How to pass Isaca CISM exam with the help of dumps?
DumpsPool provides you with the finest quality resources, the ones you’ve been looking for to no avail. So, it's time you stopped stressing and got ready for the exam. Our Online Test Engine provides you with the guidance you need to pass the certification exam. We guarantee top-grade results because we know we’ve covered each topic in a precise and understandable manner. Our expert team prepared the latest Isaca CISM Dumps to satisfy your need for training. Plus, they come in two different formats: Dumps PDF and Online Test Engine.
How Do I Know Isaca CISM Dumps are Worth it?
Did we mention our latest CISM Dumps PDF is also available as an Online Test Engine? And that is only the beginning. Of all the features you are offered here at DumpsPool, the money-back guarantee has to be the best one. Now that you know you don’t have to worry about payment, let us explore all the other reasons you would want to buy from us. Other than affordable Real Exam Dumps, you are offered three months of free updates.
You can easily scroll through our large catalog of certification exams and pick any exam to start your training. That’s right, DumpsPool isn’t limited to just Isaca Exams. We know our customers need the support of an authentic and reliable resource, so we make sure there is never any outdated content in our study resources. Our expert team keeps everything up to the mark by keeping an eye on every single update. Our main focus is making sure you understand the real exam format, so you can pass the exam more easily!
IT Students Are Using our Certified Information Security Manager Dumps Worldwide!
It is a well-established fact that certification exams can’t be conquered without some help from experts. That is exactly the point of using Certified Information Security Manager Practice Question Answers. You are constantly surrounded by IT experts who have been through what you are about to face and know it better. The 24/7 customer service of DumpsPool ensures you are in touch with these experts whenever needed. Our 100% success rate and validity around the world make us the most trusted resource candidates use. The updated Dumps PDF helps you pass the exam on the first attempt. And, with the money-back guarantee, you can feel safe buying from us. You can claim a refund if you do not pass the exam.
How to Get CISM Real Exam Dumps?
Getting access to the real exam dumps is as easy as pressing a button, literally! There are various resources available online, but the majority of them sell scams or copied content. So, if you are going to attempt the CISM exam, you need to be sure you are buying the right kind of Dumps. All the Dumps PDF available on DumpsPool are as unique and up to date as they can be. Plus, our Practice Question Answers are tested and approved by professionals, making them the most authentic resource available on the internet. Our experts have made sure the Online Test Engine is free from outdated or fake content, repeated questions, and false or vague information. We make every penny count, and you leave our platform fully satisfied!
ISACA CISM Exam Overview:
Exam Cost: $575 (ISACA members), $760 (non-members)
Total Time: 4 hours
Available Languages: English
Passing Marks: Scaled score of 450 out of 800
Exam Format: Multiple choice questions
Exam Domains: 4 (Information Security Governance, Information Risk Management, Information Security Program Development and Management, Information Security Incident Management)
ISACA Certified Information Security Manager (CISM) Exam Topics Breakdown
Information Security Governance: 24%. Establishing and maintaining an information security governance framework and supporting processes.
Information Risk Management: 30%. Identifying and managing information security risks to achieve business objectives.
Information Security Program Development and Management: 27%. Developing and managing an information security program that aligns with the organization's objectives and compliance requirements.
Information Security Incident Management: 19%. Planning, establishing, and managing the capability to detect, respond to, and recover from information security incidents.
Note that these domain names and weights are those of the 2017 CISM job practice. The job practice in effect since 1 June 2022 renames domain 2 to Information Security Risk Management and domain 3 to Information Security Program, and weights the four domains at 17%, 20%, 33% and 30% respectively, so check ISACA's current exam content outline before planning your study time.
Isaca CISM Sample Question Answers
Question # 1
Meeting which of the following security objectives BEST ensures that information is protected against unauthorized disclosure?
A. Integrity B. Authenticity C. Confidentiality D. Nonrepudiation
Answer: C
Explanation: Confidentiality is the security objective that best ensures that information is
protected against unauthorized disclosure. Confidentiality means that only authorized
parties can access or view sensitive or classified information. Integrity means that
information is accurate and consistent and has not been tampered with or modified by
unauthorized parties. Authenticity means that information is genuine and trustworthy and
has not been forged or misrepresented by unauthorized parties. Nonrepudiation means
that information can be verified and proven to be sent or received by a specific party.
An organization has identified a large volume of old data that appears to be unused. Which of the following should the information security manager do NEXT?
A. Consult the record retention policy. B. Update the awareness and training program. C. Implement media sanitization procedures. D. Consult the backup and recovery policy.
Answer: A
Explanation:
The next thing that the information security manager should do after identifying a large
volume of old data that appears to be unused is to consult the record retention policy. The
record retention policy is a document that defines the types, formats, and retention periods
of data that the organization needs to keep for legal, regulatory, operational, or historical
purposes. By consulting the record retention policy, the information security manager can
determine if the old data is still required to be stored, archived, or disposed of, and how to
do so in a secure and compliant manner.
References: The CISM Review Manual 2023 states that “the information security manager
is responsible for ensuring that the data lifecycle management process is in alignment with
the organization’s record retention policy” and that “the record retention policy defines the
types, formats, and retention periods of data that the organization needs to keep for legal,
regulatory, operational, or historical purposes” (p. 140). The CISM Review Questions,
Answers & Explanations Manual 2023 also provides the following rationale for this answer:
“Consult the record retention policy is the correct answer because it is the next logical step
to take after identifying a large volume of old data that appears to be unused, as it will help
the information security manager to decide on the appropriate data lifecycle management
actions for the old data, such as storage, archiving, or disposal” (p. 64). Additionally, the
article Data Retention Policy: What It Is and How to Create One from the ISACA Journal
2019 states that “a data retention policy is a document that outlines the types, formats, and
retention periods of data that an organization needs to keep for various purposes, such as
legal compliance, business operations, or historical records” and that “a data retention
policy can help an organization to manage its data lifecycle, optimize its storage capacity,
reduce its costs, and enhance its security and privacy” (p. 1).
Question # 5
Which of the following BEST helps to ensure the effective execution of an organization's disaster recovery plan (DRP)?
A. The plan is reviewed by senior and IT operational management. B. The plan is based on industry best practices. C. Process steps are documented by the disaster recovery team. D. Procedures are available at the primary and failover location.
Answer: D
Explanation:
The best way to ensure the effective execution of a disaster recovery plan (DRP) is to
make sure that the procedures are available at both the primary and the failover location,
so that the staff can access them in case of a disaster. The procedures should be clear,
concise, and updated regularly to reflect the current situation and requirements. Having the
procedures available at both locations also helps to avoid confusion and delays in the
References: … and Disaster Recovery, Section: Disaster Recovery Planning, Subsection: Disaster
Recovery Plan Development, Page 373.
Question # 6
Which of the following should have the MOST influence on an organization's response to a new industry regulation?
A. The organization's control objectives B. The organization's risk management framework C. The organization's risk appetite D. The organization's risk control baselines
Answer: C
Explanation:
The most influential factor on an organization’s response to a new industry regulation is the
organization’s risk appetite. This is because the risk appetite defines the level of risk that
the organization is willing to accept in pursuit of its objectives, and it guides the decision-making
process for managing risks. The risk appetite also determines the extent to which
the organization needs to comply with the new regulation, and the resources and actions
required to achieve compliance. The risk appetite should be aligned with the organization’s
strategy, culture, and values, and it should be communicated and monitored throughout the organization.
Question # 7
Which of the following roles is MOST appropriate to determine access rights for specific users of an application?
A. Data owner B. Data custodian C. System administrator D. Senior management
Answer: A
Explanation: The data owner is the most appropriate role to determine access rights for
specific users of an application because they have legal rights and complete control over
data elements. They are also responsible for approving data glossaries and definitions,
ensuring the accuracy of information, and supervising operations related to data quality.
The data custodian is responsible for the safe custody, transport, and storage of the data
and implementation of business rules, but not for determining access rights. The system
administrator is responsible for managing the security and storage infrastructure of data
sets according to the organization’s data governance policies, but not for determining
access rights. Senior management is responsible for setting the strategic direction and
priorities for data governance, but not for determining access rights.
Question # 8
The effectiveness of an incident response team will be GREATEST when:
A. the incident response team meets on a regular basis to review log files. B. the incident response team members are trained security personnel. C. the incident response process is updated based on lessons learned. D. incidents are identified using a security information and event monitoring (SIEM) system.
Answer: C
Explanation: Updating the incident response process from the lessons learned after each incident is what makes the team more effective over time, because it corrects the gaps that real incidents exposed in detection, escalation, containment and communication. Trained staff (B), regular log review (A) and SIEM-based detection (D) each strengthen one input to the response, but without that feedback loop the same mistakes recur.
Question # 9
Which of the following metrics provides the BEST evidence of alignment of information security governance with corporate governance?
A. Average return on investment (ROI) associated with security initiatives B. Average number of security incidents across business units C. Mean time to resolution (MTTR) for enterprise-wide security incidents D. Number of vulnerabilities identified for high-risk information assets
Answer: A
Explanation: Average return on investment (ROI) associated with security initiatives is the
best metric to provide evidence of alignment of information security governance with
corporate governance because it demonstrates the value and benefits of security
investments to the organization’s strategic goals and objectives. Average number of
security incidents across business units is not a good metric because it does not measure
the effectiveness or efficiency of security initiatives or their alignment with corporate
governance. Mean time to resolution (MTTR) for enterprise-wide security incidents is not a
good metric because it does not measure the impact or outcome of security initiatives or
their alignment with corporate governance. Number of vulnerabilities identified for high-risk
information assets is not a good metric because it does not measure the performance or
improvement of security initiatives or their alignment with corporate governance.
Question # 10
A business impact analysis (BIA) should be periodically executed PRIMARILY to:
A. validate vulnerabilities on environmental changes. B. analyze the importance of assets. C. check compliance with regulations. D. verify the effectiveness of controls.
Answer: B
Explanation: A business impact analysis (BIA) identifies the business processes that are critical to the organization, the information assets that support them, and the impact their loss would have over time. The importance of those assets changes as the business, its systems and its dependencies change, so the BIA has to be re-executed periodically to keep recovery priorities, recovery time objectives and continuity resources aligned with what currently matters. Validating vulnerabilities after environmental changes (A) and verifying control effectiveness (D) belong to risk assessment and control testing, and checking regulatory compliance (C) is an audit activity; none of them is what a BIA is for. This is consistent with Question # 16 below, where the primary purpose of a BIA is given as determining the criticality of information assets.
Question # 11
Question # 11
To ensure that a new application complies with information security policy, the BEST approach is to:
A. review the security of the application before implementation. B. integrate security functionality at the development stage. C. perform a vulnerability analysis. D. periodically audit the security of the application.
Answer: B
Explanation: Integrating security functionality at the development stage is the best approach because the requirements the policy imposes (authentication, authorization, logging, data handling, input validation) are then designed and built into the application rather than added afterwards. A pre-implementation security review (A), a vulnerability analysis (C) and periodic audits (D) are all detective activities: they find non-compliance only after the application has been built, when fixing it is costlier and the fix is often partial, and an audit says nothing about the period between audits. They are useful verification steps, but they do not by themselves make the application compliant.
Question # 12
Which of the following BEST enables the capability of an organization to sustain the delivery of products and services within acceptable time frames and at predefined capacity during a disruption?
A. Service level agreement (SLA) B. Business continuity plan (BCP) C. Disaster recovery plan (DRP) D. Business impact analysis (BIA)
Answer: B
Explanation: The best option to enable the capability of an organization to sustain the delivery of
products and services within acceptable time frames and at predefined capacity during a
disruption is B. Business continuity plan (BCP). This is because a BCP is a documented
collection of procedures and information that guides the organization to prepare for,
respond to, and recover from a disruption, such as a natural disaster, a cyberattack, or a
pandemic. A BCP aims to ensure the continuity of the critical business functions and
processes that support the delivery of products and services to the customers and
stakeholders. A BCP also defines the roles, responsibilities, resources, and actions
required to maintain the operational resilience of the organization in the face of a
Question # 13
An organization's information security team presented the risk register at a recent information security steering committee meeting. Which of the following should be of MOST concern to the committee?
A. No owners were identified for some risks. B. Business applications had the highest number of risks. C. Risk mitigation action plans had no timelines. D. Risk mitigation action plan milestones were delayed.
Answer: A
Explanation: The most concerning issue for the information security steering committee
should be that no owners were identified for some risks in the risk register. This means that
there is no clear accountability and responsibility for managing and mitigating those risks,
and that the risks may not be properly addressed or monitored. The risk owners are the
persons who have the authority and ability to implement the risk treatment options and to
accept the residual risk. The risk owners should be identified and assigned for each risk in
the risk register, and they should report the status and progress of the risk management
activities to the information security steering committee.
Question # 14
An organization is leveraging tablets to replace desktop computers shared by shift-based staff. These tablets contain critical business data and are inherently at increased risk of theft. Which of the following will BEST help to mitigate this risk?
A. Deploy mobile device management (MDM). B. Implement remote wipe capability. C. Create an acceptable use policy. D. Conduct a mobile device risk assessment.
Answer: D
Explanation: The tablets are shared between shifts, hold critical data and are easy to carry off, so the information security manager first needs a mobile device risk assessment that establishes what data is on the devices, how they are issued, shared and authenticated, and what the likelihood and impact of theft actually are. The assessment determines which controls are justified and in what combination: mobile device management (A) and remote wipe (B) are technical controls selected as a result of it, and an acceptable use policy (C) shapes user behaviour but does nothing once a device has been stolen. Choosing one of those controls before assessing the risk may leave the real exposure (for example, unencrypted data on a shared device with no per-user authentication) unaddressed.
Question # 15
Which of the following should be the FIRST step in developing an information security strategy?
A. Perform a gap analysis based on the current state B. Create a roadmap to identify security baselines and controls. C. Identify key stakeholders to champion information security. D. Determine acceptable levels of information security risk.
Answer: A
Explanation: The FIRST step in developing an information security strategy is to perform
a gap analysis based on the current state of the organization’s information security posture.
A gap analysis is a systematic process of comparing the current state with the desired state
and identifying the gaps or deficiencies that need to be addressed. A gap analysis helps to establish a baseline for the information security strategy, as well as to prioritize the actions
and resources needed to achieve the strategic objectives. A gap analysis also helps to
align the information security strategy with the organizational goals and strategies, as well
as to ensure compliance with relevant standards and regulations. References: CISM …
The first step in developing an information security strategy is to conduct a risk-aware and
comprehensive inventory of your company’s context, including all digital assets,
employees, and vendors. Then you need to know about the threat environment and which
types of attacks are a threat to your company. This is similar to performing a gap analysis
based on the current state.
Question # 16
Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?
A. To define security roles and responsibilities B. To determine return on investment (ROI) C. To establish incident severity levels D. To determine the criticality of information assets
Answer: D
Explanation:
A business impact analysis (BIA) is a process that identifies and evaluates the potential
effects of disruptions to critical business operations as a result of a disaster, accident or
emergency. The primary purpose of a BIA is to determine the criticality of information
assets and the impact of their unavailability on the organization’s mission, objectives and
Question # 17
Which of the following is the BEST way to reduce the risk of security incidents from targeted email attacks?
A. Implement a data loss prevention (DLP) system B. Disable all incoming cloud mail services C. Conduct awareness training across the organization D. Require acknowledgment of the acceptable use policy
Answer: C
Explanation:
Conducting awareness training across the organization is the best way to reduce the risk of
security incidents from targeted email attacks because it helps to educate and empower
the employees to recognize and avoid falling for such attacks. Targeted email attacks, such
as phishing, spear phishing, or business email compromise, rely on social engineering
techniques to deceive and manipulate the recipients into clicking on malicious links,
opening malicious attachments, or disclosing sensitive information. Awareness training can
help to raise the level of security culture and behavior among the employees, as well as to
provide them with practical tips and best practices to protect themselves and the
organization from targeted email attacks. Therefore, conducting awareness training across
Question # 18
Which of the following is MOST appropriate to communicate to senior management regarding information risk?
A. Defined risk appetite B. Emerging security technologies C. Vulnerability scanning progress D. Risk profile changes
Answer: D
Explanation:
The most appropriate information to communicate to senior management regarding
information risk is the risk profile changes, which reflect the current level and nature of the risks that the organization faces. The risk profile changes can help senior management to
understand the impact of the risks on the business objectives, the effectiveness of the risk
management strategy, and the need for any adjustments or improvements. The risk profile
changes can also help senior management to prioritize the allocation of resources and to
Question # 19
Which of the following provides the MOST useful information for identifying security control gaps on an application server?
A. Risk assessments B. Threat models C. Penetration testing D. Internal audit reports
Answer: C
Explanation: Penetration testing is the most useful method for identifying security control
gaps on an application server because it simulates real-world attacks and exploits the
vulnerabilities and weaknesses of the application server. Penetration testing can reveal the
actual impact and risk of the security control gaps, and provide recommendations for
remediation and improvement.
References: The CISM Review Manual 2023 defines penetration testing as “a method of
evaluating the security of an information system or network by simulating an attack from a
malicious source” and states that “penetration testing can help identify security control gaps
and provide evidence of the potential impact and risk of the gaps” (p. 185). The CISM
Review Questions, Answers & Explanations Manual 2023 also provides the following
rationale for this answer: “Penetration testing is the correct answer because it is the most
useful method for identifying security control gaps on an application server, as it simulates
real-world attacks and exploits the vulnerabilities and weaknesses of the application server,
and provides recommendations for remediation and improvement” (p. 95). Additionally, the
web search result 4 states that “penetration testing is a valuable tool for discovering
security gaps in your application server and network infrastructure” and that “penetration
testing can help you assess the effectiveness and efficiency of your security controls, and
identify the areas that need improvement or enhancement” (p. 1).
Question # 20
Following a breach where the risk has been isolated and forensic processes have beenperformed, which of the following should be done NEXT?
A. Place the web server in quarantine. B. Rebuild the server from the last verified backup. C. Shut down the server in an organized manner. D. Rebuild the server with relevant patches from the original media.
Answer: B
Explanation:
After the breach has been contained and forensic evidence has been collected, the next step is recovery, and rebuilding the server from the last verified backup returns it to a known state quickly and with its configuration intact so that normal service can resume. "Verified" has to mean two things for this to be safe: the backup's contents still match the integrity record (hashes or signatures) made when it was taken, and it was taken before the earliest indicator of compromise established during forensics, otherwise the restore simply reinstalls the attacker's backdoor. Rebuilding from original media with relevant patches (D) also produces a clean system and is the fallback when no backup can be shown to predate the compromise, but it is slower and loses site-specific configuration. Quarantining the web server (A) or shutting it down (C) are containment measures, which in this scenario are already complete. References =
CISM Review Manual 15th Edition, page 118: “Recovery is the process of restoring normal
operations after an incident. Recovery activities may include rebuilding systems, restoring
data, applying patches, changing passwords, and testing functionality.”
Data Breach Experts Share The Most Important Next Step You Should Take After A Data
Breach in 2014 & 2015, snippet: “Restore from backup. If you have a backup of your
system from before the breach, wipe your system clean and restore from backup. This will
ensure that any backdoors or malware installed by the hackers are removed.”
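The two conditions that make a backup "verified" for recovery can be checked mechanically. The following is an added example, not code from ISACA or from the original page: it compares a backup image against the hash manifest recorded when it was taken and against the earliest indicator-of-compromise time from the forensic work, and only then recommends a restore. The file contents, manifest, timestamps and the manifest format are constructed assumptions for the example.

```python
"""Decide whether a backup is safe to restore from after a breach.

Added example (not from ISACA or the original page): a backup counts as
'verified' for recovery only if its contents still match the integrity record
made when it was taken AND it predates the earliest indicator of compromise
(IOC) found during forensics. Everything below is constructed sample data.
"""
import hashlib
from datetime import datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed backup image (path -> bytes) and the manifest recorded when it was taken.
# The manifest format (path -> sha256 hex) is an assumption for this example.
BACKUP_FILES = {
    "etc/httpd/httpd.conf": b"Listen 443\nServerTokens Prod\n",
    "var/www/html/index.html": b"<h1>welcome</h1>\n",
}
MANIFEST = {path: sha256_hex(content) for path, content in BACKUP_FILES.items()}
BACKUP_TAKEN_AT = "2024-02-20T02:00"  # constructed backup timestamp


def verify_manifest(files, manifest):
    """Return a list of (problem, path) for modified, missing or unexpected files.

    An empty list means every file in the manifest is present and unchanged and
    nothing has been added to the image.
    """
    problems = []
    for path, expected in manifest.items():
        if path not in files:
            problems.append(("missing", path))
        elif sha256_hex(files[path]) != expected:
            problems.append(("modified", path))
    for path in files:
        if path not in manifest:
            problems.append(("unexpected", path))
    return problems


def recovery_decision(files, manifest, taken_at, earliest_ioc_at):
    """Return 'restore' when the image is intact and predates the first IOC.

    Otherwise return 'rebuild', meaning rebuild from original media with
    patches: a backup taken after the attacker got in may contain the backdoor.
    """
    if verify_manifest(files, manifest):
        return "rebuild"
    if datetime.fromisoformat(taken_at) >= datetime.fromisoformat(earliest_ioc_at):
        return "rebuild"
    return "restore"


if __name__ == "__main__":
    # IOC found five days after the backup: the backup is usable.
    print(recovery_decision(BACKUP_FILES, MANIFEST, BACKUP_TAKEN_AT, "2024-02-25T11:30"))
    # Same backup, but forensics dates the intrusion before it was taken.
    print(recovery_decision(BACKUP_FILES, MANIFEST, BACKUP_TAKEN_AT, "2024-02-10T09:00"))
    # A tampered copy of the image fails the manifest check regardless of dates.
    tampered = dict(BACKUP_FILES)
    tampered["var/www/html/index.html"] = b"<h1>welcome</h1><script src=//example.invalid/x.js></script>\n"
    print(verify_manifest(tampered, MANIFEST))
```

In practice the manifest should be stored separately from the backup (or signed), since an attacker who can alter the backup can also rewrite a manifest kept beside it; the IOC timestamp comes from the forensic timeline, not from the backup system.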
Question # 21
An organization involved in e-commerce activities operating from its home country openeda new office in another country with stringent security laws. In this scenario, the overallsecurity strategy should be based on:
A. the security organization structure. B. international security standards. C. risk assessment results. D. the most stringent requirements.
Answer: D
Question # 22
Which of the following is the BEST defense-in-depth implementation for protecting high value assets or for handling environments that have trust concerns?
A. Compartmentalization B. Overlapping redundancy C. Continuous monitoring D. Multi-factor authentication
Answer: A
Explanation: Compartmentalization is the best defense-in-depth implementation for
protecting high value assets or for handling environments that have trust concerns because
it is a strategy that divides the network or system into smaller segments or compartments,
each with its own security policies, controls, and access rules. Compartmentalization helps
to isolate and protect the most sensitive or critical data and functions from unauthorized or
malicious access, as well as to limit the damage or impact of a breach or compromise.
Compartmentalization also helps to enforce the principle of least privilege, which grants
users or processes only the minimum access rights they need to perform their tasks.
Therefore, compartmentalization is the correct answer.
An information security manager has identified that privileged employee access requests to production servers are approved, but user actions are not logged. Which of the following should be the GREATEST concern with this situation?
A. Lack of availability B. Lack of accountability C. Improper authorization D. Inadequate authentication
Answer: B
Explanation: The greatest concern with the situation of privileged employee access
requests to production servers being approved but not logged is the lack of accountability,
which means the inability to trace or verify the actions and decisions of the privileged users.
Lack of accountability can lead to security risks such as unauthorized changes, data
breaches, fraud, or misuse of privileges. Logging user actions is a key component of
privileged access management (PAM), which helps to monitor, detect, and prevent
unauthorized privileged access to critical resources. The other options, such as lack of availability, improper authorization, or inadequate authentication, are not directly related to
the situation of not logging user actions: the requests were approved, so authorization and authentication were performed; what is missing is the record of what was done with the access.
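The accountability gap in this scenario can be made visible by reconciling the approval records against the servers' session logs. The following is an added example, not code from ISACA or from the original page: it flags approved requests with no corresponding logged session, sessions with no approval, and hosts that emit no session records at all, which is the stronger sign that logging is absent rather than that the access went unused. The approvals, user and host names, log lines and the log line format are all constructed assumptions for the example.

```python
"""Reconcile approved privileged-access requests against server session logs.

Added example for the scenario above (not from ISACA or the original page):
an approval proves that access was authorised, but only a session log shows
what the privileged user actually did. All data below is constructed, and the
log line format is an assumption for this example.
"""
import re
from datetime import datetime

# Constructed approvals: (request id, user, host, window start, window end)
APPROVALS = [
    ("REQ-101", "alice", "prod-db-01", "2024-03-01T08:00", "2024-03-01T12:00"),
    ("REQ-102", "bob", "prod-web-02", "2024-03-01T09:00", "2024-03-01T10:00"),
    ("REQ-103", "carol", "prod-db-01", "2024-03-01T13:00", "2024-03-01T15:00"),
]

# Constructed session log; assumed format: "<ts> <host> session user=<u> action=<open|close>"
AUDIT_LOG = """\
2024-03-01T08:15 prod-db-01 session user=alice action=open
2024-03-01T08:50 prod-db-01 session user=alice action=close
2024-03-01T14:10 prod-db-01 session user=dave action=open
2024-03-01T14:30 prod-db-01 session user=dave action=close
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) session user=(?P<user>\S+) action=(?P<action>open|close)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, host, user, action); lines that do not match are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions.append((datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["action"]))
    return sessions


def reconcile(approvals, sessions):
    """Return (unlogged_request_ids, unapproved_session_opens).

    A request is 'unlogged' when no session was opened by the approved user on
    the approved host inside the approved window. A session open is
    'unapproved' when it matches no approval at all.
    """
    opens = [(ts, host, user) for ts, host, user, action in sessions if action == "open"]
    unlogged, matched = [], set()
    for req_id, user, host, start, end in approvals:
        w_start, w_end = datetime.fromisoformat(start), datetime.fromisoformat(end)
        hits = [o for o in opens if o[1] == host and o[2] == user and w_start <= o[0] <= w_end]
        if not hits:
            unlogged.append(req_id)
        matched.update(hits)
    unapproved = [o for o in opens if o not in matched]
    return unlogged, unapproved


def silent_hosts(approvals, sessions):
    """Hosts that have approved access but no session records at all.

    An unlogged approval on its own is ambiguous (the access may not have been
    used); a host that never emits session records is the clearer sign that
    logging is missing, which is the accountability gap in the question.
    """
    approved_hosts = {host for _, _, host, _, _ in approvals}
    logging_hosts = {host for _, host, _, _ in sessions}
    return approved_hosts - logging_hosts


if __name__ == "__main__":
    sessions = parse_log(AUDIT_LOG)
    unlogged, unapproved = reconcile(APPROVALS, sessions)
    print("approved but no session logged:", unlogged)
    print("session without approval:", [(ts.isoformat(), h, u) for ts, h, u in unapproved])
    print("hosts with no session logs at all:", sorted(silent_hosts(APPROVALS, sessions)))
```

Real approval workflows and PAM tools export in their own formats, so the parser and the approval tuple shape would be replaced, but the three checks (approval without session, session without approval, host without any log) are the ones that turn "actions are not logged" from a finding into evidence.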
Which of the following BEST helps to enable the desired information security culture within an organization?
A. Information security awareness training and campaigns B. Effective information security policies and procedures C. Delegation of information security roles and responsibilities D. Incentives for appropriate information security-related behavior
Answer: A
Explanation: Information security awareness training and campaigns are the best way to
enable the desired information security culture within an organization because they help to
educate, motivate and influence the behavior and attitude of the employees towards
information security. They also help to raise the awareness of the risks, threats and best
practices of information security among the staff and stakeholders.
References = Organizational Culture for Information Security: A Systemic Perspective on
the Articulation of Human, Cultural and Social Systems, CISM Exam Content Outline
Question # 27
Which of the following BEST enables the assignment of risk and control ownership?
A. Aligning to an industry-recognized control framework B. Adopting a risk management framework C. Obtaining senior management buy-in D. Developing an information security strategy
Answer: C
Explanation: Obtaining senior management buy-in is the best way to enable the
assignment of risk and control ownership because it helps to establish the authority and
accountability of the risk and control owners, as well as to provide them with the necessary
resources and support to perform their roles. Risk and control ownership refers to the assignment of specific responsibilities and accountabilities for managing risks and controls
to individuals or groups within the organization. Obtaining senior management buy-in helps
to ensure that risk and control ownership is aligned with the organizational objectives,
structure, and culture, as well as to communicate the expectations and benefits of risk and
control ownership to all stakeholders. Therefore, obtaining senior management buy-in is
An organization is about to purchase a rival organization. The PRIMARY reason for performing information security due diligence prior to making the purchase is to:
A. determine the security exposures. B. assess the ability to integrate the security department operations. C. ensure compliance with international standards. D. evaluate the security policy and standards.
Answer: A
Explanation:
Information security due diligence is the process of assessing the current state of
information security in an organization, identifying any gaps, risks, or vulnerabilities, and
estimating the costs and efforts required to remediate them. Performing information
security due diligence prior to making the purchase is important to determine the security
exposures that may affect the value, reputation, or liability of the organization, as well as
the feasibility and compatibility of integrating the security systems and processes of the two
References: … Task 1.22; Information Security Due Diligence Questionnaire
Question # 31
An organization wants to integrate information security into its HR management processes. Which of the following should be the FIRST step?
A. Calculate the return on investment (ROI). B. Provide security awareness training to HR. C. Benchmark the processes with best practice to identify gaps. D. Assess the business objectives of the processes.
Answer: D
Question # 32
Which of the following is the BEST indicator of the maturity level of a vendor risk management process?
A. Average time required to complete the vendor risk management process B. Percentage of vendors that have gone through the vendor onboarding process C. Percentage of vendors that are regularly reviewed against defined criteria D. Number of vendors rejected because of security review results
Answer: C
Explanation:
The percentage of vendors that are regularly reviewed against defined criteria is the best
indicator of the maturity level of a vendor risk management process, as it reflects the extent
to which the organization has established and implemented a consistent, repeatable, and
effective process to monitor and evaluate the security performance and compliance of its
vendors. A high percentage indicates a mature process that covers all vendors and applies
clear and relevant criteria based on the organization’s risk appetite and objectives. A low
percentage indicates a less mature process that may be ad hoc, incomplete, or outdated.
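As an added illustration (not part of the original page or of any ISACA material), the indicator in option C can be computed directly from a vendor register. The tier-based review intervals, the vendor names and the dates below are constructed assumptions, not a real policy:

```python
"""Vendor risk management KPI: share of vendors reviewed on schedule.

Added example, not from the original page. Review intervals per tier and
the vendor records are constructed assumptions, not a real policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed review cadence by vendor tier (maximum days between reviews).
REVIEW_INTERVAL_DAYS = {"critical": 180, "high": 365, "low": 730}


@dataclass(frozen=True)
class Vendor:
    name: str
    tier: str
    last_review: Optional[date]  # None: never reviewed against the criteria


def is_current(vendor: Vendor, today: date) -> bool:
    """True if the vendor's last review falls within the interval for its tier.
    A vendor that was onboarded but never reviewed counts as not current:
    onboarding alone says nothing about ongoing review."""
    if vendor.last_review is None:
        return False
    return (today - vendor.last_review).days <= REVIEW_INTERVAL_DAYS[vendor.tier]


def review_coverage(vendors: List[Vendor], today: date) -> float:
    """Percentage of vendors reviewed within their tier's interval (0.0 for an empty register)."""
    if not vendors:
        return 0.0
    current = sum(1 for v in vendors if is_current(v, today))
    return round(100.0 * current / len(vendors), 1)


def overdue_vendors(vendors: List[Vendor], today: date) -> List[str]:
    """Names of vendors whose review is missing or past due, highest tier first."""
    order = {"critical": 0, "high": 1, "low": 2}
    late = [v for v in vendors if not is_current(v, today)]
    return [v.name for v in sorted(late, key=lambda v: order[v.tier])]


# Constructed sample register.
SAMPLE_VENDORS = [
    Vendor("payroll-saas", "critical", date(2024, 3, 1)),
    Vendor("colo-provider", "critical", date(2023, 11, 1)),
    Vendor("helpdesk-saas", "high", date(2023, 8, 15)),
    Vendor("swag-printer", "low", None),
    Vendor("office-cleaning", "low", date(2022, 5, 1)),
]

if __name__ == "__main__":
    today = date(2024, 6, 30)
    print(f"coverage: {review_coverage(SAMPLE_VENDORS, today)}%")
    print("overdue:", overdue_vendors(SAMPLE_VENDORS, today))
```

A vendor that completed onboarding but was never reviewed (option B would count it) pulls the coverage figure down, which is what makes the percentage reviewed against defined criteria the more honest maturity signal.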
Question # 33
The PRIMARY objective of timely declaration of a disaster is to:
A. ensure the continuity of the organization's essential services. B. protect critical physical assets from further loss. C. assess and correct disaster recovery process deficiencies. D. ensure engagement of business management in the recovery process.
Answer: A
Explanation: The primary objective of timely declaration of a disaster is to ensure the
continuity of the organization’s essential services, as it enables the activation of the
business continuity plan (BCP) and the disaster recovery plan (DRP) that outline the
processes and procedures to maintain or resume the critical business functions and
minimize the impact of the disruption. A timely declaration of a disaster also helps to
communicate the situation to the stakeholders, mobilize the resources, and request
FEMA, How a Disaster Gets Declared2; CISM Online Review Course, Module 4, Lesson 3,
Topic 13
Question # 34
Which of the following eradication methods is MOST appropriate when responding to an incident resulting in malware on an application server?
A. Disconnect the system from the network. B. Change passwords on the compromised system. C. Restore the system from a known good backup. D. Perform operating system hardening.
Answer: C
Explanation:
Restoring the system from a known good backup is the most appropriate eradication
method when responding to an incident resulting in malware on an application server, as it
ensures that the system is free of any malicious code and that the data and applications
are consistent with the expected state. Disconnecting the system from the network may
prevent further spread of the malware, but it does not eradicate it from the system.
Changing passwords on the compromised system may reduce the risk of unauthorized
access, but it does not remove the malware from the system. Performing operating system
hardening may improve the security configuration of the system, but it does not guarantee
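The following added example (not from the original page) shows the check a responder should run before acting on option C: it selects the newest snapshot that predates the first indicator of compromise, optionally minus a margin for undetected dwell time, and whose content still matches the digest recorded when the backup was written. The snapshot names, their contents and the incident timeline are constructed:

```python
"""Pick a known-good backup before rebuilding a malware-infected server.

Added example, not from the original page. "Known good" is taken to mean:
taken before the earliest indicator of compromise (minus a safety margin
for undetected dwell time) and still matching the hash recorded when the
backup was made. Snapshot contents and the incident timeline are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken_at: datetime
    recorded_sha256: str  # digest written by the backup job at creation time
    content: bytes        # stands in for the archive payload


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def select_known_good(snapshots: Iterable[Snapshot], first_ioc_at: datetime,
                      margin: timedelta = timedelta(0)) -> Optional[Snapshot]:
    """Newest snapshot taken before (first_ioc_at - margin) whose content still
    hashes to the recorded digest. Returns None rather than a 'best effort'
    image: restoring a post-compromise or tampered snapshot re-introduces the
    malware, which is exactly what eradication must avoid."""
    cutoff = first_ioc_at - margin
    candidates = [s for s in snapshots if s.taken_at < cutoff]
    for snap in sorted(candidates, key=lambda s: s.taken_at, reverse=True):
        if sha256_hex(snap.content) == snap.recorded_sha256:
            return snap
        # Hash mismatch: the archive changed after it was written; skip it.
    return None


def _snap(day: int, content: bytes, tamper: bool = False) -> Snapshot:
    """Constructed daily 01:00 UTC snapshot; tamper=True simulates an archive
    modified after its digest was recorded."""
    recorded = sha256_hex(content)
    if tamper:
        content += b"<modified after backup>"
    taken = datetime(2024, 3, day, 1, 0, tzinfo=UTC)
    return Snapshot(f"app-srv-2024-03-{day:02d}", taken, recorded, content)


# Constructed timeline: first indicator of compromise seen 2024-03-10 02:00 UTC.
FIRST_IOC = datetime(2024, 3, 10, 2, 0, tzinfo=UTC)
SNAPSHOTS = [
    _snap(7, b"app image v1"),
    _snap(8, b"app image v1 + patch"),
    _snap(9, b"app image v2", tamper=True),
    _snap(10, b"app image v2 + cron job"),
    _snap(11, b"app image v2 + cron job + webshell"),
]

if __name__ == "__main__":
    for margin in (timedelta(0), timedelta(hours=24), timedelta(days=10)):
        chosen = select_known_good(SNAPSHOTS, FIRST_IOC, margin)
        print(f"margin={margin}: {chosen.name if chosen else 'no known-good backup'}")
```

The margin matters in practice: the first observed indicator is rarely the moment of initial access, so a snapshot taken shortly before it may already contain the malware, and a tampered archive is caught only because the digest was recorded at backup time, not computed now.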
Question # 35
Which of the following is the PRIMARY reason to regularly update business continuity and disaster recovery documents?
A. To enforce security policy requirements B. To maintain business asset inventories C. To ensure audit and compliance requirements are met D. To ensure the availability of business operations
Answer: D
Explanation:
The primary reason to regularly update business continuity and disaster recovery
documents is to ensure that the plans and procedures are aligned with the current business
needs and objectives, and that they can effectively support the availability of business
operations in the event of a disaster. Updating the documents also helps to enforce
security policy requirements, maintain business asset inventories, and ensure audit and
compliance requirements are met, but these are secondary benefits.
and Disaster Recovery, Section: Business Continuity Planning, Subsection: Business
Continuity Plan Maintenance, Page 378.
Question # 36
Which of the following roles is PRIMARILY responsible for developing an information classification framework based on business needs?
A. Information security manager B. Information security steering committee C. Information owner D. Senior management
Answer: C
Explanation: According to the CISM Review Manual (Digital Version), Chapter 3, Section
3.2.1, information owners are responsible for developing an information classification
framework based on business needs. They are also responsible for defining and
maintaining the classification scheme, policies, and procedures for their information
assets.
The CISM Review Manual (Digital Version) also states that information owners should
collaborate with other stakeholders, such as information security managers, information
security steering committees, senior management, and legal counsel, to ensure that the
classification framework is aligned with the organization’s objectives and complies with
applicable laws and regulations.
The CISM Exam Content Outline also covers the topic of information classification
frameworks in Domain 3 — Information Security Program Development and Management
(27% exam weight). The subtopics include:
3.2.1 Information Classification Frameworks
3.2.2 Information Classification Policies
3.2.3 Information Classification Procedures
3.2.4 Information Classification Training
Question # 37
An investigation of a recent security incident determined that the root cause was negligent handling of incident alerts by system administrators. Which of the following is the BEST way for the information security manager to address this issue?
A. Conduct a risk assessment and share the result with senior management. B. Revise the incident response plan-to align with business processes. C. Provide incident response training to data custodians. D. Provide incident response training to data owners.
Answer: C
Explanation: The best way to address negligent handling of incident alerts by system
administrators is to provide incident response training to data custodians, because system
administrators act as custodians of the systems and data they operate, and training
improves their ability to recognize, triage, and escalate security incidents and to follow
the incident response procedures. Conducting a risk assessment and sharing the result with
senior management does not address the root cause. Revising the incident response plan to
align with business processes does not address the root cause either: the procedures exist
but were not followed. Providing incident response training to data owners would not help,
because data owners are not responsible for handling incident alerts or performing incident
response tasks.
A KEY consideration in the use of quantitative risk analysis is that it:
A. aligns with best practice for risk analysis of information assets. B. assigns numeric values to exposures of information assets. C. applies commonly used labels to information assets. D. is based on criticality analysis of information assets.
Answer: B
Explanation: A key consideration in the use of quantitative risk analysis is that it assigns
numeric values to exposures of information assets, such as the probability of occurrence,
the frequency of occurrence, the impact of occurrence, and the monetary value of the
assets. These numeric values help to measure and compare the risks in a more objective
and consistent way, and to support the decision-making process based on cost-benefit
analysis. Quantitative risk analysis also requires reliable and accurate data sources, and it
may involve the use of statistical tools and techniques.
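An added worked example (not from the original page) of the numeric values the passage lists, using the standard relations SLE = asset value × exposure factor and ALE = SLE × ARO, and net benefit = avoided ALE minus annual control cost. The scenario, the control names and every figure are constructed assumptions:

```python
"""Quantitative risk analysis: SLE, ALE and control cost-benefit.

Added example, not from the original page. It uses the standard relations
SLE = asset value x exposure factor and ALE = SLE x ARO, and
net benefit = (ALE before - ALE after) - annual control cost. All scenario
and control figures are constructed sample inputs.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float       # monetary value of the asset at risk
    exposure_factor: float   # fraction of value lost per occurrence, 0..1
    aro: float               # annualized rate of occurrence (events/year)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which the control cuts ARO, 0..1
    ef_reduction: float = 0.0   # fraction by which it cuts exposure factor, 0..1


def validate(s: Scenario) -> None:
    """Quantitative analysis is only as good as its inputs: refuse values
    that cannot be right instead of producing a confident-looking number."""
    if s.asset_value < 0 or s.aro < 0:
        raise ValueError(f"{s.name}: asset value and ARO must be non-negative")
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError(f"{s.name}: exposure factor must be within 0..1")


def sle(s: Scenario) -> float:
    """Single loss expectancy: value lost in one occurrence."""
    validate(s)
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized loss expectancy: expected loss per year."""
    return sle(s) * s.aro


def residual_ale(s: Scenario, c: Control) -> float:
    """ALE after applying the control's reductions to ARO and exposure factor."""
    reduced = Scenario(s.name, s.asset_value,
                       s.exposure_factor * (1.0 - c.ef_reduction),
                       s.aro * (1.0 - c.aro_reduction))
    return ale(reduced)


def net_benefit(s: Scenario, c: Control) -> float:
    return ale(s) - residual_ale(s, c) - c.annual_cost


def rank_controls(s: Scenario, controls: List[Control]) -> List[Tuple[str, float]]:
    """Controls ordered by annual net benefit; a negative value means the
    control costs more per year than the loss it is expected to avoid."""
    scored = [(c.name, round(net_benefit(s, c), 2)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: customer database breach and three candidate controls.
DB_BREACH = Scenario("customer DB breach", asset_value=2_000_000,
                     exposure_factor=0.25, aro=0.2)
CONTROLS = [
    Control("DLP + egress filtering", annual_cost=30_000, aro_reduction=0.5),
    Control("full re-architecture", annual_cost=90_000, aro_reduction=0.9),
    Control("quarterly awareness refresher", annual_cost=5_000, aro_reduction=0.1),
]

if __name__ == "__main__":
    print(f"SLE={sle(DB_BREACH):,.0f} ALE={ale(DB_BREACH):,.0f}")
    for name, benefit in rank_controls(DB_BREACH, CONTROLS):
        print(f"{name}: net benefit {benefit:,.0f}/yr")
```

The ranking shows the point of the method: the control that removes the most risk is not the best buy once its annual cost is subtracted, and the comparison is only meaningful if the exposure factor and ARO inputs are defensible, which is why the validation step refuses impossible values.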
Which of the following is MOST important to consider when choosing a shared alternate location for computing facilities?
A. The organization's risk tolerance B. Resource availability C. The organization's mission D. Incident response team training
Answer: A
Explanation: The organization’s risk tolerance is the most important factor to consider
when choosing a shared alternate location for computing facilities, because it determines
the acceptable level of risk exposure and the required recovery time objectives (RTOs) and recovery point objectives (RPOs) for the organization’s critical business processes and
information assets. Resource availability, the organization’s mission, and incident response
team training are also important considerations, but they are secondary to the risk
An organization has remediated a security flaw in a system. Which of the following should be done NEXT?
A. Assess the residual risk. B. Share lessons learned with the organization. C. Update the system's documentation. D. Allocate budget for penetration testing.
Answer: A
Explanation:
Residual risk is the risk that remains after applying controls to mitigate the original risk. It is
important to assess the residual risk after remediation to ensure that it is within the
acceptable level and tolerance of the organization. (From CISM Review Manual 15th
A security incident has been reported within an organization. When should an information security manager contact the information owner?
A. After the incident has been contained B. After the incident has been mitigated C. After the incident has been confirmed D. After the potential incident has been logged
Answer: C
Explanation: The information owner is the person who has the authority and responsibility
for the information asset and its protection. The information security manager should
contact the information owner as soon as possible after the incident has been confirmed, to
inform them of the incident, its impact, and the actions taken or planned to resolve it. The
information owner may also need to be involved in the decision-making process regarding
the incident response and recovery. (From CISM Review Manual 15th Edition)
In a call center, the BEST reason to conduct a social engineering test is to:
A. identify candidates for additional security training. B. minimize the likelihood of successful attacks. C. gain funding for information security initiatives. D. improve password policy.
Answer: A
Explanation: The best reason to conduct a social engineering test in a call center is to
identify candidates for additional security training because it helps to assess the level of
awareness and skills of the call center staff in recognizing and resisting social engineering
attacks, and provide them with the necessary training or education to improve their security
posture. Minimizing the likelihood of successful attacks is not a reason to conduct a social
engineering test, but rather a possible outcome or benefit of conducting such a test.
Gaining funding for information security initiatives is not a reason to conduct a social
engineering test, but rather a possible outcome or benefit of conducting such a test.
Improving password policy is not a reason to conduct a social engineering test, but rather a
possible outcome or benefit of conducting such a test.
A small organization has a contract with a multinational cloud computing vendor. Which of the following would present the GREATEST concern to an information security manager if omitted from the contract?
A. Right of the subscriber to conduct onsite audits of the vendor B. Escrow of software code with conditions for code release C. Authority of the subscriber to approve access to its data D. Commingling of subscribers' data on the same physical server
Answer: C
Explanation: The greatest concern to an information security manager if omitted from the
contract with a multinational cloud computing vendor would be the authority of the
subscriber to approve access to its data. This is because the subscriber’s data may be
subject to different legal and regulatory requirements in different jurisdictions, and the
subscriber may lose control over who can access, process, or disclose its data. The
subscriber should have the right to approve or deny access to its data by the vendor or any
third parties, and to ensure that the vendor complies with the applicable data protection
laws and standards. The authority of the subscriber to approve access to its data is also
one of the key elements of the ISACA Cloud Computing Management Audit/Assurance
Before approving the implementation of a new security solution, senior management requires a business case. Which of the following would BEST support the justification for investment?
A. The solution contributes to business strategy. B. The solution improves business risk tolerance levels. C. The solution improves business resiliency. D. The solution reduces the cost of noncompliance with regulations.
Answer: A
Explanation:
The best way to support the justification for investment in a new security solution is to show
how the solution contributes to the business strategy of the organization. The business
strategy defines the vision, mission, goals, and objectives of the organization, and the
security solution should align with and support them. The security solution should also
demonstrate how it adds value to the organization, such as by enabling new business
opportunities, enhancing customer satisfaction, or increasing competitive advantage. The
business case should include the expected benefits, costs, risks, and alternatives of the
security solution, and provide a clear rationale for choosing the preferred option.
Governance, Section: Information Security Strategy, Subsection: Business Case
Development, Page 33.
Question # 51
An information security team is planning a security assessment of an existing vendor. Which of the following approaches is MOST helpful for properly scoping the assessment?
A. Focus the review on the infrastructure with the highest risk B. Review controls listed in the vendor contract C. Determine whether the vendor follows the selected security framework rules D. Review the vendor's security policy
Answer: B
Explanation: Reviewing controls listed in the vendor contract is the most helpful approach
for properly scoping the security assessment of an existing vendor because it helps to
determine the security requirements and expectations that the vendor has agreed to meet.
A vendor contract is a legal document that defines the terms and conditions of the business
relationship between the organization and the vendor, including the scope, deliverables,
responsibilities, and obligations of both parties. A vendor contract should also specify the
security controls that the vendor must implement and maintain to protect the organization’s
data and systems, such as encryption, authentication, access control, backup, monitoring,
auditing, etc. Reviewing controls listed in the vendor contract helps to ensure that the
security assessment covers all the relevant aspects of the vendor’s security posture, as
well as to identify any gaps or discrepancies between the contract and the actual practices.
Therefore, reviewing controls listed in the vendor contract is the correct answer.
After the occurrence of a major information security incident, which of the following will BEST help an information security manager determine corrective actions?
A. Calculating cost of the incident B. Conducting a postmortem assessment C. Performing an impact analysis D. Preserving the evidence
Answer: B
Explanation: The best way to determine corrective actions after a major information
security incident is to conduct a postmortem assessment, which is a systematic and
structured review of the incident, its causes, its impacts, and its lessons learned. A
postmortem assessment can help to identify the root causes of the incident, the strengths and weaknesses of the incident response process, the gaps and deficiencies in the security
controls, and the opportunities for improvement and remediation. A postmortem
assessment can also help to document the recommendations and action plans for
preventing or minimizing the recurrence of similar incidents in the future.
While responding to a high-profile security incident, an information security manager observed several deficiencies in the current incident response plan. When would be the BEST time to update the plan?
A. While responding to the incident B. During a tabletop exercise C. During post-incident review D. After a risk reassessment
Answer: C
Explanation:
During post-incident review is the best time to update the incident response plan after
observing several deficiencies in the current plan while responding to a high-profile security
incident. A post-incident review is a process of analyzing and evaluating the incident
response activities, identifying the lessons learned, and documenting the recommendations
and action items for improvement. Updating the incident response plan during post-incident
review helps to ensure that the plan reflects the current best practices, addresses the gaps
and weaknesses, and incorporates the feedback and suggestions from the incident
response team and other stakeholders. Therefore, during post-incident review is the correct
An information security program is BEST positioned for success when it is closely aligned with:
A. information security best practices. B. recognized industry frameworks. C. information security policies. D. the information security strategy.
Answer: D
Explanation: An information security program is best positioned for success when it is
closely aligned with the information security strategy, which defines the organization’s
vision, mission, goals, objectives, and risk appetite for information security. The information
security strategy provides the direction and guidance for developing and implementing the
information security program, ensuring that it supports the organization’s business
processes and objectives. The information security strategy also helps to establish the
scope, boundaries, roles, responsibilities, and resources for the information security
program.
References = CISM Manual, Chapter 3: Information Security Program Development (ISPD),
Section 3.1: Information Security Strategy;
https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles
Which of the following should an information security manager do FIRST to address the risk associated with a new third-party cloud application that will not meet organizational security requirements?
A. Update the risk register. B. Consult with the business owner. C. Restrict application network access temporarily. D. Include security requirements in the contract.
Answer: B
Explanation: The information security manager should first consult with the business owner to understand the business needs and objectives for using the new cloud
application, and to discuss the possible alternatives or compensating controls that can
mitigate the risk. Updating the risk register, restricting application network access, or
including security requirements in the contract are possible actions to take after consulting
An organization is performing due diligence when selecting a third party. Which of the following is MOST helpful to reduce the risk of unauthorized sharing of information during this process?
A. Using secure communication channels B. Establishing mutual non-disclosure agreements (NDAs) C. Requiring third-party privacy policies D. Obtaining industry references
Answer: B
Explanation:
The best option to reduce the risk of unauthorized sharing of information during the due
diligence process is B. Establishing mutual non-disclosure agreements (NDAs). This is
because NDAs are legal contracts that bind the parties to keep confidential any information
that is exchanged or disclosed during the due diligence process. NDAs can help to protect
the sensitive data, intellectual property, trade secrets, or business strategies of both the
organization and the third party from being leaked, stolen, or misused by unauthorized
parties. NDAs can also specify the terms and conditions for the use, storage, and disposal
of the information, as well as the consequences for breaching the agreement.
An organization experienced a loss of revenue during a recent disaster. Which of the following would BEST prepare the organization to recover?
A. Business impact analysis (BIA) B. Business continuity plan (BCP) C. Incident response plan D. Disaster recovery plan (DRP)
Answer: B
Question # 59
Management would like to understand the risk associated with engaging an Infrastructure-as-a-Service (IaaS) provider compared to hosting internally. Which of the following would provide the BEST method of comparing risk scenarios?
A. Mapping risk scenarios according to sensitivity of data B. Reviewing mitigating and compensating controls for each risk scenario C. Mapping the risk scenarios by likelihood and impact on a chart D. Performing a risk assessment on the IaaS provider
Answer: C
Explanation:
Mapping the risk scenarios by likelihood and impact on a chart is the best method of
comparing risk scenarios, as it helps to visualize and prioritize the different types and levels
of risks associated with each option. A chart can also facilitate the communication and
decision-making process by showing the trade-offs and benefits of each option. A chart can
be based on qualitative or quantitative data, depending on the availability and accuracy of
1, Task 1.32; A risk assessment model for selecting cloud service providers; Security best
practices for IaaS workloads in Azure
Question # 60
An external security audit has reported multiple instances of control noncompliance. Which of the following is MOST important for the information security manager to communicate to senior management?
A. Control owner responses based on a root cause analysis B. The impact of noncompliance on the organization's risk profile C. A noncompliance report to initiate remediation activities D. A business case for transferring the risk
Answer: B
Explanation:
The impact of noncompliance on the organization’s risk profile is the MOST important
information for the information security manager to communicate to senior management,
because it helps them understand the potential consequences of not adhering to the
established controls and the need for corrective actions. Noncompliance may expose the
organization to increased threats, vulnerabilities, and losses, as well as legal, regulatory,
and contractual liabilities. References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 84: “The information security manager
should report on information security risk, including noncompliance and changes in
information risk, to key stakeholders to facilitate the risk management decision-making
process.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 85: “Noncompliance with information
security policies, standards, and procedures may result in increased threats, vulnerabilities,
and losses, as well as legal, regulatory, and contractual liabilities for the enterprise.”
Question # 66
A new regulatory requirement affecting an organization's information security program is released. Which of the following should be the information security manager's FIRST course of action?
A. Perform a gap analysis. B. Conduct benchmarking. C. Notify the legal department. D. Determine the disruption to the business.
Answer: C
Explanation: A new regulatory requirement affecting an organization’s information
security program is released. The information security manager’s first course of action
should be to notify the legal department, as they are responsible for ensuring compliance
with the relevant laws and regulations. The legal department can advise the information
security manager on how to interpret and implement the new requirement, as well as what
the potential implications and risks for the organization are.
An internal audit has revealed that a number of information assets have been inappropriately classified. To correct the classifications, the remediation accountability should be assigned to:
A. the business users. B. the information owners. C. the system administrators. D. senior management.
Answer: B
Explanation:
The best automated control to resolve the issue of security incidents not being
appropriately escalated by the help desk is to integrate incident response workflow into the
help desk ticketing system. This will ensure that the help desk staff follow the predefined
steps and procedures for handling and escalating security incidents, based on the severity,
impact, and urgency of each incident. The incident response workflow will also provide
clear guidance on who to notify, when to notify, and how to notify the relevant stakeholders
and authorities. This will improve the efficiency, effectiveness, and consistency of the
incident response process.
References = CISM Review Manual, 16th Edition, page 290; A Practical Approach to Incident Management Escalation
Question # 70
Recovery time objectives (RTOs) are an output of which of the following?
A. Business continuity plan (BCP) B. Disaster recovery plan (DRP) C. Service level agreement (SLA) D. Business impact analysis (BIA)
Answer: D
Explanation: Business impact analysis (BIA) is the process that provides the output of
recovery time objectives (RTOs), which are the maximum acceptable time frames for
restoring business functions or processes after a disruption. Business continuity plan (BCP)
is the document that describes the strategies and procedures for ensuring the continuity of
critical business functions or processes in the event of a disruption. Disaster recovery plan
(DRP) is the document that describes the technical steps and resources for restoring IT
systems and data in the event of a disruption. Service level agreement (SLA) is the
document that defines the expectations and obligations between a service provider and a
Question # 71
Which of the following is necessary to ensure consistent protection for an organization's information assets?
A. Classification model B. Control assessment C. Data ownership D. Regulatory requirements
Answer: A
Explanation:
A classification model is a system of assigning labels or categories to information assets based on their value, sensitivity, and criticality to the organization. A classification model helps to ensure consistent protection for the organization's information assets by:
- Providing a common language and criteria for defining and communicating the security requirements and expectations for the information assets
- Enabling the identification and prioritization of the information assets that need the most protection and resources
- Facilitating the implementation and enforcement of the appropriate level of security controls and measures for the information assets, based on their classification
- Supporting compliance with the legal, regulatory, and contractual obligations regarding the information assets, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA)
(From Domain 4, Task 4.12; CISM 2020: Incident Management; How to Respond to a Data Breach)
Question # 73
The MOST important element in achieving executive commitment to an information security governance program is:
A. a defined security framework. B. a process improvement model. C. established security strategies. D. identified business drivers.
Answer: D
Explanation: The most important element in achieving executive commitment to an
information security governance program is to align the program with the identified
business drivers of the organization. Business drivers are the factors that influence the
strategic objectives, goals, and priorities of the organization. They reflect the needs and
expectations of the stakeholders, customers, regulators, and other parties that are relevant
to the organization’s mission and vision. By aligning the information security governance
program with the business drivers, the executive can demonstrate the value and benefits of
information security to the organization’s performance, reputation, and competitiveness.
The other options are not the most important element, although they may be part of an
information security governance program. A defined security framework is a set of
standards, guidelines, and best practices that provide a structure and direction for
implementing information security. A process improvement model is a methodology that
helps to identify, analyze, and improve the processes related to information security.
Established security strategies are the plans and actions that define how information
security supports and enables the business objectives and goals. These elements are
important for developing and executing an information security governance program, but
they do not necessarily ensure executive commitment unless they are aligned with the
business drivers.
Question # 74
Senior management has expressed concern that the organization's intrusion prevention system (IPS) may repeatedly disrupt business operations. Which of the following BEST indicates that the information security manager has tuned the system to address this concern?
A. Increasing false negatives B. Decreasing false negatives C. Decreasing false positives D. Increasing false positives
Answer: C
Explanation: Decreasing false positives is the best indicator that the information security
manager has tuned the system to address senior management’s concern that the
organization’s intrusion prevention system (IPS) may repeatedly disrupt business
operations. False positives are alerts generated by the IPS when it mistakenly blocks
legitimate traffic or activity, causing disruption or downtime. Decreasing false positives
means that the IPS has been configured to reduce such errors and minimize unnecessary
interruptions. Increasing false negatives is not a good indicator because it means that the
IPS has failed to detect or block malicious traffic or activity, increasing the risk of
compromise or damage. Decreasing false negatives is not a good indicator because it does
not affect business operations, but rather improves security detection or prevention.
Increasing false positives is not a good indicator because it means that the IPS has
increased its errors and interruptions, worsening senior management’s concern.
Which of the following should be the PRIMARY focus of a lessons learned exercise following a successful response to a cybersecurity incident?
A. Establishing the root cause of the incident B. Identifying attack vectors utilized in the incident C. When business operations were restored after the incident D. How incident management processes were executed
Answer: D
Explanation:
The primary focus of a lessons learned exercise following a successful response to a
cybersecurity incident is to evaluate how the incident management processes were
executed, and to identify the strengths, weaknesses, best practices, and improvement
opportunities for future incidents. A lessons learned exercise is not meant to determine the
root cause, the attack vectors, or the recovery time of the incident, but rather to assess the
performance and effectiveness of the incident response team and the incident response
plan.
References: The CISM Review Manual 2023 states that “post-incident reviews are an
essential part of the incident response process” and that “they provide an opportunity to
assess the performance of the incident response team, identify areas for improvement, and
document lessons learned and best practices” (p. 191). The CISM Review Questions,
Answers & Explanations Manual 2023 also provides the following rationale for this answer:
“How incident management processes were executed is the correct answer because it is the primary focus of a lessons learned exercise, which aims to evaluate the incident
response capability and to implement corrective actions and improvement plans” (p. 97).
Additionally, the Cybersecurity Incident Response Exercise Guidance article from the
ISACA Journal 2022 states that “The AAR [after-action review] should include the date and
time of the exercise, a list of participants, scenario descriptions, findings (generic and
specific), observations with recommendations, lessons learned and an evaluation of the
Which of the following BEST illustrates residual risk within an organization?
A. Heat map B. Risk management framework C. Business impact analysis (BIA) D. Balanced scorecard
Answer: A
Question # 77
Which of the following is the BEST indication that an organization has integrated information security governance with corporate governance?
A. Security performance metrics are measured against business objectives. B. Impact is measured according to business loss when assessing IT risk. C. Security policies are reviewed whenever business objectives are changed. D. Service levels for security vendors are defined according to business needs.
Answer: A
Explanation:
Security performance metrics are quantitative or qualitative measures that indicate the
effectiveness and efficiency of the information security program in achieving the
organization’s security goals and objectives. Measuring security performance metrics
against business objectives is the best indication that an organization has integrated
information security governance with corporate governance, as it demonstrates that the
security program is aligned with and supports the business strategy, value delivery, and
An employee of an organization has reported losing a smartphone that contains sensitive information. The BEST step to address this situation is to:
A. disable the user's access to corporate resources. B. terminate the device connectivity. C. remotely wipe the device. D. escalate to the user's management.
Answer: C
Explanation:
The best step to address the situation of losing a smartphone that contains sensitive
information is to remotely wipe the device, which means erasing all the data on the device
and restoring it to factory settings. Remotely wiping the device can prevent unauthorized
access to the sensitive information and protect the organization from data breaches or
leaks. Remotely wiping the device can be done through services such as Find My Device
for Android or Find My iPhone for iOS, or through mobile device management (MDM)
solutions. The other options, such as disabling the user’s access, terminating the device
connectivity, or escalating to the user’s management, may not be effective or timely
enough to secure the sensitive information on the device.
Which of the following should an information security manager do FIRST to address the risk associated with a new third-party cloud application that will not meet organizational security requirements?
A. Include security requirements in the contract. B. Update the risk register. C. Consult with the business owner. D. Restrict application network access temporarily.
Answer: C
Explanation: Consulting with the business owner is the FIRST course of action that the information security manager should take to address the risk associated with a new third-party cloud application that will not meet organizational security requirements, because it
helps to understand the business needs and expectations for using the application, and to
communicate the security risks and implications. The information security manager and the
business owner should work together to evaluate the trade-offs between the benefits and
the risks of the application, and to determine the best course of action, such as modifying
the requirements, finding an alternative solution, or accepting the risk.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 41: “The information security manager
should consult with the business owners to understand their needs and expectations for
using third-party services, and to communicate the security risks and implications.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 42: “The information security manager
and the business owners should collaborate to evaluate the trade-offs between the benefits
and the risks of using third-party services, and to determine the best course of action, such
as modifying the requirements, finding an alternative solution, or accepting the risk.”
Best Practices to Manage Risks in the Cloud - ISACA: “The information security manager
should work with the business owner to define the security requirements for the cloud
service, such as data protection, access control, incident response, and compliance.”
Question # 80
A recent audit found that an organization's new user accounts are not set up uniformly. Which of the following is MOST important for the information security manager to review?
A. Automated controls B. Security policies C. Guidelines D. Standards
Answer: D
Explanation:
Standards are the most important thing to review, as they define the specific and
mandatory requirements for setting up new user accounts, such as the naming
conventions, access rights, password policies, and expiration dates. Standards help to
ensure consistency, security, and compliance across the organization’s information
systems and users. If the standards are not followed, the organization may face increased
risks of unauthorized access, data breaches, or audit failures.
1, Knowledge Statement 1.32; CISM 2020: IT Security Policies; Information Security Policy,
Standards, and Guidelines
Question # 81
An organization's information security manager reads on social media that a recently purchased vendor product has been compromised and customer data has been posted online. What should the information security manager do FIRST?
A. Perform a business impact analysis (BIA). B. Notify local law enforcement agencies of a breach. C. Activate the incident response program. D. Validate the risk to the organization.
Answer: D
Explanation: The first thing that the information security manager should do after reading
about a vendor product compromise on social media is to validate the risk to the
organization. This means verifying the source and credibility of the information, determining
if the organization uses the affected product, and assessing the potential impact and
likelihood of the compromise on the organization’s data and systems. Validating the risk to
the organization will help the information security manager to decide on the appropriate
course of action, such as activating the incident response program, notifying relevant
stakeholders, or performing a BIA.
References: The CISM Review Manual 2023 states that “the information security manager
is responsible for identifying and assessing the risks associated with the use of third-party
products and services” and that “the information security manager should monitor and
review the security performance and incidents of third-party products and services on a
regular basis and take corrective actions when deviations or violations are detected” (p.
138). The CISM Review Questions, Answers & Explanations Manual 2023 also provides
the following rationale for this answer: “Validating the risk to the organization is the correct
answer because it is the first and most important step to take after reading about a vendor
product compromise on social media, as it will help the information security manager to
confirm the accuracy and relevance of the information, and to evaluate the potential
consequences and probability of the compromise on the organization’s data and systems”
(p. 63). Additionally, the article Defending Against Software Supply Chain Attacks from the
CISA website states that “the first step in responding to a software supply chain attack is to
validate the risk to the organization by verifying the source and credibility of the information,
determining if the organization uses the affected software, and assessing the potential
impact and likelihood of the compromise on the organization’s data and systems” (p. 2)
Question # 82
An information security manager has identified that security risks are not being treated in a timely manner. Which of the following
A. Provide regular updates about the current state of the risks. B. Re-perform risk analysis at regular intervals. C. Assign a risk owner to each risk. D. Create mitigating controls to manage the risks.
Answer: B
Explanation: An email digital signature will verify to recipient the integrity of an email
message because it ensures that the message has not been altered or tampered with
during transit, and confirms that the message originated from the sender and not an
imposter. An email digital signature will not protect the confidentiality of an email message
because it does not encrypt or hide the message content from unauthorized parties. An email digital signature will not automatically correct unauthorized modification of an email
message because it does not change or restore the message content if it has been altered
or tampered with. An email digital signature will not prevent unauthorized modification of an
email message because it does not block or stop any attempts to alter or tamper with the
Governance, Section: Enterprise Governance, Subsection: Board of Directors, Page 18.
Question # 84
Which of the following is the FIRST step when conducting a post-incident review?
A. Identify mitigating controls. B. Assess the costs of the incident. C. Perform root cause analysis. D. Assign responsibility for corrective actions.
Answer: C
Explanation:
A post-incident review is a process of analyzing an incident and its impact, identifying the
root causes, and recommending corrective actions to prevent recurrence. The first step of a
post-incident review is to perform root cause analysis, which is the process of identifying
the underlying factors that contributed to the occurrence and severity of the incident. Root
cause analysis helps to determine the most effective and efficient solutions to address the
problem and avoid future incidents. References = CISM Review Manual, 16th Edition,
Chapter 5, Section 5.5.2.11
Question # 85
Which of the following should an organization do FIRST when confronted with the transfer of personal data across borders?
A. Define policies and standards for data processing. B. Implement applicable privacy principles. C. Assess local or regional regulations. D. Research cyber insurance policies.
Answer: C
Explanation: Before transferring personal data across borders, an organization should
first assess the local or regional regulations that apply to the data protection and privacy of
the data subjects. This will help the organization to identify the legal requirements and risks
involved in the data transfer, and to choose the appropriate tools and safeguards to ensure
compliance and protection. For example, the organization may need to obtain consent from
the data subjects, use adequacy decisions, standard contractual clauses, or other
mechanisms to ensure an adequate level of protection in the third country, or rely on
specific derogations for certain situations. The other options are not the first steps to take,
although they may be relevant at later stages of the data transfer process. References =
Guide to the cross-border transfer of personal data in the GDPR
New guidance issued by the EDPB on international transfers of personal data
Requirements for transferring personal information across borders
Question # 86
Which of the following is MOST important to the successful implementation of an information security program?
A. Adequate security resources are allocated to the program. B. Key performance indicators (KPIs) are defined. C. A balanced scorecard is approved by the steering committee. D. The program is developed using global security standards.
Answer: A
Explanation: The successful implementation of an information security program depends
largely on the availability and allocation of adequate security resources, such as budget,
staff, technology, and training. Without sufficient resources, the program may not be able to
achieve its objectives, comply with the security strategy, or address the security risks. Key
performance indicators (KPIs), a balanced scorecard, and global security standards are
also important elements of an information security program, but they are not as critical as
DDoS Attacks—A Cyberthreat and Possible Solutions
Question # 91
An organization's automated security monitoring tool generates an excessively large amount of false positives. Which of the following is the BEST method to optimize the monitoring process?
A. Report only critical alerts. B. Change reporting thresholds. C. Reconfigure log recording. D. Monitor incidents in a specific time frame.
Answer: B
Explanation: Changing reporting thresholds is the best method to optimize the monitoring process when the automated security monitoring tool generates an excessively large
amount of false positives. Changing reporting thresholds means adjusting the criteria or
parameters that trigger the alerts, such as the severity level, the frequency, the source, or
the destination of the events. Changing reporting thresholds can help to reduce the number
of false positives, filter out the irrelevant or benign events, and focus on the most critical
and suspicious events that require further investigation or response.
References = Cybersecurity tool sprawl leading to burnout, false positives: report, Security
tools’ effectiveness hampered by false positives
Question # 92
An organization has implemented a new customer relationship management (CRM) system. Who should be responsible for enforcing authorized and controlled access to the CRM data?
A. Internal IT audit B. The data custodian C. The information security manager D. The data owner
Answer: D
Explanation: The data owner is the person who has the authority and responsibility to
classify, grant access, and monitor the use of the CRM data. The data owner should
ensure that the data is protected according to its classification and business requirements.
The data custodian is the person who implements the controls and procedures to protect
the data as directed by the data owner. The information security manager is the person
who advises the data owner on the best practices and standards for data security. The
internal IT audit is the function that evaluates the effectiveness and compliance of the data
Governance, Section: Information Security Roles and Responsibilities, Subsection: Data
Owner, Page 23.
Question # 93
Which of the following would BEST demonstrate the status of an organization's information security program to the board of directors?
A. Information security program metrics B. Results of a recent external audit C. The information security operations matrix D. Changes to information security risks
Answer: A
Explanation: Information security program metrics are the best way to demonstrate the
status of an organization’s information security program to the board of directors, as they
provide relevant and meaningful information on the performance, effectiveness, and value
of the program, as well as the current and emerging risks and the corresponding mitigation
strategies. Information security program metrics should be aligned with the business
objectives and risk appetite of the organization, and should be presented in a clear and
concise manner that enables the board of directors to make informed decisions and
provide oversight. (From CISM Review Manual 15th Edition)
Which of the following is the MOST effective way to detect security incidents?
A. Analyze recent security risk assessments. B. Analyze security anomalies. C. Analyze penetration test results. D. Analyze vulnerability assessments.
Answer: B
Explanation: Analyzing security anomalies is the most effective way to detect security incidents, as it involves comparing the current state of the information system and network
with the expected or normal state, and identifying any deviations or irregularities that may
indicate a security breach or compromise. Security anomalies can be detected by using
various tools and techniques, such as security information and event management (SIEM)
systems, intrusion detection and prevention systems (IDS/IPS), log analysis, network traffic
analysis, and behavioral analysis. (From CISM Review Manual 15th Edition)
To help ensure that an information security training program is MOST effective, its contents
should be based on employees’ roles. This is because different roles have different
responsibilities and access levels to information and systems, and therefore face different
types of threats and risks. By tailoring the training content to the specific needs and
expectations of each role, the training program can increase the relevance and retention of
the information security knowledge and skills for the employees. Role-based training can
also help employees understand their accountability and obligations for protecting
information assets in their daily tasks.
Question # 96
When preventive controls to appropriately mitigate risk are not feasible, which of the following is the MOST important action for the information security manager?
A. Managing the impact B. Identifying unacceptable risk levels C. Assessing vulnerabilities D. Evaluating potential threats
Answer: A
Explanation:
When preventive controls to appropriately mitigate risk are not feasible, the most important
action for the information security manager is to manage the impact, which means taking
measures to reduce the likelihood or severity of the consequences of the risk. Managing
the impact can involve using alternative controls, such as engineering, administrative, or
personal protective controls, that can lower the exposure or harm to the organization. The
other options, such as identifying unacceptable risk levels, assessing vulnerabilities, or
evaluating potential threats, are part of the risk assessment process, but they are not
actions to mitigate risk when preventive controls are not feasible. References:
to the business case for information security investments by identifying and prioritizing the
most critical risks that need to be addressed and evaluating the costs and benefits of the
proposed solutions.”
Question # 99
What is the PRIMARY objective of implementing standard security configurations?
A. Maintain a flexible approach to mitigate potential risk to unsupported systems. B. Minimize the operational burden of managing and monitoring unsupported systems. C. Control vulnerabilities and reduce threats from changed configurations. D. Compare configurations between supported and unsupported systems.
Answer: C
Explanation: The primary objective of implementing standard security configurations is to
control vulnerabilities and reduce threats from changed configurations. Standard security
configurations are the baseline settings and parameters that define the desired security
level and functionality of information systems and devices. By implementing standard
security configurations, the organization can ensure that the information systems and
devices are configured in a consistent and secure manner, and that any deviations or
changes from the standard are detected and corrected. This can help to prevent or mitigate
potential security incidents caused by misconfigurations, unauthorized modifications, or
malicious attacks.
References: The CISM Review Manual 2023 states that “the information security manager
is responsible for ensuring that the security configuration of information systems is in
compliance with the security policies and standards of the organization” and that “the
information security manager should establish and implement standard security
configurations for information systems and devices, and monitor and review the security
configuration on a regular basis and take corrective actions when deviations or violations
are detected” (p. 138). The CISM Review Questions, Answers & Explanations Manual 2023
also provides the following rationale for this answer: “Control vulnerabilities and reduce
threats from changed configurations is the correct answer because it is the primary
objective of implementing standard security configurations, as it helps to maintain the
security posture and functionality of information systems and devices, and to prevent or
mitigate potential security incidents caused by misconfigurations, unauthorized
modifications, or malicious attacks” (p. 63). Additionally, the article Standard Security
Configurations from the ISACA Journal 2017 states that “standard security configurations
are the baseline settings and parameters that define the desired security level and
functionality of information systems and devices” and that “standard security configurations
can help to control vulnerabilities and reduce threats from changed configurations by
ensuring that the information systems and devices are configured in a consistent and
secure manner, and that any deviations or changes from the standard are detected and
corrected” (p. 1)
Question # 100
A risk owner has accepted a large amount of risk due to the high cost of controls. Which of the following should be the information security manager's PRIMARY focus in this situation?
A. Establishing a strong ongoing risk monitoring process B. Presenting the risk profile for approval by the risk owner C. Conducting an independent review of risk responses D. Updating the information security standards to include the accepted risk
Answer: A
Explanation: The information security manager’s PRIMARY focus in this situation should
be establishing a strong ongoing risk monitoring process, which is the process of tracking
and evaluating the changes in the risk environment, the effectiveness of the risk responses,
and the impact of the residual risk on the organization. A strong ongoing risk monitoring
process can help the information security manager to identify any deviations from the
expected risk level, to report any significant changes or issues to the risk owner and other
stakeholders, and to recommend any adjustments or improvements to the risk
management strategy. Presenting the risk profile for approval by the risk owner is not the
primary focus in this situation, as it is a step that should be done before the risk owner
accepts the risk, not after. Conducting an independent review of risk responses is not the
primary focus in this situation, as it is a quality assurance activity that can be performed by
an external auditor or a third-party expert, not by the information security
manager. Updating the information security standards to include the accepted risk is not
the primary focus in this situation, as it is a documentation activity that does not address
the ongoing monitoring and reporting of the risk. References = CISM Review Manual, 16th
Question # 101
Which of the following BEST provides an information security manager with sufficient assurance that a service provider complies with the organization's information security requirements?
A. A live demonstration of the third-party supplier's security capabilities
B. The ability to audit the third-party supplier's IT systems and processes
C. Third-party security control self-assessment (CSA) results
D. An independent review report indicating compliance with industry standards
Answer: B
Explanation: A service provider is a third-party supplier that provides IT services or
products to an organization. A service provider should comply with the organization’s
information security requirements, such as policies, standards, procedures, and controls, to
ensure the confidentiality, integrity, and availability of the organization’s data and systems.
The best way to provide an information security manager with sufficient assurance that a
service provider complies with the organization’s information security requirements is to
have the ability to audit the third-party supplier’s IT systems and processes. An audit is a
systematic and independent examination of evidence to determine the degree of conformity
to predetermined criteria. An audit can verify the effectiveness and efficiency of the service
provider’s security controls, identify any gaps or weaknesses, and provide
recommendations for improvement. An audit can also ensure that the service provider
adheres to the contractual obligations and service level agreements (SLAs) with the
organization. Therefore, option B is the most appropriate answer.
Option A is not the best answer because a live demonstration of the third-party supplier’s
security capabilities may not be comprehensive, objective, or reliable. A live demonstration
may only show the positive aspects of the service provider’s security, but not reveal any
hidden or potential issues. A live demonstration may also be subject to manipulation or
deception by the service provider.
Option C is not the best answer because third-party security control self-assessment (CSA)
results may not be accurate, complete, or consistent. A self-assessment is a process
where the service provider evaluates its own security controls against a set of criteria or
standards. A self-assessment may be biased, subjective, or incomplete, as the service
provider may not disclose or report all the relevant information or issues. A self-assessment
may also vary in quality and scope depending on the service provider’s expertise,
resources, and methodology.
Option D is not the best answer because an independent review report indicating
compliance with industry standards may not be sufficient or specific for the organization’s
information security requirements. An independent review is a process where an external
party evaluates the service provider’s security controls against a set of industry standards
or best practices, such as ISO/IEC 27001, NIST CSF, PCI DSS, etc. An independent
review report may provide a general overview of the service provider’s security posture, but
not address the organization’s unique or specific security needs, risks, or expectations. An
independent review report may also be outdated, limited, or generic, as the industry
standards or best practices may not reflect the current or emerging security threats the
organization actually faces. Where such a report is all that is available, its scope and
findings should be mapped to the organization's own requirements and supplemented by a
contractual right to audit, which is what option B provides directly.
Question # 102
When determining an acceptable risk level, which of the following is the MOST important consideration?
A. Threat profiles
B. System criticalities
C. Vulnerability scores
D. Risk matrices
Answer: B
Explanation: The acceptable level of risk for a system is set by how critical that system is
to the business. The more the organization depends on a system, the less residual risk
management will tolerate for it and the lower the threshold at which treatment is required,
so system criticality is what determines the acceptable risk level. Threat profiles and
vulnerability scores are inputs to the risk assessment: they affect likelihood and describe
the current level of risk, but they are not the yardstick against which that risk is judged
acceptable. A risk matrix is a tool for presenting and ranking assessed risk; it does not by
itself establish what level of risk the organization is willing to accept.
Spoofing should be prevented because it may be used to:
A. gain illegal entry to a secure system by faking the sender's address.
B. predict which way a program will branch when an option is presented.
C. assemble information, track traffic, and identify network vulnerabilities.
D. capture information such as passwords traveling through the network.
Answer: A
Explanation:
Spoofing is the impersonation of a person, device or service in order to deceive the
recipient or target. It can be applied to many communication channels, including email,
websites, telephone calls, IP addresses and DNS. One of the most common goals of spoofing is
to gain unauthorized access to a secure system by faking the sender's address, such as an
email address or an IP address. For example, an attacker may forge the email address of a
trusted person or organization and send a phishing message containing a malicious link or
attachment; a recipient who follows the link or opens the attachment may be directed to a
fake website that harvests credentials or may have malware installed on their device.
Alternatively, an attacker may forge the source IP address of a trusted host and send
packets containing malicious commands to a system that grants access on the basis of source
address; if the system accepts the packets as legitimate, it may execute the commands and be
compromised. Gaining illegal entry to a secure system by faking the sender's address is
therefore the reason spoofing must be prevented. The other options describe different
techniques: predicting program branches is unrelated to spoofing, assembling information
and identifying network vulnerabilities is reconnaissance and scanning, and capturing
passwords in transit is sniffing (eavesdropping).
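To make the email case concrete, here is an added example (not code from the page or from ISACA) of the checks a receiving mail gateway applies to spot a forged sender: whether the From: domain the user sees is vouched for by an aligned SPF pass or DKIM signature, whether the envelope sender belongs to a different organization, whether Reply-To steers replies elsewhere, and whether the display name embeds an address from another domain. The domains, messages and MTA verdicts are constructed, and organizational-domain handling is simplified to the last two labels (real DMARC implementations use the Public Suffix List).

```python
"""Spoofing indicators for an inbound email.

Added example, not part of the original page. It checks what a receiving
mail gateway actually has at hand: the RFC 5321 envelope sender (MAIL FROM),
the RFC 5322 From: header, and the SPF/DKIM results already recorded by the
MTA. All addresses and domains below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional


def domain_of(address: str) -> str:
    """Lower-cased domain of 'Display Name <user@host>' or 'user@host'."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def organizational_domain(domain: str) -> str:
    """Simplified: last two labels. Real DMARC uses the Public Suffix List,
    so 'example.co.uk' would be handled wrongly here (assumption for brevity)."""
    return ".".join(domain.split(".")[-2:])


def aligned(header_domain: str, auth_domain: str, relaxed: bool = True) -> bool:
    """DMARC-style identifier alignment between the From: domain and the
    domain that SPF or DKIM actually authenticated. Strict requires an exact
    match; relaxed accepts a subdomain of the same organizational domain."""
    if not header_domain or not auth_domain:
        return False
    if header_domain == auth_domain:
        return True
    return relaxed and organizational_domain(header_domain) == organizational_domain(auth_domain)


def spoof_indicators(raw_message: str, envelope_from: str,
                     spf_result: str, dkim_domain: Optional[str] = None) -> List[str]:
    """Return human-readable indicators of sender spoofing; empty means none found.

    spf_result is the MTA's verdict for envelope_from ('pass', 'fail', ...);
    dkim_domain is the d= domain of a DKIM signature that verified, if any.
    """
    msg = message_from_string(raw_message)
    header_from = msg.get("From", "")
    header_domain = domain_of(header_from)
    envelope_domain = domain_of(envelope_from)
    indicators: List[str] = []

    # 1. The From: domain the user sees must be vouched for by an aligned SPF
    #    pass or an aligned DKIM signature. SPF alone only covers MAIL FROM.
    spf_ok = spf_result.lower() == "pass" and aligned(header_domain, envelope_domain)
    dkim_ok = dkim_domain is not None and aligned(header_domain, dkim_domain.lower())
    if not (spf_ok or dkim_ok):
        indicators.append(f"From: domain {header_domain!r} is not authenticated by aligned SPF or DKIM")

    # 2. Envelope sender and header From: from different organizations is the
    #    classic shape of a forged From: header.
    if organizational_domain(header_domain) != organizational_domain(envelope_domain):
        indicators.append(f"header From {header_domain!r} does not match envelope sender {envelope_domain!r}")

    # 3. Reply-To steering replies to the attacker's real mailbox.
    reply_to = msg.get("Reply-To")
    if reply_to and organizational_domain(domain_of(reply_to)) != organizational_domain(header_domain):
        indicators.append(f"Reply-To goes to {domain_of(reply_to)!r}, not to the From: domain")

    # 4. Display-name spoofing: an address in the display name that differs
    #    from the real address, relying on clients that show only the name.
    display_name = parseaddr(header_from)[0].lower()
    if "@" in display_name and domain_of(display_name) != header_domain:
        indicators.append("display name embeds an address from a different domain than the real From:")
    return indicators


# Constructed sample messages.
LEGITIMATE = (
    "From: Alice <alice@trusted.example>\r\n"
    "Subject: Lunch\r\n\r\nSee you at noon.\r\n"
)
FORGED_FROM = (
    "From: CEO <ceo@trusted.example>\r\n"
    "Reply-To: ceo@attacker.example\r\n"
    "Subject: Urgent wire transfer\r\n\r\nPlease pay the attached invoice today.\r\n"
)
DISPLAY_NAME_TRICK = (
    'From: "ceo@trusted.example" <x@attacker.example>\r\n'
    "Subject: Re: invoice\r\n\r\nSee link.\r\n"
)

if __name__ == "__main__":
    print(spoof_indicators(LEGITIMATE, "bounces@mail.trusted.example", "pass"))
    print(spoof_indicators(FORGED_FROM, "bounce@attacker.example", "pass"))
    print(spoof_indicators(DISPLAY_NAME_TRICK, "x@attacker.example", "pass",
                           dkim_domain="attacker.example"))
```

The third sample passes SPF and DKIM for attacker.example and is still flagged: authentication proves only that the attacker controls attacker.example, which is why the display-name check has to be separate from the alignment check.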
Which of the following BEST facilitates the effective execution of an incident response plan?
A. The plan is based on risk assessment results.
B. The response team is trained on the plan.
C. The plan is based on industry best practice.
D. The incident response plan aligns with the IT disaster recovery plan (DRP).
Answer: B
Explanation: The effective execution of an incident response plan depends largely on the
competence and readiness of the response team, who are responsible for carrying out the
tasks and activities defined in the plan. Therefore, the best way to facilitate the effective
execution of an incident response plan is to ensure that the response team is trained on the
plan, and that they are familiar with their roles, responsibilities, procedures, and tools.
Training the response team on the plan will also help to improve their confidence,
communication, coordination, and collaboration during an incident response. The other
options are not the best ways to facilitate the effective execution of an incident response
plan, although they may be important factors for developing or improving the plan. The plan
should be based on risk assessment results and industry best practice, but these do not
guarantee that the plan will be executed effectively. The incident response plan should
align with the IT disaster recovery plan, but this does not ensure that the response team is
prepared and capable of executing the plan. References = CISM Review Manual, 16th
Edition, page 103. Training on the plan should cover its scope and objectives, the roles and
responsibilities of each team member, the communication and escalation protocols, the
incident classification and prioritization criteria, the response procedures and tools, the
documentation and reporting requirements, and the post-incident review and improvement
process. The team itself may include security analysts, IT staff, legal counsel, public
relations and other stakeholders, all of whom need to know their part before an incident
occurs rather than during it.
Question # 108
A penetration test against an organization's external web application shows several vulnerabilities. Which of the following presents the GREATEST concern?
A. A rules of engagement form was not signed prior to the penetration test.
B. Vulnerabilities were not found by internal tests.
C. Vulnerabilities were caused by insufficient user acceptance testing (UAT).
D. Exploit code for one of the vulnerabilities is publicly available.
Answer: D
Explanation: Publicly available exploit code presents the greatest concern because it
removes the effort and skill that would otherwise be needed to attack the application:
anyone who can reach the internet-facing application can exploit the vulnerability, and
automated scanning and exploitation usually follow soon after exploit publication. This
sharply increases the likelihood of a data breach, denial of service or other compromise and
makes that finding the most urgent to remediate. An unsigned rules of engagement form is a
process failure in the engagement itself, not a risk to the application. Vulnerabilities not
found by internal testing, and vulnerabilities caused by insufficient user acceptance testing
(UAT), point to weaknesses in the testing program that should be corrected, but neither
changes the application's immediate exposure in the way a public exploit does.
Question # 109
An organization's information security manager is performing a post-incident review of a security incident in which the following events occurred:
• A bad actor broke into a business-critical FTP server by brute forcing an administrative password
• The third-party service provider hosting the server sent an automated alert message to the help desk, but it was ignored
• The bad actor could not access the administrator console, but was exposed to encrypted data transferred to the server
• After three hours, the bad actor deleted the FTP directory, causing incoming FTP attempts by legitimate customers to fail
Which of the following could have been prevented by conducting regular incident response testing?
A. Ignored alert messages
B. The server being compromised
C. The brute force attack
D. Stolen data
Answer: A
Explanation: Regular incident response testing exercises the detection and escalation path,
including how the help desk handles alerts from the hosting provider and to whom they must
be escalated. Had that path been tested, the ignored alert would most likely have been acted
on, and the attacker's three hours of access, and the eventual deletion of the FTP directory,
could have been cut short. The other events are not addressed by response testing: the brute
force attack is an external threat, the compromise resulted from a weak administrative
password and the absence of preventive controls such as account lockout or multi-factor
authentication, and any data exposure was a consequence of that compromise. Those are
addressed by preventive controls, not by exercising the response process.
Question # 110
Which of the following is the PRIMARY responsibility of the information security function when an organization adopts emerging technologies?
A. Developing security training for the new technologies
B. Designing new security controls
C. Creating an acceptable use policy for the technologies
D. Assessing the potential security risk
Answer: D
Explanation: The primary responsibility of the information security function when an
organization adopts emerging technologies is to assess the potential security risk, which
means identifying and evaluating the threats, vulnerabilities, and impacts that the new
technologies may pose to the organization’s data, systems, and objectives. Assessing the
potential security risk helps the information security function to determine the appropriate
security requirements, controls, and measures to mitigate the risk and ensure the safe and
secure adoption of the emerging technologies.
References = Performing Risk Assessments of Emerging Technologies, CISM Review
Question # 111
Which of the following would be of GREATEST assistance in determining whether to accept residual risk of a critical security system?
A. Available annual budget
B. Cost-benefit analysis of mitigating controls
C. Recovery time objective (RTO)
D. Maximum tolerable outage (MTO)
Answer: B
Explanation:
Cost-benefit analysis of mitigating controls is the BEST way to assist in determining
whether to accept residual risk of a critical security system, because it helps to compare
the costs of implementing and maintaining the controls with the benefits of reducing the risk
and the potential losses. Cost-benefit analysis can help to justify the investment in security
controls and to optimize the level of residual risk that is acceptable for the organization.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 50: “Cost-benefit analysis is the
process of comparing the costs of risk treatment options with the benefits of risk reduction
and the potential losses from risk events.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 51: “Cost-benefit analysis can help to
justify the investment in information security controls and to optimize the level of residual
risk that is acceptable for the enterprise.”
CISM Domain 2: Information Risk Management (IRM) [2022 update]: “Cost-benefit
analysis: This is a comparison of the costs of implementing and maintaining security
controls with the benefits of reducing risk and potential losses. It helps to justify the
investment in security controls and optimize the level of residual risk.”
Question # 112
A business requires a legacy version of an application to operate but the application cannot be patched. To limit the risk exposure to the business, a firewall is implemented in front of the legacy application. Which risk treatment option has been applied?
A. Mitigate
B. Accept
C. Transfer
D. Avoid
Answer: A
Explanation: Mitigate is the risk treatment option that has been applied by implementing a
firewall in front of the legacy application because it helps to reduce the impact or probability
of a risk. Mitigate is a process of taking actions to lessen the negative effects of a risk, such
as implementing security controls, policies, or procedures. A firewall is a security device
that monitors and filters the network traffic between the legacy application and the external
network, blocking or allowing packets based on predefined rules. A firewall helps to
mitigate the risk of unauthorized access, exploitation, or attack on the legacy application
that cannot be patched. Therefore, mitigate is the correct answer.
Question # 113
Which of the following BEST minimizes information security risk in deploying applications to the production environment?
A. Integrating security controls in each phase of the life cycle
B. Conducting penetration testing post implementation
C. Having a well-defined change process
D. Verifying security during the testing process
Answer: A
Explanation: Integrating security controls in each phase of the life cycle is the best way
to minimize information security risk in deploying applications to the production
environment, because it ensures that security requirements are defined, designed,
implemented, tested and maintained throughout development rather than checked once at
the end. Conducting penetration testing after implementation, having a well-defined change
process and verifying security during the testing process are all important, but none of
them alone addresses all the risks that can arise across the application life cycle.
Penetration testing may reveal some vulnerabilities but cannot guarantee that all of them
are identified and fixed, and fixing them that late is costly. A change process controls and
documents modifications but does not ensure that the changes themselves are secure or free
of new risks. Verifying security during testing validates the functionality and performance
of the controls that were built, but it cannot establish that the security requirements were
complete and consistent with the business objectives and the risk appetite of the
organization.
Question # 114
An organization is planning to outsource network management to a service provider. Including which of the following in the contract would be the MOST effective way to mitigate information security risk?
A. Requirement for regular information security awareness
B. Right-to-audit clause
C. Service level agreement (SLA)
D. Requirement to comply with corporate security policy
Answer: D
Explanation: The most effective way to mitigate information security risk when outsourcing
network management to a service provider is to include a requirement for the service
provider to comply with the corporate security policy in the contract. This requirement
ensures that the service provider follows the same security standards, procedures, and
controls as the organization, and protects the confidentiality, integrity, and availability of the
organization’s data and systems. The requirement also defines the roles and
responsibilities, the reporting and escalation mechanisms, and the penalties for noncompliance.
References = A Risk-Based Management Approach to Third-Party Data Security, Risk and
Compliance, CISM Domain 2: Information Risk Management (IRM) [2022 update]
Question # 115
Which of the following would BEST support the business case for an increase in the information security budget?
A. Cost-benefit analysis results
B. Comparison of information security budgets with peer organizations
C. Business impact analysis (BIA) results
D. Frequency of information security incidents
Answer: A
Explanation: Cost-benefit analysis results are the best support for the business case for an
increase in the information security budget because they demonstrate the value and return on
investment of the proposed security initiatives. A cost-benefit analysis compares the costs
and benefits of the alternatives, taking into account both quantitative and qualitative
factors, and so shows both why the spending is needed and how it should be prioritized
according to expected outcomes. Comparisons with peer budgets, business impact analysis
(BIA) results and incident frequency are useful inputs, but on their own they do not show
that the proposed spending will reduce risk by more than it costs. Therefore, cost-benefit
analysis results best support the business case.
Question # 116
Which of the following should an information security manager do FIRST upon confirming a privileged user's unauthorized modifications to a security application?
A. Report the risk associated with the policy breach.
B. Enforce the security configuration and require the change to be reverted.
C. Implement compensating controls to address the risk.
D. Implement a privileged access management system.
Answer: B
Explanation: The first thing that an information security manager should do upon
confirming a privileged user’s unauthorized modifications to a security application is to
enforce the security configuration and require the change to be reverted. This is because
the unauthorized modification may have compromised the security of the application and
the data it protects, and may have violated the security policies and standards of the
organization. By enforcing the security configuration and requiring the change to be
reverted, the information security manager can restore the security posture of the
application and prevent further unauthorized modifications.
References: The CISM Review Manual 2023 states that “the information security manager
is responsible for ensuring that the security configuration of information systems is in
compliance with the security policies and standards of the organization” and that “the
information security manager should monitor and review the security configuration of
information systems on a regular basis and take corrective actions when deviations or violations are detected” (p. 138). The CISM Review Questions, Answers & Explanations
Manual 2023 also provides the following rationale for this answer: “Enforcing the security
configuration and requiring the change to be reverted is the correct answer because it is
the most immediate and effective action to address the unauthorized modification and to
maintain the security of the application” (p. 63). Additionally, the Effective Interactive
Privileged Access Review article from the ISACA Journal 2018 states that “any
unauthorized changes to the production environment should be reverted back to the
original state and the incident should be reported to the appropriate authority” (p. 4).
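What "enforce the security configuration and revert the change" looks like in practice, and the deviation detection that the standard-configuration passage earlier on this page describes, as an added example that is not code from the page or from ISACA: parse the system's effective settings, compare them with the approved baseline, list every deviation, and re-assert the standard. The baseline is a constructed subset of sshd_config hardening options, the "modified" file is constructed, and Match blocks and Include directives are ignored for brevity.

```python
"""Detect drift from a standard security configuration and build the revert.

Added example, not from the page. The baseline below is an illustrative
subset of sshd_config hardening settings; the keys, values and the sample
"modified" file are constructed, and 'Match' blocks are ignored for brevity.
"""
from typing import Dict, List, Optional, Tuple

# The approved standard configuration (what the security standard requires).
BASELINE: Dict[str, str] = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword argument' lines in sshd_config style.

    Blank lines and '#' comment lines are skipped. sshd honours the FIRST
    occurrence of a keyword, so a later duplicate does not override an
    earlier one; the same rule is kept here because the revert relies on it.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, argument = line.partition(" ")
        settings.setdefault(keyword, argument.strip())
    return settings


def find_deviations(actual: Dict[str, str],
                    baseline: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each non-compliant keyword to (expected, observed); observed is None
    when the keyword is missing, which for sshd means the compiled-in default applies."""
    deviations: Dict[str, Tuple[str, Optional[str]]] = {}
    for keyword, expected in baseline.items():
        observed = actual.get(keyword)
        if observed is None or observed.lower() != expected.lower():
            deviations[keyword] = (expected, observed)
    return deviations


def corrective_lines(deviations: Dict[str, Tuple[str, Optional[str]]]) -> List[str]:
    """Config lines that restore the standard. Because sshd keeps the first
    occurrence, prepending these to the file is enough to override the change."""
    return [f"{keyword} {expected}" for keyword, (expected, _) in sorted(deviations.items())]


def revert(text: str, baseline: Dict[str, str]) -> str:
    """Return the configuration text with the standard re-asserted at the top."""
    fixes = corrective_lines(find_deviations(parse_config(text), baseline))
    if not fixes:
        return text
    return "# Re-asserted by configuration enforcement\n" + "\n".join(fixes) + "\n" + text


def is_compliant(text: str, baseline: Dict[str, str]) -> bool:
    """True when every baseline keyword is present with the required value."""
    return not find_deviations(parse_config(text), baseline)


# Constructed sshd_config after an unauthorized privileged change: root login
# and password authentication were turned on and MaxAuthTries was removed.
MODIFIED = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
LogLevel VERBOSE
"""

if __name__ == "__main__":
    for keyword, (expected, observed) in find_deviations(parse_config(MODIFIED), BASELINE).items():
        print(f"{keyword}: expected {expected!r}, found {observed!r}")
    print("compliant after revert:", is_compliant(revert(MODIFIED, BASELINE), BASELINE))
```

The deviation report is also the evidence for the incident record: it names each setting that was changed, what the standard requires and what was found, which is what the risk report in option A needs once the configuration has been restored.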
Question # 117
Which of the following is MOST important to include in an information security status report to senior management?
A. Key risk indicators (KRIs)
B. Review of information security policies
C. Information security budget requests
D. List of recent security events
Answer: A
Explanation:
According to the CISM Review Manual, key risk indicators (KRIs) are the most important
information to include in an information security status report to senior management, as
they provide a measure of the current level of risk exposure and the effectiveness of the
risk management activities. KRIs also help to identify trends, patterns and emerging risks
that need management attention. A review of policies, budget requests and a list of recent
events may all be reported, but none of them gives senior management the view of the current
risk level that KRIs provide.
An organization wants to integrate information security into its HR management processes. Which of the following should be the FIRST step?
A. Benchmark the processes with best practice to identify gaps.
B. Calculate the return on investment (ROI).
C. Provide security awareness training to HR.
D. Assess the business objectives of the processes.
Answer: D
Explanation: The first step when integrating information security into HR management
processes is to assess the business objectives of the processes, which means
understanding the purpose, scope, and expected outcomes of the HR functions and
activities, and how they relate to the organization’s strategy and goals. The assessment will
help to identify the information security requirements, risks, and controls that are relevant
and applicable to the HR processes, and to align the information security objectives with
those of the business.
Which of the following is the MOST appropriate metric to demonstrate the effectiveness of information security controls to senior management?
A. Downtime due to malware infections
B. Number of security vulnerabilities uncovered with network scans
C. Percentage of servers patched
D. Annualized loss resulting from security incidents
Answer: D
Explanation:
Annualized loss resulting from security incidents is the most appropriate metric to
demonstrate the effectiveness of information security controls to senior management, as it
quantifies the financial impact of security breaches on the organization’s assets,
operations, and reputation. This metric helps to communicate the value of security
investments, justify the security budget, and prioritize the security initiatives based on the
potential loss reduction. Annualized loss resulting from security incidents can be calculated
by multiplying the annualized rate of occurrence (ARO) of an incident by the single loss
expectancy (SLE) of an incident. ARO is the estimated frequency of an incident occurring
in a year, and SLE is the estimated cost of a single incident. For example, if an organization
estimates that a ransomware attack may occur once every two years (ARO = 0.5), and that each
attack may cost $100,000 to recover from (SLE = $100,000), then the annualized loss resulting
from ransomware attacks is $100,000 × 0.5 = $50,000. Downtime, vulnerability counts and patch
percentages are operational indicators that are meaningful to technical staff but do not, on
their own, tell senior management what the controls are worth to the business.
References = Domain 4, Knowledge Statement 4.112; Key Performance Indicators for Security
Governance, Part 1; Performance Measurement Guide for Information Security
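The ALE formula above carried through in code, and extended to the cost-benefit comparison that Questions 111 and 115 rely on, as an added example that is not material from the page or the CISM manual. The ransomware SLE and ARO are the page's own figures; the four treatment options and their cost and effect numbers are constructed. A treatment whose annual cost exceeds the loss it avoids shows a negative net benefit, which is the quantitative form of "accept the residual risk because the control costs more than the risk".

```python
"""Annualized loss expectancy and cost-benefit ranking of risk treatments.

Added example, not part of the page. ale() is the page's formula
(ALE = SLE x ARO, with the page's ransomware figures); the treatment options
and their cost and effect figures are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: single loss expectancy times the
    annualized rate of occurrence."""
    return sle * aro


@dataclass(frozen=True)
class Treatment:
    name: str
    annual_cost: float    # implementation cost amortized per year plus operating cost
    residual_sle: float   # expected loss per incident after the treatment
    residual_aro: float   # expected incidents per year after the treatment


def risk_reduction(baseline_sle: float, baseline_aro: float, t: Treatment) -> float:
    """Annual loss avoided: ALE before minus ALE after the treatment."""
    return ale(baseline_sle, baseline_aro) - ale(t.residual_sle, t.residual_aro)


def net_benefit(baseline_sle: float, baseline_aro: float, t: Treatment) -> float:
    """Risk reduction minus what the treatment costs each year. Negative means
    the control costs more than the loss it prevents, so accepting the residual
    risk (or choosing a cheaper control) is the economically rational option."""
    return risk_reduction(baseline_sle, baseline_aro, t) - t.annual_cost


def rank_treatments(baseline_sle: float, baseline_aro: float,
                    options: List[Treatment]) -> List[Tuple[str, float]]:
    """(name, net_benefit) pairs, best first."""
    scored = [(t.name, net_benefit(baseline_sle, baseline_aro, t)) for t in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Page figures: one ransomware incident every two years, $100,000 per incident.
RANSOMWARE_SLE = 100_000.0
RANSOMWARE_ARO = 0.5

# Constructed treatment options (costs and effects are assumptions).
OPTIONS = [
    Treatment("Accept (no new control)", annual_cost=0.0,
              residual_sle=100_000.0, residual_aro=0.5),
    Treatment("Offline immutable backups", annual_cost=15_000.0,
              residual_sle=20_000.0, residual_aro=0.5),    # incidents still occur, recovery is cheap
    Treatment("EDR plus phishing-resistant MFA", annual_cost=30_000.0,
              residual_sle=100_000.0, residual_aro=0.1),   # fewer incidents, same cost each
    Treatment("Full network rebuild", annual_cost=80_000.0,
              residual_sle=100_000.0, residual_aro=0.05),  # costs more than the risk it removes
]

if __name__ == "__main__":
    print(f"ALE before treatment: ${ale(RANSOMWARE_SLE, RANSOMWARE_ARO):,.0f}")
    for name, benefit in rank_treatments(RANSOMWARE_SLE, RANSOMWARE_ARO, OPTIONS):
        print(f"{name:35s} net annual benefit ${benefit:,.0f}")
```

Note that two different treatments (reducing SLE through backups, reducing ARO through prevention) can avoid the same annual loss; the ranking separates them only by cost, which is exactly the comparison a budget request to senior management has to make.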
Question # 121
A technical vulnerability assessment on a personnel information management server should be performed when:
A. the data owner leaves the organization unexpectedly.
B. changes are made to the system configuration.
C. the number of unauthorized access attempts increases.
D. an unexpected server outage has occurred.
Answer: B
Explanation: A technical vulnerability assessment identifies and evaluates the weaknesses
present in a specific system, component or network so that they can be remediated before
they are exploited. New vulnerabilities are introduced most often by change: a configuration
change on the server can open ports, weaken authentication settings, alter file permissions
or disable logging, so the assessment should be repeated whenever the system configuration
changes, in addition to the regular schedule. An increase in unauthorized access attempts is
an indicator of a threat in progress and should trigger investigation and incident response,
not a vulnerability assessment; the server's vulnerabilities have not changed because someone
is probing it. The data owner leaving and an unexpected outage call for reassigning ownership
and for investigating the cause of the outage respectively, but neither by itself alters the
vulnerability profile of the server. Therefore, option B is the correct answer.
References =
CISM Review Manual (Digital Version), Chapter 5: Information Security Program Management
CISM Review Manual (Print Version), Chapter 5: Information Security Program Management
Question # 122
When assigning a risk owner, the MOST important consideration is to ensure the owner has:
A. adequate knowledge of risk treatment and related control activities.
B. decision-making authority and the ability to allocate resources for risk.
C. sufficient time for monitoring and managing the risk effectively.
D. risk communication and reporting skills to enable decision-making.
Answer: B
Explanation: The risk owner is the person or
entity with the accountability and authority to manage a risk. The risk owner should have
the decision-making authority and the ability to allocate resources for risk treatment and
related control activities. The risk owner should also be responsible for monitoring and
reporting on the risk, but these are not the most important considerations when assigning a
risk owner. The risk owner may not have adequate knowledge of risk treatment and related
control activities, but can delegate or consult with experts as needed. The risk owner
should also have sufficient time for managing the risk effectively, but this is not a
prerequisite for assigning a risk owner.
References =
CISM Review Manual 15th Edition, page 76
CISM Practice Quiz, question 417
Question # 123
The PRIMARY advantage of performing black-box control tests as opposed to white-box control tests is that they:
A. cause fewer potential production issues.
B. require less IT staff preparation.
C. simulate real-world attacks.
D. identify more threats.
Answer: C
Explanation: The primary advantage of performing black-box control tests as opposed to
white-box control tests is that they simulate real-world attacks. Black-box control tests are a
software testing methodology in which the tester analyzes the functionality of an application
without a thorough knowledge of its internal design. Conversely, in white-box control tests,
the tester is knowledgeable of the internal design of the application and analyzes it during testing. By performing black-box control tests, the tester can mimic the perspective and
behavior of an external attacker who does not have access to the source code or the
implementation details of the application. This way, the tester can evaluate how the
application responds to different inputs and scenarios, and identify any vulnerabilities or
errors that may affect its functionality or security. The other options are not the primary
advantage of performing black-box control tests, although they may be some benefits or
drawbacks depending on the context. Causing fewer potential production issues is not
necessarily true, as black-box control tests may still introduce errors or disruptions to the
application if not performed carefully. Requiring less IT staff preparation is not always true,
as black-box control tests may still require a lot of planning and documentation to ensure
adequate test coverage and quality. Identifying more threats is not necessarily true, as
black-box control tests may miss some threats that are hidden in the internal logic or
structure of the application.
Question # 124
Which of the following is MOST important when developing an information security strategy?
A. Engage stakeholders.
B. Assign data ownership.
C. Determine information types.
D. Classify information assets.
Answer: A
Explanation: Engaging stakeholders is the most important step when developing an
information security strategy, as it ensures that the strategy is aligned with the business
objectives, risks, and needs of the organization. Stakeholders include senior management,
business units, IT staff, customers, regulators, and other relevant parties who have an
interest or influence on the information security of the organization. By engaging
stakeholders, the information security manager can gain their support, input, feedback, and
buy-in for the strategy, as well as identify and prioritize the security requirements it
must address. Assigning data ownership, determining information types and classifying
information assets are all activities the strategy will direct, but they follow from the
stakeholder-agreed objectives rather than come before them.
References = 1, Task 1.3; IT Asset Valuation, Risk Assessment and Control Implementation
Model; Managing Data as an Asset
Question # 126
Which of the following is MOST important in order to obtain senior leadership support when presenting an information security strategy?
A. The strategy aligns with management's acceptable level of risk.
B. The strategy addresses ineffective information security controls.
C. The strategy aligns with industry benchmarks and standards.
D. The strategy addresses organizational maturity and the threat environment.
Answer: A
Explanation: The most important factor in obtaining senior leadership support when
presenting an information security strategy is that the strategy aligns with management’s
acceptable level of risk, because this ensures that the strategy is consistent and compatible
with the organization’s risk appetite and thresholds, and reflects management’s
expectations and priorities for security risk management. That the strategy addresses
ineffective information security controls is not a very important factor, because it does not
indicate how the strategy will improve or enhance the security controls or performance. That the
strategy aligns with industry benchmarks and standards is not a very important factor,
because it does not indicate how the strategy will differentiate or innovate the
organization’s security capabilities or practices. That the strategy addresses organizational
maturity and the threat environment is not a very important factor, because it does not
indicate how the strategy will advance or adapt the organization’s security posture or
Which of the following is the PRIMARY role of the information security manager in application development?
A. To ensure security is integrated into the system development life cycle (SDLC) B. To ensure compliance with industry best practice C. To ensure enterprise security controls are implemented D. To ensure control procedures address business risk
Answer: A
Explanation:
According to the CISM Review Manual, one of the primary roles of the information security manager in application development is to ensure that security is integrated into the SDLC.
This means that security requirements, design, testing, deployment, and maintenance are
all considered and addressed throughout the application development process. By doing
so, the information security manager can help to prevent or mitigate security risks, ensure
compliance with standards and regulations, and improve the quality and reliability of the
application.
The other options are not as accurate as ensuring security is integrated into the SDLC.
Ensuring compliance with industry best practices is a secondary role of the information
security manager in application development, as it involves following established guidelines
and frameworks for secure application development. However, compliance alone does not
guarantee that security is actually implemented in the application. Ensuring enterprise
security controls are implemented is a tertiary role of the information security manager in
application development, as it involves applying existing policies and procedures for
managing and monitoring security activities across the organization. However, enterprise
controls alone do not ensure that security is tailored to the specific needs and context of
each application. Ensuring control procedures address business risk is a quaternary role of
the information security manager in application development, as it involves identifying and
assessing potential threats and vulnerabilities that could affect the business objectives and
operations of each application. However, business risk alone does not ensure that security
measures are aligned with the value proposition and benefits of each application.
The PRIMARY goal of the eradication phase in an incident response process is to:
A. maintain a strict chain of custody. B. provide effective triage and containment of the incident. C. remove the threat and restore affected systems D. obtain forensic evidence from the affected system.
Answer: C
Explanation: The primary goal of the eradication phase in an incident response process is
to remove the threat and restore affected systems because it eliminates any traces or
remnants of malicious activity or compromise from the systems or network, and returns
them to their normal or secure state. Maintaining a strict chain of custody is not a goal of
the eradication phase, but rather a requirement for preserving and documenting digital
evidence throughout the incident response process. Providing effective triage and
containment of the incident is not a goal of the eradication phase, but rather a goal of the
containment phase, which isolates and stops the spread of malicious activity or
compromise. Obtaining forensic evidence from the affected system is not a goal of the
eradication phase, but rather a goal of the identification phase, which collects and analyzes
data or artifacts related to malicious activity or compromise. References:
A new application has entered the production environment with deficient technical security controls. Which of the following is MOST likely the root cause?
A. Inadequate incident response controls B. Lack of legal review C. Inadequate change control D. Lack of quality control
Answer: C
Explanation: Change control is the process of ensuring that changes to an information
system are authorized, tested, documented and implemented in a controlled manner.
Inadequate change control can result in deficient technical security controls, such as
missing patches, misconfigurations, vulnerabilities or errors in the new application.
Which of the following is the BEST justification for making a revision to a password policy?
A. Vendor recommendation B. Audit recommendation C. A risk assessment D. Industry best practice
Answer: C
Explanation: The best justification for making a revision to a password policy is a risk
assessment. A risk assessment is a process of identifying, analyzing, and evaluating the
potential threats and vulnerabilities that may affect the confidentiality, integrity, and
availability of information assets and systems. By conducting a risk assessment, the
organization can determine the appropriate level of security controls and measures to
protect its information assets and systems, including password policies. A risk assessment
can also help identify any gaps or weaknesses in the existing password policy, and provide
recommendations for improvement based on the organization’s risk appetite and tolerance.
The other options are not the best justification for making a revision to a password policy,
although they may be inputs to or outputs of the risk assessment process. A vendor
recommendation is an external source of advice or guidance that may or may not be
relevant or applicable to the organization’s specific context and needs. A vendor
recommendation should not be followed blindly without conducting a risk assessment to
evaluate its suitability and effectiveness. An audit recommendation is an internal source of
feedback or suggestion that may or may not be accurate or complete. An audit
recommendation should not be implemented without conducting a risk assessment to verify
its validity and feasibility. An industry best practice is a general standard or guideline that
may or may not reflect the organization’s unique characteristics and requirements. An
industry best practice should not be adopted without conducting a risk assessment to
customize it according to the organization’s goals and priorities.
Question # 133
Who is accountable for approving an information security governance framework?
A. The board of directors B. The chief information security officer (CISO) C. The enterprise risk committee D. The chief information officer (CIO)
Answer: A
Explanation:
The board of directors is ultimately responsible for the governance of the organization,
including the approval of the information security governance framework and the oversight
of its implementation and performance. References = CISM Review Manual, 16th Edition,
Domain 1: Information Security Governance, Chapter 2: Establish and Maintain an
Information Security Governance Framework, Section: Roles and Responsibilities of Senior
Management and the Board of Directors
Question # 134
What should an information security manager verify FIRST when reviewing an information asset management program?
A. System owners have been identified. B. Key applications have been secured. C. Information assets have been classified. D. Information assets have been inventoried.
Answer: C
Explanation: According to the CISM Review Manual, information asset classification is the
first step in an information asset management program, as it provides the basis for
determining the level of protection required for each asset. System owners, key
applications and information asset inventory are subsequent steps that depend on the