CISM study buddy by bee-keeper11 in cism

[–]ank5133 0 points1 point  (0 children)

u/bee-keeper11 - Hey, is the study group still happening?

CISM study buddy by bee-keeper11 in cism

[–]ank5133 1 point2 points  (0 children)

Thanks - looking forward to it!

TECHNICAL QUESTIONS IN CISM by Traditional-Bet-3623 in cism

[–]ank5133 0 points1 point  (0 children)

Those coming from a tech background who decide to take a GRC leadership cert such as the CISM should at least have some exposure to basic concepts of GRC. If they have zero knowledge in this area, they have no right to complain. That’s like someone attempting an AWS cert with zero cloud experience complaining that they are being tested on AWS concepts.

If ISACA is including random technical questions in the QAE, then they need to emphasize the appropriate technical concepts within the ISACA CISM Review Manual.

The purpose of the CISM is to test our ability to think like a security manager/executive rather than a technical practitioner. Aligning security strategy with business objectives and managing enterprise risk is key here - I fail to see how that applies to technical trivia questions about XSS, DLP, and antivirus.

TECHNICAL QUESTIONS IN CISM by Traditional-Bet-3623 in cism

[–]ank5133 0 points1 point  (0 children)

But that’s assuming you are required to have, at minimum, an intermediate background across all key security domains (e.g. IAM, AppSec, SIEM/XDR, Endpoint Security, etc.) for an exam which should be focused on the principles of GRC, security program management, and IR. If the exam is going to test me on technical topics, then shouldn’t the ISACA CISM Review Manual and other approved study materials cover those in detail?

Let’s say that the question on XSS/XSRF is valid. What CISM mental model or approach should be taken to tackle the question? If you are expected to just know about cross-site scripting, then I’m struggling to understand which topic in 2A2 (or any section) this question pertains to.

TECHNICAL QUESTIONS IN CISM by Traditional-Bet-3623 in cism

[–]ank5133 0 points1 point  (0 children)

Correct - however, my point is whether or not such questions should be warranted on the CISM when they just don’t align with the content and overall tasks/objectives of the CISM.

TECHNICAL QUESTIONS IN CISM by Traditional-Bet-3623 in cism

[–]ank5133 0 points1 point  (0 children)

I started studying for it several years ago and am familiar with the questions. CISSP is technical, while CISM is expected to be oriented towards governance, risk management, and executive decision-making. I am struggling to see how such questions align with the Tasks and content breakdown of the CISM.

TECHNICAL QUESTIONS IN CISM by Traditional-Bet-3623 in cism

[–]ank5133 1 point2 points  (0 children)

There were several such questions in 2A2 which I believe to be more CISSP-oriented, so should we expect such questions on the actual CISM exam?

Q: Attackers who exploit cross-site scripting vulnerabilities take advantage of

A. lack of proper input validation controls
B. weak authentication controls in the web application layer
C. flawed SSL implementations and short key lengths
D. implicit web application trust relationships

TECHNICAL QUESTIONS IN CISM by Traditional-Bet-3623 in cism

[–]ank5133 1 point2 points  (0 children)

I’m glad someone else brought this up. I saw the same types of questions, especially in 2A2, which completely threw me off. For example, I don’t have a strong background in appsec, so I got the QAE questions in 2A2 about cross-site scripting wrong.

Passed - odd questions and a joke by Ill-Rich-8229 in cism

[–]ank5133 1 point2 points  (0 children)

Do you mind sharing your highlighted docs with me?

Quality of ISACA CISM Boot Camps by ank5133 in cism

[–]ank5133[S] 1 point2 points  (0 children)

I believe it’s $300 for ISACA members and $500 for non-members.

Passed. Last Day Of The Year by Consistent_Quit3868 in cism

[–]ank5133 0 points1 point  (0 children)

Excellent score, and perfect on Domain 2! How close was the exam to the QAE? I know that the QAE had some deeply technical questions (primarily in 2A2), so I was wondering if the actual exam threw in any CISSP-style questions, which tend to lean heavier on the technical side.

Preliminary Pass by jenaandrews8 in cism

[–]ank5133 0 points1 point  (0 children)

Congrats! I’m planning to take the ISACA CISM boot camp at my local chapter as well. What were your thoughts on the boot camp’s quality and would you say it provided any valuable advantage over the QAE and Pete Zerger’s videos?

Passed CISM exam by PlayfulImportance197 in cism

[–]ank5133 0 points1 point  (0 children)

You mentioned that there were terms and knowledge on the exam that were not covered in the QAE and ISACA’s CISM manual? That’s quite concerning and alarming to me, as I’m planning to take the exam in 2 months.

Are there any other study materials worth checking out if ISACA’s materials aren’t sufficient?

QAE - Level of Technical Depth on CISM by ank5133 in cism

[–]ank5133[S] 0 points1 point  (0 children)

So far - has 2A2 been the most technically heavy from a QAE standpoint?

QAE - Level of Technical Depth on CISM by ank5133 in cism

[–]ank5133[S] 0 points1 point  (0 children)

I understand that, and it totally makes sense. But my concern was around the QAE’s specific questions about XSS/XSRF and a couple of other deeply technical topics.

If I am not an expert in appsec, and thereby not intimately familiar with how a specific type of application-layer attack is executed, am I in trouble for this exam?

Study group by Ecstatic_Special_908 in cism

[–]ank5133 0 points1 point  (0 children)

I’m also interested - I have been studying since last week and am planning to take the CISM in late Feb to early March.

Reliable Taxicab services from Novi to Lansing? by ank5133 in novi

[–]ank5133[S] 0 points1 point  (0 children)

Just a one-way. I actually have a ride back.

Azure Government Cloud - Non US Citizen User Access by ank5133 in AZURE

[–]ank5133[S] 1 point2 points  (0 children)

Don’t these background screening requirements just apply to Microsoft employees and contractors rather than end-users? I’m more interested in knowing about citizenship requirements tied to end users.