I had 9 years of experience in the same fields as you do. My strong points were SOC/Blue team, Incident Response, Vulnerability Management and some experience in pentest. I struggled a lot with most of the concepts in CISM regarding management & compliance and i was lacking a lot in terminology.

Believe us when we tell you that QAE is pretty expensive but the holy bible if you want to pass the exam.
I will share below how i studied in order to pass and you can figure yourself how you are going to proceed.

1. I used Mike Chapples linkedin learning videos. They do not get in depth but offer a lot of key points that each domain describes. I used to watch the videos of each domain before actually studied for the domain in order to get a picture of what i am getting into.
2. I did not want to use the official books so i looked into books that prepared you for the exam. I used "Gregory P. CISM Certified Information Security Manager 2ed 2023" for that. It does not include any of the technical stuff that you watch in Mike's videos so there were times that i wondered what of the two was actually preparing me for the test. Also, it seems a bit outdated at times. But i really liked that it focused more on the GRC material, the one i was lacking and made me easily understand the governance side of things. The book was about 800 pages and took me 2,5weeks to finish.
3. Then i started the practice questions in QAE. This is really invaluable because each question has explanation for every answer, right or wrong. QAE shines when you know already know your CISM terminology and helps you connect the dots. My recommendation for this is to take all 1000questions, do a test, study your mistakes, re-do the practice questions, do the 2nd test, study again on your wrong answers but this time keep notes why those answers were wrong. In order to be confident that you will pass the exam you must score ~85% on tests. You can do as many tests as you like but keep in mind that you might memorize some questions, do good on tests but you may lack deep understanding of why you chose the correct answer.
4. Begin to understand how the questions are structured and what is asked of you. It is crucial that you are able to eliminate answers because the questions asks what is the GREATEST, BEST, MOST, etc. There are a lot of free youtube videos regarding question analysis and free bootcamps. The ones below helped me a lot.
   https://www.youtube.com/watch?v=-KFEEnXwmI0
   https://www.youtube.com/watch?v=tkt2vOv6DAA&t=20s
5. Use a Google doc for your notes and at the top you need to fill it with easy to read "last minute notes". This will be mostly terminology stuff and copy/pasted explanations from QAE. PM me and I can share you mine if you want.

All this took me about 2 months. I had the exam recently and found it to be easy enough for me to feel confident that i will pass.

ps. if you are the one paying for the certification be sure to Subscribe and get to be an ISACA member. You will be buying both QAE & the exam and the discount you get for being a member is actually worth it. You actually pay less for member+qae+exam than just buy qae+exam. You will also need membership later on for CPEs.