Sample Questions and Answers
In the context of risk management, what does residual risk represent?
A. Risk remaining after all mitigation measures are applied
B. Risk ignored by the organization
C. Risk transferred to vendors
D. Risk completely eliminated
Answer: A
Explanation: Residual risk is the risk that remains once the selected controls are in place. It must be compared against the organization's risk appetite and then either formally accepted by management or treated further; it is never zero.
How should a CISM prioritize risks in a large organization?
A. Based on business impact and likelihood, aligned with risk appetite
B. Based on the ease of mitigation alone
C. By ignoring low-probability events
D. Randomly selecting risks for treatment
Answer: A
Explanation: Prioritization must weigh business impact and likelihood together and compare the result against the organization's risk appetite and tolerance, so that treatment effort goes to the risks that matter most to the business.
Which risk assessment methodology is most suitable for quantifying potential financial impact?
A. Quantitative risk assessment
B. Qualitative risk assessment
C. Scenario-based assessment
D. Compliance checklist
Answer: A
Explanation: Quantitative methods assign numerical values (asset value, loss magnitude, frequency of occurrence) to express expected loss in monetary terms, which supports cost-benefit comparison of controls. Qualitative methods rank risks on ordinal scales and cannot produce a financial figure.
✅ Domain 3: Information Security Program Development and Management
What is the MOST effective way to manage security program resources?
A. Align resources with priority initiatives and business needs
B. Assign all tasks to the security team regardless of capacity
C. Outsource all security functions immediately
D. Use a fixed budget irrespective of program goals
Answer: A
Explanation: Resource allocation should support strategic priorities.
Which of the following helps ensure that security controls remain effective over time?
A. Regular monitoring, testing, and audits
B. Setting controls once and not reviewing
C. Relying on user reports exclusively
D. Disabling controls when not in use
Answer: A
Explanation: Continuous assessment ensures controls adapt to evolving threats.
Why is change management critical to information security?
A. It prevents unauthorized or harmful changes to systems and processes
B. It slows down business operations unnecessarily
C. It eliminates the need for security policies
D. It focuses only on software upgrades
Answer: A
Explanation: Change management ensures that changes are authorized, assessed for security impact, tested and documented before deployment, so that controls are not weakened silently and the security posture remains known.
What role do key performance indicators (KPIs) play in security program management?
A. Measure progress toward security objectives and inform decision-making
B. Track only compliance activities
C. Report only incident counts
D. Replace security policies
Answer: A
Explanation: KPIs provide insight into program health and effectiveness.
What is the BEST approach to vendor security management?
A. Include security requirements in contracts and monitor compliance regularly
B. Avoid involving vendors in security planning
C. Trust vendors implicitly without oversight
D. Rely solely on vendor self-assessments
Answer: A
Explanation: Contractual obligations and oversight mitigate third-party risks.
✅ Domain 4: Information Security Incident Management
What is the FIRST step in incident response?
A. Identification and detection of potential incidents
B. Eradication of the threat
C. Communication with media
D. Root cause analysis
Answer: A
Explanation: An incident cannot be contained or eradicated until it has been detected and confirmed, so identification comes first among the options listed. (Preparation, such as maintaining a plan and trained team, precedes any specific incident but is not one of the choices.)
Why should an incident response plan be tested regularly?
A. To validate effectiveness and prepare the response team
B. To comply with regulations only
C. To reduce the frequency of incidents
D. To eliminate the need for documentation
Answer: A
Explanation: Testing identifies gaps and improves readiness.
During incident containment, which approach is generally preferred?
A. Short-term containment to isolate affected systems, followed by long-term fixes
B. Immediate system shutdown without analysis
C. Ignoring the incident if impact seems low
D. Publicly announcing the incident immediately
Answer: A
Explanation: A phased approach balances operational continuity with risk mitigation.
Which type of incident requires notification to external parties due to legal or regulatory obligations?
A. Data breach involving personal information
B. Internal system misconfiguration with no data loss
C. Password change
D. Routine software update
Answer: A
Explanation: Breaches of personal or otherwise regulated data commonly trigger legal obligations to notify regulators, affected individuals and sometimes partners within defined timeframes; the other options are routine activities with no such requirement.
Post-incident reviews should focus on:
A. Identifying lessons learned and improving controls and response processes
B. Assigning blame to individuals
C. Ignoring minor incidents
D. Avoiding documentation
Answer: A
Explanation: Reviews help improve future incident handling and reduce risk.
✅ Domain 1: Information Security Governance
What is the MOST important reason for involving senior management in security governance?
A. To ensure security initiatives align with business objectives and have executive support
B. To delegate all security tasks to IT staff
C. To reduce the security budget
D. To bypass compliance requirements
Answer: A
Explanation: Senior management buy-in ensures security supports business goals and gets required resources.
Which component is critical in defining a security governance framework?
A. Roles, responsibilities, policies, and procedures aligned with business objectives
B. Technical network diagrams
C. Daily incident reports
D. Software update schedules
Answer: A
Explanation: Governance frameworks define organizational roles and policies to guide security activities.
How does a security policy contribute to risk management?
A. By establishing a baseline of expected behavior and controls to reduce risk
B. By eliminating all risks entirely
C. By delaying security decisions
D. By documenting only compliance requirements
Answer: A
Explanation: Policies provide consistent rules that help mitigate risks.
What is the role of a CISM in establishing an information security governance framework?
A. To ensure alignment with organizational strategy and risk appetite
B. To implement all technical security tools personally
C. To write software code for security applications
D. To manage only user passwords
Answer: A
Explanation: The CISM oversees strategic alignment between security and business needs.
What is a key benefit of integrating information security governance into enterprise governance?
A. Improved overall risk management and strategic alignment
B. Isolated security decisions without business input
C. Increased complexity without business value
D. Focus solely on IT department activities
Answer: A
Explanation: Integration aligns security with broader organizational goals and risks.
✅ Domain 2: Information Risk Management
Which risk treatment option involves accepting risk and preparing to manage its impact?
A. Risk acceptance
B. Risk avoidance
C. Risk transfer
D. Risk mitigation
Answer: A
Explanation: Acceptance is a conscious decision to retain a risk that falls within appetite without applying further controls, while preparing to absorb or manage its impact if it materializes. Avoidance, transfer and mitigation all change the risk itself.
What is the BEST way to communicate risk to senior management?
A. Use business impact language and link risks to organizational objectives
B. Use only technical jargon
C. Avoid reporting low-level risks
D. Send raw risk data without interpretation
Answer: A
Explanation: Business-focused communication increases understanding and informed decisions.
What is the primary purpose of a risk register?
A. To document identified risks, their assessment, and treatment plans
B. To list all assets without risk details
C. To replace security policies
D. To document only incidents
Answer: A
Explanation: The risk register centralizes risk tracking and management activities.
How often should risk assessments be updated?
A. Regularly and when significant changes occur in the environment
B. Once at project start only
C. Only after an incident
D. Never after initial approval
Answer: A
Explanation: Ongoing updates ensure risk management remains current and effective.
When transferring risk, which of the following is the MOST common method?
A. Purchasing cybersecurity insurance or outsourcing
B. Ignoring the risk
C. Discontinuing the affected activity
D. Implementing controls internally
Answer: A
Explanation: Transferring risk shifts the financial consequences (insurance) or the operational responsibility (outsourcing) to a third party. Accountability for the risk remains with the organization, so transferred risks still need monitoring.
✅ Domain 3: Information Security Program Development and Management
What is a primary reason to establish a security awareness program?
A. To reduce human-related security incidents by educating employees
B. To replace technical controls
C. To meet audit requirements only
D. To increase complexity for users
Answer: A
Explanation: Awareness helps prevent security breaches caused by user actions.
Which document should define acceptable use of organizational assets?
A. Acceptable Use Policy (AUP)
B. Network architecture document
C. Incident report
D. Backup schedule
Answer: A
Explanation: The AUP clearly outlines permitted and prohibited actions.
Why is it important to align security projects with business priorities?
A. To ensure resources are used effectively and deliver business value
B. To delay project approvals
C. To avoid senior management involvement
D. To ignore compliance needs
Answer: A
Explanation: Alignment maximizes impact and supports strategic goals.
What is the MOST effective way to measure security program success?
A. Use key performance indicators (KPIs) linked to defined objectives
B. Count the number of security devices deployed
C. Track only incident reports
D. Rely on anecdotal evidence
Answer: A
Explanation: KPIs provide objective insight into program effectiveness.
Which activity is essential during the development of security standards?
A. Defining specific technical requirements that support policy objectives
B. Leaving standards vague to allow flexibility
C. Avoiding stakeholder input
D. Only documenting procedures
Answer: A
Explanation: Standards specify how policies are implemented in practice.
✅ Domain 4: Information Security Incident Management
What should be included in an incident response plan?
A. Roles, responsibilities, procedures, and communication plans
B. Only contact phone numbers
C. A list of software tools only
D. Daily backup schedules
Answer: A
Explanation: Comprehensive plans enable efficient and effective incident handling.
What is the PRIMARY goal of incident detection?
A. Identify potential security events quickly to minimize impact
B. Collect user complaints only
C. Perform routine system maintenance
D. Prepare quarterly reports
Answer: A
Explanation: Early detection enables faster containment and mitigation.
What is a common indicator of a security breach?
A. Unexplained system behavior or unusual network traffic
B. Regular software updates
C. Routine password changes
D. Normal user logins
Answer: A
Explanation: Anomalies often signify potential compromise.
Which phase of incident response focuses on restoring affected systems?
A. Recovery
B. Identification
C. Containment
D. Eradication
Answer: A
Explanation: Recovery returns operations to normal securely.
Why is documentation critical during incident management?
A. It supports forensic analysis, compliance, and lessons learned
B. It is optional
C. It should be kept confidential from management
D. It delays the response process
Answer: A
Explanation: Proper records help understand and prevent future incidents.