Two-Week Final Review Plan

Key Takeaways

  • CISM is 150 multiple-choice questions in 240 minutes, with a 450/800 scaled passing score.
  • Weight final review by domain: Information Security Program 33%, Incident Management 30%, Risk Management 20%, Governance 17%.
  • In the last two weeks, drill weak domains and answer-choice judgment rather than relearning the whole syllabus.
  • If you test on or after 3 November 2026, study the new outline (adds enterprise and security architecture); before that, use the current four-domain blueprint.
Last updated: June 2026

The Certified Information Security Manager (CISM) exam is 150 multiple-choice questions in 240 minutes, scored on a 200-800 scale where 450 is passing. ISACA does not publish a percent-correct cutoff; the scaled score is equated across forms, so a raw percentage from a practice test cannot be converted to a 450. In the final two weeks your job is not to relearn the syllabus but to close domain gaps and sharpen the manager's answer-selection habit.

Allocate study time by the current domain weights, because that is how the 150 questions are distributed:

| Domain | Weight | Approx. questions | Priority if weak |
|---|---|---|---|
| 1. Information Security Governance | 17% | ~25 | Medium |
| 2. Information Security Risk Management | 20% | ~30 | High |
| 3. Information Security Program | 33% | ~50 | Highest |
| 4. Incident Management | 30% | ~45 | High |

Domains 3 and 4 together are roughly 63% of the exam, so review them first if time is short.

A caution that affects every section of this chapter: do not study from "brain dumps" or recalled live questions. ISACA's Code of Professional Ethics and exam agreement prohibit it, the items are frequently wrong or stale, and possessing them can void your result. Use legitimate practice banks that explain the manager's reasoning instead. The goal of the final two weeks is calibration -- confirming you can apply principles under time pressure -- not memorizing answers.

A concrete 14-day schedule

Use a remediation loop, not a re-read. A workable cadence:

  • Days 1-2 (Risk Management, 20%): review asset valuation, qualitative vs. quantitative analysis, SLE = AV x EF, ALE = SLE x ARO, risk treatment options (accept, mitigate, transfer, avoid), and residual vs. inherent risk.
  • Days 3-5 (Information Security Program, 33%): controls selection, metrics and KPIs/KRIs, awareness, third-party/vendor risk, and how the manager reports program value to the business.
  • Days 6-8 (Incident Management, 30%): the detect, triage, contain, eradicate, recover, lessons-learned lifecycle, BIA, RTO, RPO, and incident classification.
  • Days 9-10 (Governance, 17%): strategy alignment, roles (board, steering committee, CISO), policy hierarchy, and the RACI model.
  • Days 11-13: two full 150-question timed mocks; log every miss by domain.
  • Day 14: light review of your error log only. No new material.
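The Day 1-2 formulas (SLE = AV x EF, ALE = SLE x ARO) and the four treatment options are easiest to internalize when carried through one scenario. The following Python is an added worked example, not part of the study guide: it computes inherent and residual ALE for constructed sample figures and ranks accept, mitigate, transfer and avoid by total annual exposure (treatment cost plus residual loss). The asset value, exposure factors, rates and control costs are invented for illustration, and the `Treatment` structure is a hypothetical one chosen for this example.

```python
"""Added worked example of CISM quantitative risk analysis (not from the guide).

    SLE = AV x EF      single loss expectancy
    ALE = SLE x ARO    annualized loss expectancy

Treatment options are compared by annual exposure = treatment cost + residual ALE,
which is the manager's cost-benefit view. All numbers are constructed samples.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of asset value lost in one event (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is expected occurrences per year and may be below 1."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Treatment:
    """One risk treatment option (hypothetical structure for this example)."""
    name: str            # accept / mitigate / transfer / avoid
    annual_cost: float   # control cost, insurance premium, or forgone revenue per year
    residual_aro: float  # occurrence rate remaining after the treatment
    residual_ef: float   # exposure factor remaining after the treatment


def residual_ale(asset_value: float, t: Treatment) -> float:
    """Residual risk after the treatment, expressed as an ALE."""
    sle = single_loss_expectancy(asset_value, t.residual_ef)
    return annualized_loss_expectancy(sle, t.residual_aro)


def annual_exposure(asset_value: float, t: Treatment) -> float:
    """Total expected yearly cost: what you pay for the treatment plus what you still lose."""
    return t.annual_cost + residual_ale(asset_value, t)


def cheapest_treatment(asset_value: float, options: list[Treatment]) -> Treatment:
    """The option with the lowest annual exposure; ties keep list order."""
    return min(options, key=lambda t: annual_exposure(asset_value, t))


# Constructed scenario: a customer database valued at 2,000,000. A breach is
# assumed to destroy 25% of its value and to occur about once every four years.
ASSET_VALUE = 2_000_000.0
INHERENT_EF = 0.25
INHERENT_ARO = 0.25

OPTIONS = [
    Treatment("accept", 0.0, INHERENT_ARO, INHERENT_EF),     # inherent risk, no spend
    Treatment("mitigate", 60_000.0, 0.05, INHERENT_EF),      # control cuts the frequency
    Treatment("transfer", 40_000.0, INHERENT_ARO, 0.10),     # insurance covers most of the loss
    Treatment("avoid", 200_000.0, 0.0, 0.0),                 # retire the system; lost revenue
]

if __name__ == "__main__":
    inherent_sle = single_loss_expectancy(ASSET_VALUE, INHERENT_EF)
    print(f"inherent SLE {inherent_sle:,.0f}  inherent ALE "
          f"{annualized_loss_expectancy(inherent_sle, INHERENT_ARO):,.0f}")
    for t in OPTIONS:
        print(f"{t.name:9s} cost {t.annual_cost:>9,.0f}  residual ALE "
              f"{residual_ale(ASSET_VALUE, t):>9,.0f}  total {annual_exposure(ASSET_VALUE, t):>9,.0f}")
    print("lowest annual exposure:", cheapest_treatment(ASSET_VALUE, OPTIONS).name)
```

With these sample figures the inherent ALE is 125,000 and mitigation wins at 85,000 total, while avoidance is the most expensive option at 200,000. That is the numeric form of the exam's preference for reducing risk to an acceptable level over eliminating it: the residual risk the manager accepts is a deliberate, costed decision, not a failure.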

The single highest-yield habit in week two is the error log. For each miss, write one line: the domain, the trap that fooled you, and the principle that picks the right answer. Most candidates find their misses cluster -- they repeatedly pick the technical fix over the governance action, or jump to containment before classification. Fixing one recurring reasoning error is worth more than memorizing ten new facts.

Mix domains in your final mocks rather than drilling one area at a time. The real exam interleaves all four domains in unpredictable order, and the skill of switching context -- from a risk-quantification item to an incident-command item to a governance-strategy item -- is itself a hurdle. A candidate who scores well on single-domain quizzes but stumbles on a mixed 150-question set has a sequencing and stamina problem, not a knowledge problem, and the cure is full-length timed practice.

The manager's lens

CISM rewards the governance answer over the technical one. When a question lists several reasonable actions, the strongest choice usually aligns with business objectives, assigns ownership, and produces evidence management can act on. "Reduce risk to an acceptable level" beats "eliminate the risk." The FIRST action is often to determine business impact, classify, or consult the asset owner -- not to deploy a tool.

Watch the qualifier in the stem -- it changes the answer:

| Qualifier | What it asks for |
|---|---|
| FIRST / NEXT | The earliest correct step in a sequence (often analyze or classify, not act) |
| BEST / MOST | The most complete, durable solution among several workable ones |
| PRIMARY | The root purpose or main driver, not a secondary benefit |
| GREATEST concern | The item with the largest business or risk impact |

If you test on or after 3 November 2026, switch to the updated outline, which emphasizes strategy and adds enterprise architecture and information security architecture content; updated prep materials shipped September 2026. Studying the wrong blueprint is a genuine risk because two outlines circulate around that date.

A worked example of the manager's lens

Stem: A new business unit will process regulated customer data in a cloud service the security team has never assessed. What should the information security manager do FIRST? Tempting technical options -- enable encryption, deploy a CASB, configure logging -- all feel productive. But the FIRST qualifier and the regulated-data context point to understanding exposure before acting. The strongest answer is to conduct a risk assessment / determine the data classification and applicable requirements, because that defines what controls are even appropriate and who owns the risk.

Encryption without knowing the classification or legal obligations is a guess.

Replay this pattern across your error log: for each miss, ask whether the better answer was the one that established context and ownership before jumping to a tool. That single reframing resolves a large share of CISM near-misses and is the most transferable skill you can sharpen in the final two weeks.

Test Your Knowledge

With one week left and limited time, which CISM domain should a candidate prioritize for review based on exam weighting?

Test Your Knowledge

A practice test reports 78% correct. What does this tell you about your likely CISM scaled score?
