
Be Battle Ready on Exam DAY

Staying calm, managing time, and answering like a security leader under pressure.


CISM Exam Day: Setup, Execution, and Decisions Under Fatigue

December 28, 2025 | Parul Sharma

The Day Before: Setting Up the Environment

My exam was scheduled for December 5th, so on December 4th I focused entirely on setup. I have a strong and stable internet connection in my living room, while the network in my bedroom can sometimes be unreliable. I did not want to take that risk, so I decided to give the exam from the living room.

Because this was an online proctored exam, the room itself mattered. The living room could not have showpieces, paintings, wall hangings, or unnecessary electronics. I removed everything (decor, speakers, extra devices) until the room was clean and minimal. I used the dining table and removed all chairs except my office chair. I deliberately chose a comfortable, wheeled chair because I knew I would be sitting there for four hours.

This preparation was not cosmetic. It removed anxiety. Once the room was ready, there was nothing left to worry about.

System Checks and Technical Readiness

This part is critical and should not be skipped. Even while buying the voucher earlier, I had already ensured that my personal laptop met all ISACA requirements: operating system, browser, and system permissions.

Before the exam day, I completed ISACA’s system readiness checks and tutorial. Through that process, I identified background applications and processes that would need to be closed on exam day. ISACA allows you to run these checks multiple times, and I strongly recommend doing so. It builds confidence that your hardware and software will not surprise you at the last minute.
By exam day, I was completely confident about my setup.

Exam Morning: Keeping It Simple

My exam was scheduled for 11:00 AM. I woke up, had a proper breakfast, and did not attempt any questions. I only skimmed a few important concepts from my bookmarked PDFs: nothing heavy, nothing new.

One hour before the exam, I shut everything down. No phone, no notes, no distractions. I had only my laptop and my identification document ready.
I logged in at 10:15 AM. The exam launch button became visible around 10:30 AM, and once I launched it, the proctor joined almost immediately.

Proctoring Experience

The proctoring process was clear and professional. Communication was only via chat, but the camera was on the entire time. Instructions were unambiguous: do not leave the camera view without informing the proctor, keep the ID visible when asked, and show the room if required.

Because I was using a dining table, there were no drawers or hidden compartments. I could easily show the entire area, which satisfied the proctor quickly.
They informed me that two 10-minute breaks were allowed. The rule was simple: do not take a break without informing them, and do not leave the camera view without permission.
Once this was clear, I started the exam.

First Pass Through the Exam

The first hour went reasonably well. After that, fatigue started setting in. What surprised me was that I began doubting almost every answer I selected. Whether due to pressure or overthinking, I started bookmarking nearly every question.

In hindsight, this was not ideal. Bookmarking everything defeats the purpose of bookmarking. But at that moment, I wanted to give myself the option to revisit decisions.
I continued without taking a break and completed all 150 questions in about 2 hours and 10 minutes. By then, I was mentally and physically exhausted.

Taking a Break (And Why It Matters)

At that point, I informed the proctor that I wanted to take a break. They allowed it and confirmed that I could leave the room. I had already prepared for this scenario: my phone was in another room, the doorbell volume was low, there were no deliveries scheduled, my son was at school, and no one else was at home.

I had water and something sugary because I felt completely drained. I opened a window to let in cold air, took a few deep breaths, and stretched my neck and shoulders. Although a 20-minute break was allowed, I returned in about 10–15 minutes. One important point to remember: the exam timer does not stop during breaks. If you take a 20-minute break after two hours, those 20 minutes are gone from your total time.

Second Pass and the Danger Zone

When I returned, the proctor asked me to show my ID again and then resumed the exam. I used my own mouse, which was allowed and made clicking much more comfortable. I wore no jewelry, no watch, and comfortable clothes to avoid any issues. I then reviewed all 150 questions again, which took another one and a half hours. During this phase, I noticed something important: in many cases where I changed an answer, I later felt compelled to change it back. My first instinct, even under fatigue, often turned out to be consistent with my later reasoning.

I completed all the questions in the second pass and now had a final 40 questions bookmarked for a third pass. With about 10 minutes left, I still had around 40 bookmarked questions. At that moment, I made a conscious decision not to touch them. I felt that changing answers under time pressure would do more harm than good.

Ending the Exam and the Aftermath

Before ending the exam, I informed the proctor. Only after they acknowledged it did I click the option to end the session. The session ended immediately. There was no result on the screen.
This was unsettling because in other exams like CC or CISSP, you receive the result immediately. I logged into my ISACA account and saw no update. For a moment, I wondered if something had gone wrong. A few minutes later, the portal updated to say that the results would be communicated within 10 working days. At that point, the exam was truly over.

A Final Note on Writing, Resources, and Exam Perspective

One thing that helped me throughout this journey, and something I want to explicitly call out, is writing. I have been regularly writing up my learnings on my blog, AnyaInCybersecurity, and that inherently helped a lot, especially with memory retention. Writing concepts in your own words forces clarity. Even if you take help while formulating ideas, the act of explaining something makes it stick. For me, it significantly improved retention and confidence. This is also why I am very selective about the resources I recommend. There are many courses available online, but I strongly recommend Pete Zerger’s videos and material because they speak the language of the exam. The problem with many courses is not that they teach concepts incorrectly, but that they teach them generically. CISM is not testing whether you know concepts. It is testing whether you can apply one specific way of thinking. Pete Zerger consistently highlights that mindset. The Cybrary course also touched on this, but for me personally, it did not click at the same depth.

Mocks are another area where candidates often misunderstand their purpose. Mock exams are useful for building endurance: sitting through 150 questions for four hours, managing fatigue, and thinking under time pressure. But that is not all. The language of the questions matters immensely. If you work through ISACA’s QAE, you will immediately notice that many third-party question banks do not resemble ISACA’s wording at all. In such cases, attempting those questions adds little value.

If a question simply asks which document ensures business continuity and lists BCP, DRP, BIA, or a risk register, you already know the answer. That question does not train your thinking. ISACA’s questions are trickier. They embed context. For example, when a scenario talks about a disaster affecting IT operations and asks what guidance the team should follow, the correct answer is DRP, not BCP, because DRP focuses on technology recovery, even though it ultimately supports business continuity. These nuances are what the exam is testing.

This is why perspective matters. Preparation must be exam-centric, not content-centric. You have limited time and mental energy. You cannot consume everything. You need to choose content that aligns with how the exam is designed. That philosophy is also reflected in how I structure content on Onion Cybersecurity. I pull concepts from multiple sources (ISC², ISACA, books, trainers, and practitioners), but I focus on highlighting differences, boundaries, and sequencing. I also convert many concepts into visual summaries. For example, in forensic analysis, chain of custody is not an afterthought; it is the first step. You do not isolate a server before preserving evidence. Visualizing these ideas makes them easier to remember and apply.

If you follow AnyaInCybersecurity, the idea is simple: first build crisp conceptual clarity, then tailor your preparation to the specific exam you are targeting. I plan to write similar reflections for CC, CISSP, and other certifications as I progress, with the goal of building a single place where experienced professionals can find practical, exam-relevant guidance.
That, ultimately, is the purpose of this blog.