Dave Pearcy, a senior cyber security consultant at Savanti, recently took his ISACA Certified Information Security Manager (CISM) exam and passed.

In Dave's own words:

While this might look like a massive attempt to promote myself (it is by the way), I thought it might be useful for others working in the cyber security industry, thinking of studying for some professional qualifications, to see my learning journey.

Which Qualification?

Obvious, I know, but the first and most important part of taking a qualification is deciding what qualification to take. Maybe you have an interest in a particular subject, maybe there's a requirement within your organisation, or perhaps there is an opportunity for free learning.

Whilst free learning is always welcome, I have taken several professional qualifications in the past and the most effective are ones I have had an interest in because these give you a fighting chance of getting a benefit, whether that's a qualification or just useful learning.

If the organisation you are working for is asking you to take courses that you are not interested in (away from regulatory requirements) then I would question if this is the right organisation.

Savanti and FSP both encourage education, and it is fundamental when working in the cyber security industry that you keep re-educating and keep abreast of the latest security trends and technology advances.

Why did I choose CISM?

  1. I've completed CISSP, but apart from the initial learnings, I found little benefit in its wide remit.
  2. I wasn’t interested in more technical courses.
  3. I already have a good working experience in Risk, Data Protection, Governance and Compliance.

CISM offers a professional qualification that enhances current knowledge. The courses were free on Udemy, a learning platform that all Savanti employees have access to.

Savanti paid for my exam and membership but it benefits both of us. I have a new qualification and they have a better-informed employee with qualified skills. We both get to show off.

I don’t like studying or reading

Choosing the coursework is the easy part! Learning is where it can quite easily fall apart.

I don't like reading, sorry all you bookworms out there, it almost feels like admitting to social leprosy, but I don’t enjoy reading books. 

My general approach to studying is to wait until the last minute and cram it all in. This is the method I used at school and for my PRINCE2, CISSP and MoR exams.

I do like to ‘learn on the job’

I am more likely to learn something if I’m doing it.

I like a good quiz

I love Trivial Pursuit and a good pub quiz. If you think of the exam as a big quiz then it makes it less scary.

My Approach

The first thing about approaching the coursework is understanding yourself. How do you like to learn? Because of my points above, I knew there was no point in investing in lots of books to read, no point in setting heavy study schedules that I wouldn't keep to. 

Find the right course by checking what scope is covered in the exam. I found one that was:

  1. video learning, so very little reading 
  2. mainly subjects I was interested in, knew something about and was working on for my job.

Watching the course videos was a smallish chunk of my worktime and Savanti supported this.


Do:

  • Note down revision areas that you are not comfortable with.
  • When halfway through the videos, book your exam for the same amount of time again; it is important to set the target date in the future. Be realistic!
  • Choose an exam type that suits you. Some like online but I like to be in an exam room with no distractions. 
  • Once you have watched all the videos go back over the areas you have noted.
  • Buy, find, or borrow exam question examples. Some come with the course.
  • Look for CISM question apps. You can get a bank of questions from ISACA if you’re a member; they are all over the place if you search.


Don't:

  • Write pages of notes that you won’t read.
  • Waste time on areas that you already feel confident in; you won’t gain points in the exam by relearning information.

The key to passing the exam is to understand the question formats. The more you practise these, the more you will have confidence for the exam. When you're hitting a regular 75% pass rate, you are ready for your big day!

My prep for the exam was simply to keep doing lots of questions. When watching football I’d be doing questions on my app, when on a train, doing some more questions. Keep doing the questions and reviewing wrong answers.

Exam day tips

  • Get a good night’s sleep.
  • If travelling to the exam, make sure you know where you are going.
  • Make sure you are fed and watered, but not so watered that you need the loo all the time.
  • Read the exam entrance requirements (ID, no phones, length of time etc.)
  • Be prepared - arrive early.
  • Above all - don't panic.

Exams are different for different people. I like to stay chilled and treat them like the quizzes I do. Once finished I go through the questions again looking for silly mistakes, but not deliberating over decisions too much. You are just as likely to change a right answer to a wrong answer rather than improve your score.

ISACA seem to have some sort of witchcraft formula to work out if you have passed or failed as you usually find out straight away.

They think it’s all over…

Pass or fail, there is some relief to finishing the exam. Take some time to relax and perhaps don’t think about the questions for a while.

If you have failed don’t worry too much about it. These things aren’t easy on purpose. My advice is don’t give up! Hopefully your organisation will pay your exam fee again. It’s not a reflection on your job or the work you do, it's about how you learn and react to exam conditions.

If you pass it’s still not over because there is always the next one. Rinse and Repeat!
