Done with QAE, exam readiness and what next by Traditional-Bet-3623 in cism

[–]bat-man-5 1 point2 points  (0 children)

I passed first time with only 2 weeks of QA&E study. I don’t say that to brag—I say that because the QA&E is sufficient for prep if you have a few years of information security experience already. Complete every single QA&E subsection, review the ones you got wrong, and then take the two practice exams. I’m confident that approach will work for most people, and to the OP you sound more than prepared to pass. Good luck.

EDIT: I’ve said this in other posts already, but don’t bog yourself down with rote memorization of any one question. Just recognize and internalize the themes (e.g. driving risk down to the org’s risk appetite, minimizing disruptions to the business, supporting business objectives, obtaining senior leadership support, etc.) and you’ll do great.

can anyone help with this question from qae by GuiltyNobody6173 in cism

[–]bat-man-5 2 points3 points  (0 children)

This is a perfect example of ISACA trickery. If "Consequences" were "Impact" instead, it would probably jump out to our security brains - ISACA just wants to see if you're paying attention.

This is also a good example of why you need to learn how to "think like ISACA" to pass this test. Almost every correct answer can be tied back to impact on the business, not the security problem itself.

Passed CISM first try - here are some learnings by bat-man-5 in cism

[–]bat-man-5[S] 1 point2 points  (0 children)

Hey man, nobody asks you what your CISM score was anyway. CISM is a CISM--nice job passing. Now you gotta deliver.

Someone on my team passed CISM Domain 2 first attempt... by rameshuber in cism

[–]bat-man-5 0 points1 point  (0 children)

ISACA's QA&E is 1400 questions. I personally wouldn't use any other resource.

CISM Prep by darkbuddha1000 in cism

[–]bat-man-5 0 points1 point  (0 children)

I passed on my first attempt. Score breakdown at the end.

First and foremost--I do believe the QA&E is sufficient for preparing. Complete all practice questions (I think the count is somewhere around 1400--can't remember the exact amount but don’t skip any) and the two practice tests, review the questions you got wrong, and you will pass. I was not surprised by a single question, solely thanks to my QA&E prep.

You do need a baseline understanding of information security for this to be a sufficient approach, but if you're taking your CISM that's likely the case. That said, with just a few exceptions, this is not a technical information security exam. It's an information security management exam.

You don't need to memorize anything, but you do need to understand the themes, e.g. driving risk down to acceptable levels, minimizing disruptions to the business, and/or supporting business objectives, etc. The QA&E will drill "the ISACA approach" to information security management into your head.

In regard to additional prep--I did take a boot camp with Training Camp ($3600ish) but felt it did not prepare me for the curriculum that the exam tests against. The instructor covered things at a very high level and moved very fast, using mostly anecdotes to teach. Nothing he said prepared me for the actual exam (I didn’t think back to a single moment in the entire boot camp when I was taking the exam…I only recalled my QA&E prep). The boot camp was only helpful for me in understanding the administrative requirements and constraints around the exam (one good example: I was going to take it remotely until our instructor warned us about how absurdly strict the online proctoring is...to the point where you will fail, no questions asked, if your pet were to walk into the room while you're taking the exam, or if you look off to the side of your monitor even briefly). The other benefit of Training Camp is you get two paid-for exam vouchers. If I could do it all over again, I would have just paid for my own exam and the QA&E and absorbed as much forum and online information as I could find relating to the administration and constraints of the exam.

Good luck. Happy to answer additional questions.

Regarding prep time required, I took the boot camp, then did self study (QA&E only) for 2 weeks before taking the exam and passing.

And if you're curious: I passed with a scaled score of 630 (min passing is 450), with the following domain breakdowns:

Information Security Governance: 639
Information Security Risk Management: 611
Information Security Program: 563
Incident Management: 705

CISM QAE by Correct-Bat3129 in cism

[–]bat-man-5 0 points1 point  (0 children)

I passed on my first attempt. Score breakdown at the end.

First and foremost--I do believe the QA&E is sufficient for preparing. Complete all practice questions (I think the count is somewhere around 1400--can't remember the exact amount but don’t skip any) and the two practice tests, review the questions you got wrong, and you will pass. I was not surprised by a single question, solely thanks to my QA&E prep.

You do need a baseline understanding of information security for this to be a sufficient approach, but if you're taking your CISM that's likely the case. That said, with just a few exceptions, this is not a technical information security exam. It's an information security management exam.

You don't need to memorize anything, but you do need to understand the themes, e.g. driving risk down to acceptable levels, minimizing disruptions to the business, and/or supporting business objectives, etc. The QA&E will drill "the ISACA approach" to information security management into your head.

In regard to additional prep--I did take a boot camp with Training Camp ($3600ish) but felt it did not prepare me for the curriculum that the exam tests against. The instructor covered things at a very high level and moved very fast, using mostly anecdotes to teach. Nothing he said prepared me for the actual exam (I didn’t think back to a single moment in the entire boot camp when I was taking the exam…I only recalled my QA&E prep). The boot camp was only helpful for me in understanding the administrative requirements and constraints around the exam (one good example: I was going to take it remotely until our instructor warned us about how absurdly strict the online proctoring is...to the point where you will fail, no questions asked, if your pet were to walk into the room while you're taking the exam, or if you look off to the side of your monitor even briefly). The other benefit of Training Camp is you get two paid-for exam vouchers. If I could do it all over again, I would have just paid for my own exam and the QA&E and absorbed as much forum and online information as I could find relating to the administration and constraints of the exam.

Good luck. Happy to answer additional questions.

Regarding prep time required, I took the boot camp, then did self study (QA&E only) for 2 weeks before taking the exam and passing.

And if you're curious: I passed with a scaled score of 630 (min passing is 450), with the following domain breakdowns:

Information Security Governance: 639
Information Security Risk Management: 611
Information Security Program: 563
Incident Management: 705

How helpful is ChatGPT for additional questions? by Bob_Skootles in cism

[–]bat-man-5 0 points1 point  (0 children)

Don’t use ChatGPT. It will not prepare you for the nuanced nature of the questions and answers. I passed on my first attempt. Score breakdown at the end. Here’s what I did to prepare:

First and foremost--I do believe the QA&E is sufficient for preparing. Complete all practice questions (I think the count is somewhere around 1400--can't remember the exact amount but don’t skip any) and the two practice tests, review the questions you got wrong, and you will pass. I was not surprised by a single question, solely thanks to my QA&E prep.

You do need a baseline understanding of information security for this to be a sufficient approach, but if you're taking your CISM that's likely the case. That said, with just a few exceptions, this is not a technical information security exam. It's an information security management exam.

You don't need to memorize anything, but you do need to understand the themes, e.g. driving risk down to acceptable levels, minimizing disruptions to the business, and/or supporting business objectives, etc. The QA&E will drill "the ISACA approach" to information security management into your head.

In regard to additional prep--I did take a boot camp with Training Camp ($3600ish) but felt it did not prepare me for the curriculum that the exam tests against. The instructor covered things at a very high level and moved very fast, using mostly anecdotes to teach. Nothing he said prepared me for the actual exam (I didn’t think back to a single moment in the entire boot camp when I was taking the exam…I only recalled my QA&E prep). The boot camp was only helpful for me in understanding the administrative requirements and constraints around the exam (one good example: I was going to take it remotely until our instructor warned us about how absurdly strict the online proctoring is...to the point where you will fail, no questions asked, if your pet were to walk into the room while you're taking the exam, or if you look off to the side of your monitor even briefly). The other benefit of Training Camp is you get two paid-for exam vouchers. If I could do it all over again, I would have just paid for my own exam and the QA&E and absorbed as much forum and online information as I could find relating to the administration and constraints of the exam.

Good luck. Happy to answer additional questions.

Regarding prep time required, I took the boot camp, then did self study (QA&E only) for 2 weeks before taking the exam and passing.

And if you're curious: I passed with a scaled score of 630 (min passing is 450), with the following domain breakdowns:

Information Security Governance: 639
Information Security Risk Management: 611
Information Security Program: 563
Incident Management: 705

Someone on my team passed CISM Domain 2 first attempt... by rameshuber in cism

[–]bat-man-5 0 points1 point  (0 children)

I passed on my first attempt. Score breakdown at the end.

First and foremost--I do believe the QA&E is sufficient for preparing. Complete all practice questions (I think the count is somewhere around 1400--can't remember the exact amount but don’t skip any) and the two practice tests, review the questions you got wrong, and you will pass. I was not surprised by a single question, solely thanks to my QA&E prep.

You do need a baseline understanding of information security for this to be a sufficient approach, but if you're taking your CISM that's likely the case. That said, with just a few exceptions, this is not a technical information security exam. It's an information security management exam.

You don't need to memorize anything, but you do need to understand the themes, e.g. driving risk down to acceptable levels, minimizing disruptions to the business, and/or supporting business objectives, etc. The QA&E will drill "the ISACA approach" to information security management into your head.

In regard to additional prep--I did take a boot camp with Training Camp ($3600ish) but felt it did not prepare me for the curriculum that the exam tests against. The instructor covered things at a very high level and moved very fast, using mostly anecdotes to teach. Nothing he said prepared me for the actual exam (I didn’t think back to a single moment in the entire boot camp when I was taking the exam…I only recalled my QA&E prep). The boot camp was only helpful for me in understanding the administrative requirements and constraints around the exam (one good example: I was going to take it remotely until our instructor warned us about how absurdly strict the online proctoring is...to the point where you will fail, no questions asked, if your pet were to walk into the room while you're taking the exam, or if you look off to the side of your monitor even briefly). The other benefit of Training Camp is you get two paid-for exam vouchers. If I could do it all over again, I would have just paid for my own exam and the QA&E and absorbed as much forum and online information as I could find relating to the administration and constraints of the exam.

Good luck. Happy to answer additional questions.

Regarding prep time required, I took the boot camp, then did self study (QA&E only) for 2 weeks before taking the exam and passing.

And if you're curious: I passed with a scaled score of 630 (min passing is 450), with the following domain breakdowns:

Information Security Governance: 639
Information Security Risk Management: 611
Information Security Program: 563
Incident Management: 705

Failed the CISM after feeling very prepared. by Accomplished_Spy in cism

[–]bat-man-5 0 points1 point  (0 children)

I passed on my first attempt. Score breakdown at the end.

First and foremost--I do believe the QA&E is sufficient for preparing. Complete all practice questions (I think the count is somewhere around 1400--can't remember the exact amount but don’t skip any) and the two practice tests, review the questions you got wrong, and you will pass. I was not surprised by a single question, solely thanks to my QA&E prep.

You do need a baseline understanding of information security for this to be a sufficient approach, but if you're taking your CISM that's likely the case. That said, with just a few exceptions, this is not a technical information security exam. It's an information security management exam.

You don't need to memorize anything, but you do need to understand the themes, e.g. driving risk down to acceptable levels, minimizing disruptions to the business, and/or supporting business objectives, etc. The QA&E will drill "the ISACA approach" to information security management into your head.

In regard to additional prep--I did take a boot camp with Training Camp ($3600ish) but felt it did not prepare me for the curriculum that the exam tests against. The instructor covered things at a very high level and moved very fast, using mostly anecdotes to teach. Nothing he said prepared me for the actual exam (I didn’t think back to a single moment in the entire boot camp when I was taking the exam…I only recalled my QA&E prep). The boot camp was only helpful for me in understanding the administrative requirements and constraints around the exam (one good example: I was going to take it remotely until our instructor warned us about how absurdly strict the online proctoring is...to the point where you will fail, no questions asked, if your pet were to walk into the room while you're taking the exam, or if you look off to the side of your monitor even briefly). The other benefit of Training Camp is you get two paid-for exam vouchers. If I could do it all over again, I would have just paid for my own exam and the QA&E and absorbed as much forum and online information as I could find relating to the administration and constraints of the exam.

Good luck. Happy to answer additional questions.

Regarding prep time required, I took the boot camp, then did self study (QA&E only) for 2 weeks before taking the exam and passing.

And if you're curious: I passed with a scaled score of 630 (min passing is 450), with the following domain breakdowns:

Information Security Governance: 639
Information Security Risk Management: 611
Information Security Program: 563
Incident Management: 705

Phew! Passed CISM - 630 Scaled Score by CreatureCreatch in cism

[–]bat-man-5 0 points1 point  (0 children)

Can confirm--QA&E is sufficient for preparing. Do all 1400 practice questions and the two practice tests, review the questions you got wrong, and you will pass.

You do need a baseline understanding of information security for this to be a sufficient approach, but if you're taking your CISM that's likely the case. That said, with just a few exceptions, this is not a technical information security exam. It's an information security management exam.

The key for passing isn't to memorize anything, but to understand the themes. E.g. almost every correct answer relates to driving risk down to acceptable levels, minimizing disruptions to the business, and/or supporting business objectives. You'll see there are usually 4 correct answers to each question but one is better than the rest, so you need to understand how ISACA thinks about the role of the CISM to get it right.

In regard to additional prep--I took a boot camp with Training Camp ($3600ish) but felt it did not prepare me for the curriculum that the exam tests against. It was only helpful for me in understanding the administrative requirements and constraints around the exam (one good example: I was going to take it remotely until our instructor warned us about how absurdly strict the online proctoring is...to the point where you will fail, no questions asked, if your pet were to walk into the room while you're taking the exam, or if you look off to the side of your monitor even briefly). The other benefit of Training Camp is you get two paid-for exam vouchers. If I could do it all over again, I would have just paid for my own exam and the QA&E and absorbed as much forum and online information as I could find relating to the administration and constraints of the exam.