So I just got my results yesterday and I'm still kind of in shock — 453, which clears the 450 passing threshold. I failed my first attempt back in February with a 432 and honestly considered just giving up on it. The CISM is a different beast from the CISSP; it's not about technical knowledge so much as how a senior manager thinks about information security risk and governance. That shift in mindset took me a while to internalize.
For my second attempt I completely changed my approach. I stopped trying to memorize definitions and started working through a CISM practice test almost every day for six weeks — focusing hard on why wrong answers were wrong, not just why the right one was right. I also leaned heavily on the official ISACA study guide alongside a third-party prep book for the domain breakdowns. Domain 1 (Information Security Governance) was where I was losing the most points the first time.
Happy to share my full study plan if anyone's interested. What domains are people finding hardest right now? And has anyone used the ISACA QAE database versus third-party question banks — curious which felt more representative of the actual exam.