Isaca

CISM

Exam Name:
Certified Information Security Manager

Questions & Answers

(Demo Version – Limited Content)

Thank you for Downloading CISM exam PDF Demo

You can also try our CISM practice exam software

Download Free Demo:

https://www.testcollections.com/CISM.html
 Version: 23.2

Question: 1

Which of the following metrics would be considered an accurate measure of an information security
program's performance?

A. The number of key risk indicators (KRIs) identified, monitored, and acted upon
B. A collection of qualitative indicators that accurately measure security exceptions
C. A combination of qualitative and quantitative trends that enable decision making
D. A single numeric score derived from various measures assigned to the security program

Answer: A

Question: 2

Which of the following BEST ensures timely and reliable access to services?

A. Nonrepudiation
B. Recovery lime objective (RTO)
C. Availability
D. Authenticity

Answer: B

Question: 3

When trying to integrate information security across an organization, the MOST important goal for a
governing body should be to ensure:

A. funding is approved for requested information security projects.

B. the resources used for information security projects are kept to a minimum.
C. periodic information security audits are conducted.
D. information security is treated as a business critical issue.

Answer: D

Question: 4

An organization is considering the purchase of a competitor. To determine the competitor's security

posture, the BEST course of action for the organization's information security manager would be to:

A. assess the key technical controls of the competitor.

B. assess the security policy of the competitor.
C. conduct a penetration test of the competitor,

Page | 2
D. perform a security gap analysis on the competitor.

Answer: B

Question: 5

Which of the following would be the MOST effective incident response team structure for an
organization with a large headquarters and worldwide branch offices?

A. Coordinated
B. Decentralized
C. Outsourced
D. Centralized

Answer: D

Question: 6

Which of the following is MOST helpful for prioritizing the recovery of IT assets during a disaster?

A. Vulnerability assessment
B. Business impact analysis (BIA)
C. Cost- benefit analysis
D. Risk assessment

Answer: B

Question: 7

Which of the following BEST helps to identify vulnerabilities introduced by changes to an

organization's technical infrastructure?

A. Log aggregation and correlation

B. Established security baselines
C. An intrusion detection system (IDS)
D. Penetration testing

Answer: A

Question: 8

Which of the following is the MOST important function of information security?

A. Managing risk to the organization

B. Identifying system vulnerabilities
C. Preventing security incidents
D. Reducing the financial impact of security breaches

Answer: A

Question: 9

Page | 3
Which of the following is the BEST strategy to implement an effective operational security posture?

A. Defense in depth
B. Threat management
C. Vulnerability management
D. Increased security awareness

Answer: D

Question: 10

Which of the following is the PRIMARY reason to conduct periodic business impact assessments?

A. Update recovery objectives based on new risks.

B. Decrease the recovery times.
C. Improve the results of last business impact assessment (BIA).
D. Meet the needs of the business continuity policy.

Answer: A

Question: 11

Which of the following is the BEST way to address any gaps identified during an outsourced provider
selection and contract negotiation process?

A. Make the provider accountable for security and compliance.

B. Implement compensating controls.
C. Perform continuous gap assessments.
D. Include audit rights in the service level agreement (SLA).

Answer: A

Question: 12

When facilitating the alignment of corporate governance and information security governance,
which of the following is the MOST important role of an organizations security steering committee?

A. Obtaining support for the integration from business owners

B. Evaluating and reporting the degree of integration
C. Obtaining approval for the information security budget
D. Defining metrics to demonstrate alignment

Answer: D

Question: 13

An information security manager is evaluating the key risk indicators (KRls) for an organization s
information security program. Which of the following would be the information security manager s
GREATEST concern?

Page | 4
A. Use of qualitative measures
B. Multiple KRls for a single control process
C. Undefined thresholds to trigger alerts
D. Lack of formal KRI approval from IT management

Answer: C

Question: 14

Reviewing which of the following would provide the GREATEST Input to the asset classification
process?

A. Sensitivity of the data

B. Compliance requirements
C. Replacement cost of the asset
D. Risk assessment

Answer: A

Question: 15

Which of the following is MOST likely to increase end user security awareness in an organization?

A. A dedicated channel for reporting suspicious emails

B. Security objectives included in job descriptions
C. Simulated phishing attacks
D. Red team penetration testing

Answer: C

Question: 16

Which of the following is the PRIMARY goal of a risk management program?

A. Manage compliance with organizational polices.

B. Implement preventive controls against threats
C. Reduce the organization s risk appetite
D. Manage the business impact of inherent risks.

Answer: D

Question: 17

An organization has detected sensitive data leakage caused by an employee of a third-party

contractor. What is the BEST course of action to address this issue?

A. Activate the organization's incident response plan.

B. Limit access to the third-party contractor
C. Include security requirements in outsourcing contracts
D. Terminate the agreement with the third-party contractor

Page | 5
 Answer: A

Question: 18

Which of the following is the MOST important influence to the continued success of an organization's
information security strategy?

A. Information systems
B. Security processes
C. Organizational culture
D. Policy development

Answer: C

Question: 19

Which of the following is the MOST important consideration for designing an effective information
security governance framework?

A. Security controls automation

B. Defined security metrics
C. Continuous audit cycle
D. Security policy provisions

Answer: B

Question: 20

When recommending a preventive control against cross-site scripting in web applications, an

information security manager is MOST likely to suggest:

A. consolidating multiple sites into a single portal.

B. coding standards and code review.
C. using https in place of http.
D. hardening of the web server s operating system.

Answer: B

Page | 6
 Thank You for trying CISM PDF Demo

Start Your CISM Preparation

Use Coupon “20OFF” for extra 20% discount on the purchase of
Practice Test Software. Test your CISM preparation with actual
exam questions.

To try our CISM practice exam software visit link below

https://www.testcollections.com/CISM.html

Page | 7