
How I Started Preparing for CISM

A pragmatic shift in exam order — driven by constraints, prior groundwork, and momentum, not theory.


December 28, 2025 | Parul Sharma

Strategy Change

My original plan was to give CISSP first and then take up CISM. I was already preparing for CISSP when a personal situation made it impossible for me to travel to Brussels to write the exam. Waiting indefinitely did not make sense. CISM, on the other hand, could be taken from home through online proctoring. That single practical difference changed the order. I decided to give CISM first and move CISSP for later.

I Was Not Starting From Zero

By the time I made this decision, I already knew most of the core security concepts because of my CISSP preparation. IAM was familiar. Physical security topics such as fire safety and facility controls were familiar. Cryptography, security governance, and asset security from CISSP Domain 2—asset lifecycle, classification, and handling—were also already covered.

These same concepts appear in CISM as well, but they are distributed differently across domains and tested with a different emphasis.

The Real Gap: ISACA Thinking, Not Concepts

At this stage, my challenge was not learning new material. It was understanding how ISACA expects you to think. CISSP spreads content across eight domains and tests breadth. CISM compresses similar content into four domains and then tests depth—especially from a governance, risk, and program-management perspective.

Knowing the concept was not enough. I needed to understand how decisions are framed, prioritized, and sequenced in CISM.

First Stop: Cybrary (Good Mapping, Not Enough Alignment)

To understand what CISM actually covers, I first took a Cybrary CISM course. I went through all the domain videos and completed the course end to end. The course helped me map my CISSP knowledge into CISM domains, but I still did not feel confident. I knew the content, but I did not feel aligned with how ISACA expects candidates to reason through scenarios.


Where It Finally Clicked: Pete Zerger’s CISM Content

The real shift happened when I started watching Pete Zerger’s CISM videos on YouTube. His teaching is not about explaining concepts in isolation. It is about explaining why ISACA prefers one answer over another, even when multiple options seem correct.

He consistently brings the focus back to governance, sequencing, and managerial judgment. This was especially important for ISACA-specific frameworks and ideologies such as COBIT, FAIR, governance maturity, and risk philosophy. These topics are rarely asked directly, but many questions are built around their principles.


Quick Access: Pete Zerger CISM domain breakdown videos

Domain 1
Domain 1A CISM Video
Domain 1B CISM Video

Domain 2
Domain 2A CISM Video
Domain 2B CISM Video

Domain 3
Domain 3A CISM Video
Domain 3B CISM Video

Domain 4
Domain 4A CISM Video
Domain 4B CISM Video

Why the PDFs Matter (More Than Once)

After completing the videos, I went through Pete Zerger’s PDFs in detail. I would strongly recommend reading them at least twice. The PDFs are not just summaries. They highlight differences, sequencing, and emphasis areas that matter in the exam. The second pass is where validation happens—you are no longer just reading, you are checking whether your thinking matches ISACA’s.

Moving Fully to Questions: ISACA QAE

Once I felt conceptually aligned, I shifted fully to ISACA’s QAE. The QAE is not just a practice bank; it is a thinking tool. It exposes gaps in interpretation and forces you to justify decisions the way ISACA expects.


The QAE contains roughly 1,200 questions. My first pass was deliberate and structured. I did not mix questions randomly. I attempted them topic-wise and domain-wise. The goal was not to score high or measure readiness. The goal was to attempt every question and expose gaps in my thinking.

Time Commitment: 10 Days, Fully Focused

One important detail here is time. I took 10 days of leave from office specifically for this preparation. This was not something I did alongside meetings or work calls. Those 10 days were fully dedicated to CISM. That mattered, because QAE is mentally exhausting—especially when you are retraining how you think, not just recalling answers.

First QAE Pass: Scores Didn’t Matter

During this first round of QAE, I did not worry about scores. Some areas looked decent; others were clearly weak. That did not bother me. At this stage, I knew I was still learning how ISACA frames questions. I was not yet reading every justification deeply. I was forcing myself to answer honestly and sit with the discomfort.

The Preparation Loop That Worked

The loop at this stage was simple and intentional: go through Pete Zerger’s videos and PDFs, then attempt the corresponding QAE questions topic-wise.

The objective was exposure and alignment, not perfection. This phase laid the foundation for what came next—where preparation shifted from understanding concepts to refining judgment and decision-making.

Most Important: Free preparation material + sample questions (high ROI).
