The first trouble spot for exam candidates is the sheer scope of material. Without actually knowing the scope, someone may shrug off the exam as simply a non-technical IT auditing exam. But after a few minutes reviewing the scope, that opinion may change to a sense of being overwhelmed as they read through the exam’s 5 content areas and grasp the depth of each area.
After a review of all five content areas, or domains, the structure and pattern take shape. In time, a candidate can map their own strengths and gaps against them. So, what may appear overwhelming at first will quickly turn into a list of priority areas to study.
The CISM exam covers 5 domains. Those domains are as follows:
- Information Security Governance
- Information Risk Management
- Information Security Program Development
- Information Security Program Management
- Incident Management and Response
Experience Pays Off
With ISACA being an auditing-centric association, you might fear the CISM is loaded with auditing-related questions. Not true. Instead, the exam has a large base of information risk management. This gives anyone with experience in information risk a strong advantage. Almost equally so, anyone with experience in information security program management will also have an easier time.
To possess an introductory level across a few of the 5 domains requires a few years of relevant experience. Let’s say, for example, you have 3 years’ experience in information risk management and 2 years with incident response; you will then have enough hands-on knowledge to be quite familiar with 2 of the 5 domains. Any experience in information security program development and management should raise your confidence even higher. Confidence in the material will increase motivation to study the more unfamiliar areas. So experience definitely pays off in time and motivation during your study.
Covering Both Operational and Policy Levels
Another trouble spot is the combination of both low-level and high-level understanding of the domains required of the candidate. Be aware that a candidate having a few years of experience in a domain does not guarantee they know the entire domain. Each domain covers job duties and knowledge that span multiple levels of a job. For example, let’s consider Domain 4, covering systems maintenance. On the operational level of systems maintenance, a candidate will be more familiar with questions about procedures and implementation. On the higher, more management-oriented level of systems maintenance, the candidate is more familiar with policies and standards. Domain 4 spans both levels and much more.
No person is expected to know all areas solely based on experience. This means you must study and should not rely on experience alone for any domain.