Your best approach to preparation is to break down your studying according to the 5 domains listed above.
On the ISACA website, under the CISM exam section, click on the link titled “Prepare for the Exam.” There will be a helpful guide called “The Candidate's Guide to the CISM Exam” available for free.
Proportion of Domains Per Exam
I mentioned earlier that the 5 domains are not covered equally in the CISM exam. The domain distribution is as follows:
- Domain 1Information Security Governance: 23%
- Domain 2Information Risk Management: 22%
- Domain 3Information Security Program Development: 17%
- Domain 4Information Security Program Management: 24%
- Domain 5Incident Management and Response: 14%
This distribution is called the Job Practice for the exam, as ISACA developed this using industry practitioners and subject matter experts.
In a figure taken from the ISACA website, they illustrate this distribution like this:
Use this distribution for studying. In other words, don’t invest equal study time for Domain 4 (24% of the exam) on Domain 5 (only 14% of the exam). A more reasonable strategy is to use study time in a similar proportion per domain.
Important: Because ISACA routinely updates the job practice areas, they already disclosed that the December 10th 2011 exam is the last CISM exam date that uses this exact distribution listed above.
Task and Knowledge Statements
“The Candidate's Guide to the CISM Exam” lists the several task statements and knowledge statements per domain. Task statements specify a job objective, while knowledge statements declare some specific awareness about an area. Between all domains, the CISM exam covers 45 task statements and 93 knowledge statements.
An example of a task statement would be “Ensure that threat and vulnerability evaluations are performed on an ongoing basis.” That’s task statement #4 of Domain 2: Information Risk Management. An example of a knowledge statement would be “Knowledge of risk assessment and analysis methodologies (including measurability, repeatability and documentation).” That’s statement #5 of the same Domain 2.
I strongly recommend you to read through these task and knowledge statements. To see them all, visit the ISACA website, go to the CISM section, under Prepare for the Exam / Job Practice Areas. Consider the task and knowledge statements as your recipe for mastering the CISM exam.
Study with Structure
Armed with the task and knowledge statements, you have a structured framework for studying. Depending on your preference, you may wish to check off the topics you feel already comfortable with, prioritizing the most unfamiliar areas to concentrate on. Or you may wish to briefly visit the most well-known areas, which may provide you more insight on the detail level expected across all areas. In any case, use the domain breakdown to your advantage, as a checklist and path to covering all required of you.
Important: ultimately, your strategy for studying should reflect both this domain proportion and your prior experience. And you can execute this strategy with a definite structure.
Study What Counts the MOST or What Comes FIRST
Know that CISM exam questions frequently use superlatives to distinguish the right answer. Superlatives like “best,” “most,” and “greatest” are common. In other words, from the four answers available there might be many correct answers, but there’s only one BEST answer.
Another common question type is to ask about priority or order. You’ll read questions asking for the primary goal or role. And it’s common to pose a situation, and then you are asked what would be the first step in a series of tasks.
So, just recognizing what steps are necessary is not good enough; know what order the steps should follow.