Quick Answer: The Short Stack
The CISM market is full of materials ranging from excellent to genuinely useless. The exam tests management judgment, not technical recall -- which means your study resources need to teach you how ISACA thinks, not just what ISACA knows. That distinction rules out a surprising number of popular products.
Before diving into individual reviews: the single most common mistake CISM candidates make is spending too much on materials and too little time doing practice questions. The exam rewards candidates who understand the ISACA management mindset, and that mindset is absorbed through repeated exposure to well-explained questions -- not through re-reading textbook chapters.
If you want a framework for how to schedule each resource across 12 weeks, see our CISM 12-Week Study Plan.
ISACA's Official Materials
ISACA CISM Review Manual (15th Edition)
The Review Manual is the authoritative source for CISM content -- everything on the exam is ultimately derived from this document and the Exam Content Outline. The 2026 edition covers all four domains: Information Security Governance (17%), Information Risk Management (20%), Information Security Program (33%), and Information Security Incident Management (30%).
Cost: Approximately $139 for ISACA members, $189 for non-members (digital PDF). Print editions run higher.
What it does well: Comprehensive by definition. If a concept appears on the exam, it is in this manual. The 2026 edition reflects the updated domain weightings taking effect November 2026, so it is current. It also functions as an excellent reference throughout your certification lifecycle.
What it does poorly: The manual is written to document the body of knowledge, not to prepare you for a four-hour scenario-based exam. The writing is dense and encyclopedic. Reading it cover to cover -- roughly 700 pages -- without supplementing with practice questions is a common failure mode. Candidates who rely on it alone frequently pass the content knowledge component but struggle with ISACA's management-first answer logic.
Verdict: Buy it as a reference, not as your primary study vehicle. Read the chapter introductions and key concept summaries; use it to look up topics you miss on practice exams rather than reading linearly.
ISACA Questions, Answers and Explanations (QAE) Database
The QAE database is the official ISACA practice question bank -- over 1,000 questions written by ISACA subject matter experts, mapped directly to the Exam Content Outline.
Cost: Approximately $149 for ISACA members, $199 for non-members (12-month access).
Why it is essential: These are the closest publicly available questions to actual exam style. The explanations, particularly the "why the other three answers are wrong" sections, are where the management mindset gets absorbed. Candidates who work through the entire QAE database with honest reflection -- not just clicking to see the answer -- consistently outperform those who do not.
See our guide to CISM question banks for a full comparison of the QAE versus third-party alternatives.
Verdict: Non-negotiable. This should be in every candidate's stack regardless of what else they use.
ISACA Interactive Online Review (IOR)
The IOR is ISACA's video-plus-question course, available individually per domain or as a bundle. It covers all four domains with recorded lectures and embedded practice questions.
Cost: Approximately $895 for members (full bundle), $1,195 for non-members.
Verdict: Overpriced relative to alternatives that cover the same ground. The content quality is fine, but at this price you can purchase the Review Manual, QAE database, and a well-regarded third-party course and have money left over. Only worth considering if your employer reimburses it in full and you prefer a single-vendor approach.
Third-Party Study Guides
Mike Chapple and Joe Shelley - CISM All-in-One Exam Guide (McGraw-Hill)
The McGraw-Hill All-in-One series has produced the benchmark study guides for dozens of IT certifications, and the CISM edition holds up well. Chapple and Shelley structured the book around exam objectives rather than around the Review Manual's domain chapters, which makes it substantially easier to use for targeted study.
Strengths: Clear writing, well-organized chapters, good summary tables, and practice questions at the end of each chapter that teach answer logic rather than just content recall. The authors explicitly address common wrong-answer traps -- a real differentiator for a scenario-based exam.
Weaknesses: At roughly 650-700 pages it is nearly as long as the Review Manual. Not all topics receive equal depth; incident management and governance tend to be thorough, while some niche risk management sub-topics are thinner than the Review Manual.
Cost: Around $50-60 print, $40-50 digital.
Verdict: Best overall third-party book. Recommended as the primary reading resource for candidates who prefer text to video.
Hemang Doshi - CISM Certified Information Security Manager Practice Exams
Hemang Doshi is probably the most recognized independent CISM instructor, with a large following from his YouTube channel and Udemy courses. His practice exam books and Udemy course are consistently highly rated by candidates who describe the management-mindset explanations as the clearest available.
Book strengths: Doshi excels at explaining why the ISACA answer is correct from a management perspective, not just restating the domain content. His mnemonics and "think like a manager, not an engineer" framing resonate with technical professionals transitioning toward management roles.
Book weaknesses: The practice exam books skew lighter on domain content coverage compared to Chapple. They work best as a complement to a content-heavy resource, not as a standalone.
Cost: Practice exam books around $35-45 print; Udemy course typically $15-25 during sales (which run frequently), $130-200 list price.
Verdict: Best supplementary resource, especially strong for candidates who struggle with the "management mindset" trap questions. Pair with the Chapple book or the ISACA Review Manual for full content coverage.
David Kim and Michael G. Solomon - CISM Certified Information Security Manager Study Guide (Sybex/Wiley)
The Sybex study guide takes a more practitioner-oriented approach than the Chapple text, grounding domain concepts in real-world security program scenarios. This makes it useful for candidates with limited management experience who need to understand what the exam concepts look like in practice.
Cost: Around $50-60 print.
Verdict: A solid secondary option, particularly useful for candidates who find Chapple too exam-centric and want more applied context. Not materially better than Chapple as a primary resource; choose one or the other.
Online Courses and Video Training
Hemang Doshi (Udemy)
The Udemy course from Hemang Doshi covers all four domains with video lectures, and supplements the content with downloadable notes and practice questions. Running around 30-40 hours of content, it is the most popular third-party CISM course on the platform by a wide margin.
Best for: Candidates who absorb material better through listening than reading, and candidates who want a narrative walkthrough of the management mindset before doing questions.
Cost: $15-25 on sale (Udemy runs frequent discounts). At that price it is low-risk to buy as a supplement.
Pluralsight CISM Learning Path
Pluralsight's CISM path covers all four domains through a series of short-form video modules. The production quality is high and the content is regularly updated.
Best for: Candidates already paying for a Pluralsight subscription for other professional development. At full subscription cost ($299+/year), it does not justify the price as a CISM-only resource when Udemy alternatives exist at a fraction of the cost.
LinkedIn Learning CISM Prep
LinkedIn Learning's CISM content is adequate but thinner than Pluralsight or Doshi. Useful if you already have a LinkedIn Premium subscription. Not worth purchasing as a standalone resource.
Practice Question Banks
Practice questions are where exam preparation actually happens. Reading content builds domain knowledge; questions test whether you can apply it the way ISACA expects. The two most important dimensions of a question bank are question quality (scenario-based, management-oriented, with traps that reflect real exam patterns) and explanation quality (explaining the reasoning behind correct and incorrect answers, not just citing the domain).
| Source | Question Count | Explanation Quality | Cost (approx.) |
|---|---|---|---|
| ISACA QAE Database | 1,000+ | Excellent | $149 / $199 |
| Hemang Doshi (Udemy + book) | 500-800 | Very Good | $35-60 |
| Mike Chapple All-in-One | 400-600 | Good | Included with book |
| Sybex/Wiley Study Guide | 350-500 | Good | Included with book |
For a deeper breakdown of question bank platforms and how to use them strategically, see our free CISM practice questions guide and the full question bank comparison.
Full Comparison Table
| Resource | Type | Cost (approx.) | Best For | Verdict |
|---|---|---|---|---|
| ISACA QAE Database | Practice questions | $149 - $199 | All candidates | Essential |
| ISACA Review Manual | Reference text | $139 - $189 | Supplemental reference | Useful, not primary |
| Chapple All-in-One (McGraw-Hill) | Study guide | $50 - $60 | Primary reading, text learners | Best book overall |
| Hemang Doshi (book) | Practice exams | $35 - $45 | Mindset supplement | Best supplementary book |
| Hemang Doshi (Udemy) | Video course | $15 - $25 (sale) | Video/audio learners | Best video value |
| Sybex/Wiley Study Guide | Study guide | $50 - $60 | Practitioner context | Solid alternative to Chapple |
| ISACA Interactive Online Review | Course bundle | $895 - $1,195 | Employer-reimbursed only | Overpriced vs. alternatives |
| Pluralsight CISM Path | Video course | $299+/year | Existing subscribers | Good content, not justified solo |
How to Build Your Study Stack
The goal is to achieve sufficient coverage across four dimensions: domain content knowledge, management mindset, practice volume, and timed exam simulation. No single resource covers all four. Here is a practical stack for three budget levels:
Minimum Effective Stack (~$200)
- ISACA QAE Database ($149 member / $199 non-member) - primary practice source
- Chapple All-in-One (~$55) - primary reading
- Hemang Doshi Udemy course (~$20 on sale) - mindset supplement
This stack covers all four dimensions without redundancy. Total: roughly $200-$270 depending on ISACA membership status. See the full cost breakdown including exam fees in our CISM certification cost guide.
Standard Stack (~$300)
Add the ISACA Review Manual as a reference resource for topics you miss on practice exams. This is worth the investment if you intend to stay current with the certification long-term -- it doubles as a reference during your three-year certification cycle.
Full Stack (~$450+)
Add the Hemang Doshi practice exam book for additional question volume. Once you have worked through 2,000+ practice questions across multiple sources, you have more than enough exposure to ISACA question patterns and should shift time toward review and weak-domain reinforcement.
For a week-by-week breakdown of how to sequence these materials over 12 weeks, see the CISM Study Plan.
Frequently Asked Questions
Is the ISACA Review Manual enough to pass the CISM?
No. The Review Manual is comprehensive but is written to document the CISM body of knowledge, not to teach exam answer logic. Candidates who rely on it alone frequently have strong domain knowledge but struggle with the management-oriented scenario questions. You need substantial practice question volume -- at minimum the QAE database -- alongside any reading resource.
Hemang Doshi vs Mike Chapple: which is better for the CISM?
They serve different functions. Chapple's All-in-One provides broader, more structured domain content coverage -- it is the better primary reading resource. Doshi is superior at teaching the ISACA management mindset and explaining why wrong answers are wrong -- his material shines as a supplement, particularly for candidates who are technically strong but keep choosing the "engineer answer" instead of the "manager answer" on practice exams. Most candidates benefit from both.
How many practice questions should I do before the CISM exam?
Most passing candidates report completing 1,500-2,500 practice questions before exam day. The ISACA QAE database at 1,000+ questions should be completed at least once; running through it twice and tracking your wrong-answer patterns is more valuable than adding a second question bank at lower quality. The key metric is not total question count but whether your domain-specific scores are consistently above 75-80% on QAE questions.
Are there free CISM study materials worth using?
Yes, within limits. ISACA publishes a free CISM Exam Content Outline that maps every testable topic -- this is essential reading and costs nothing. Hemang Doshi has free YouTube content that covers CISM concepts and mindset, though the volume is much lower than his paid courses. Free browser-based CISM quizzes exist but tend to be low-quality; verify any free question source against real ISACA question style before relying on it. For a set of free representative questions to calibrate where you stand, see our 25 free CISM practice questions.
Does it matter which edition of the study guide I use?
For the ISACA Review Manual, use the most current edition -- ISACA updates it to reflect Exam Content Outline changes, and the November 2026 domain weight update is reflected in the 2026 edition. For third-party books like Chapple, an edition that is one cycle behind is usually acceptable for domain content (the fundamentals of security governance and risk management do not change rapidly), but verify publication date before purchasing an older edition at a discount.
Should I join ISACA to get member pricing on materials?
Almost always yes. Annual ISACA membership costs $135 for professionals. Between the QAE database (~$50 savings) and the Review Manual (~$50 savings), membership pays for itself on materials alone for first-time CISM candidates. Add the CPE reporting benefits for maintaining your certification and the value is clear. See the full calculation in our CISM cost guide.