I had the same mindset originally: https://www.reddit.com/r/cism/comments/1slj3jl/passed_on_2nd_go_lessons_learned/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

The second time, I used Hemang Doshi's course (some was outdated, but it helped with the CISM mindset and questions), I went through all 1138 QAE Database questions (averaged 80% but studied any area where I had a 70 or below), did both practice tests, scoring 93 and 88, and just deep-dived into why I got questions wrong and why my thinking was causing me to not understand the ISACA mindset and get 50/50 questions wrong.

All in all, it was a better experience. I did have one moment during the test when my internet just randomly went out... it scared the life out of me (ATT or Netgear owes me a new set of underwear). I was doing well on the test and feared I would "be failed" or lose the use of my voucher. Luckily, it came back up after a quick restart, and I just had to re-perform the environment scan and authentication. Normally, I would elect to take the test at an on-site testing center, but there were none in my area, and it would have required a lot of logistics to get to one. That being said, my goal is always to use the testing center specifically so I don't have to worry about those types of issues.

TLDR: Trust the QAE, ISACA/CISM mindset over everything, test at a center if you can, and just give the CISM the respect it deserves.

Good luck to everyone, trust your process, you got this...now a very long ten-day wait.

u/Full_Maintenance_747 — 4 days ago
▲ 6 r/cism

Go / Not Go for the EXAM

I’d like your opinion. I’m currently scoring around 80–85% in both adaptive mode and practice tests, and I’ve made significant progress in understanding the underlying logic.

However, I have one concern that affects my confidence. At this point, I feel I almost know every answer in the Q&A, which makes me unsure whether I truly understand the material or if I’m answering correctly simply because I’ve reviewed the questions many times.

Since I don't feel there's much more I can gain from the Q&A right now, I'm wondering whether I should move to Pocket Prep to cross-check my knowledge and enhance my confidence, or just go ahead and book the exam for next week. I'd appreciate your opinion on this.

u/Ok_Philosophy_3258 — 4 days ago
▲ 41 r/cism

Passed CISM — sharing what worked

Just passed CISM. Wanted to share what worked, since posts like this helped me when I was prepping.

## Background

16+ years in IT and information security across SL, UK, and AU. Coming in I had:

- CISSP
- ISO 27001 Lead Auditor + Lead Implementer
- MSc Information Security
- MBA (Business Analytics)
- AWS Solutions Architect Associate

Strong CISSP-style technical/security foundation, but CISM is a genuinely different beast. Don't assume CISSP experience carries you. The mindset is different. CISM is about what a manager does and prioritises, not what a practitioner would technically do.

## Materials that actually worked

  1. **Prabh Nair (YouTube)** — non-negotiable. Watch his full CISM domain series. The biggest takeaway wasn't the content itself but his **qualifier keyword framework** for reading questions (BEST, FIRST, MOST, PRIMARY etc.) and the ISACA mindset. Once that clicks, the whole exam gets easier.
  2. **Peter Zerger (YouTube)** — great for review and consolidation. More concise than Prabh, useful for refreshers near exam time. His domain summaries are gold.
  3. **Official ISACA QAE Manual (10th edition, physical book)** — essential. I went through it cover to cover. No online scoring/tracking since it's the book version, but you don't need a score to learn from it. The real value is in the **explanations** for both correct and incorrect answers. Read every single explanation. That's where the ISACA thinking pattern lives, and once you internalise that pattern, ambiguous questions become much less ambiguous.
  4. **Pocket Prep** — daily practice in short bursts. Habit-forming, mobile-friendly, decent question quality. Two days before the exam I scored **91% on a full mock here**, which gave me the final confidence to go in.

## Approach in short

- Watch Prabh first to build the mental model, then grind through QAE methodically

- Don't memorise — internalise ISACA's logic

- For every question: ask "what would a manager do?", not "what's technically correct?"

- Practice questions > re-reading material. Always.

- Use qualifier keywords to narrow down before even reading all options

- Read **every explanation** in QAE, even for questions you got right — that's where the ISACA pattern emerges

## Exam day

- 150 questions, 4 hours. Finished comfortably with time to review flagged items.

- Some questions felt ambiguous on first read, but applying the qualifier keyword logic almost always made the "best" answer obvious.

- Trust your prep. Don't second-guess yourself into changing right answers to wrong ones.

## My actual scaled scores

For context:

| Domain | Scaled score |
|---|---|
| Information Security Governance | 423 |
| Information Security Risk Management | 705 |
| Information Security Program | 686 |
| Incident Management | 611 |

Total = 611

## TL;DR

Prabh Nair + ISACA QAE book (read every explanation) + Pocket Prep is the holy trinity. Peter Zerger is the polish. If you're hitting 70-80%+ consistently on practice questions and internalising the *why* behind each answer, you're ready. Good luck to everyone prepping. Happy to answer specific questions in the comments.

u/Honest-Phrase-4920 — 7 days ago
▲ 13 r/cism

CISM Exam Tomorrow

I am scheduled to take my examination tomorrow morning, with approximately nine hours remaining. My performance in the Pocket Prep mock exams has consistently exceeded 90%. My preparation strategy involved completing all questions on Pocket Prep, identifying areas for improvement, and utilizing official slides, a review manual, and ThorTeaches Notes for CISM.

Could you please advise if the actual examination presents a higher level of difficulty compared to the QAE and Pocket Prep materials?

u/Gloomy-Information92 — 11 days ago
▲ 5 r/cism

Incident Management Domain No.4

Hello everyone,

I'm facing difficulties solving the questions in QAE Domain No. 4 (Incident Management); unlike the other domains, where I feel confident. Is it only me who faces this kind of issue with Domain 4? For those who can solve QAE Domain No. 4 easily, any advice or guidance would be highly appreciated.

u/CartoonistPretend711 — 12 days ago
▲ 30 r/cism (+3 crossposts)

CISM, CISA, and CRISC

Finally ready to post my journey.

Started in January 2026.

CISA earned on 23 January 2026

CRISC earned on 10 April 2026

CISM earned on 8 May 2026

Never say you can't, and always be ready to learn and grow. I have over 20 years in Cybersecurity and over 15 years in GRC. Still growing and learning every day.

u/Outrageous_Plant_526 — 14 days ago
▲ 3 r/cism

Question from CISM QAE Db

I am a little bit confused about this question & I need input, please. The question is specific to when developing an IS strategy. Thinking the ISACA way and, most importantly, as a manager, one would assume that the logical answer would be B. The possible responses for A and B are out. I was thinking that C is out as well. The only possible answer would be B. The step of being compliant w/ legal and regulatory constraints precedes and sets the bar for the risk response; in this case the decision was to mitigate against that risk. I am a bit confused.

https://preview.redd.it/b5it79vf620h1.png?width=1746&format=png&auto=webp&s=a30fff9dfa0cd8b9bc1bc6cce24b1058a8360b27

u/wbee13 — 13 days ago
▲ 4 r/cism

Need opinions

Hello there...

I've had no time to study for CISM in full, except for some PDF files I got from a course on YouTube, and then I solve the official ISACA questions.

Is that enough? Can I pass with this strategy despite being very simple?

u/Proof_Life3286 — 14 days ago