CISM Exam Questions
989 real CISM exam questions with expert-verified answers and explanations. Page 12 of 20.
- Question #551 (Information Security Risk Management)
  Which of the following BEST mitigates the risk associated with the deployment of a new production system?
  Tags: Release Management, Risk Mitigation, System Deployment, IT Service Management Processes
- Question #552 (Information Security Program Development and Management)
  Which of the following is the BEST indication that an information security awareness program is effective?
  Tags: Information Security Awareness, Security Training Effectiveness, Social Engineering, Security Program Metrics
- Question #553 (Information Security Incident Management)
  Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?
  Tags: Ransomware Response, Backup Strategy, Incident Recovery, Data Protection
- Question #554 (Information Security Program Development and Management)
  Which of the following is the PRIMARY objective of capacity management in an environment with extensive use of blockchain technology?
  Tags: Capacity management, Blockchain, Network performance, Resource management
- Question #555 (Information Security Governance)
  Which of the following is MOST important to include in a security strategy plan?
  Tags: Security Strategy, Prioritization, Information Security Governance, Strategic Planning
- Question #556 (Information Security Program Development and Management)
  When building or upgrading enterprise cryptographic infrastructure, which of the following is the MOST critical requirement for growing business environments?
  Tags: Cryptographic Infrastructure, Scalability, Enterprise Architecture, Business Growth
- Question #557 (Information Security Governance)
  A job is scheduled to transfer data from a transactional system database to a data lake for reporting purposes. Which of the following would be of GREATEST concern to an IS auditor...
  Tags: Control Monitoring, Scheduled Jobs, Audit Concerns, Change Management
- Question #558 (Information Security Program Development and Management)
  Which of the following should be an IS auditor's PRIMARY focus when auditing an organization's transition to a Zero Trust architecture?
  Tags: Zero Trust Architecture, IS Audit, Access Control, Authentication and Authorization
- Question #559 (Information Security Incident Management)
  Which of the following is the PRIMARY role of digital forensics during an IT investigation?
  Tags: Digital Forensics, IT Investigation, Incident Response, Evidence Analysis
- Question #560 (Information Security Program Development and Management)
  Which of the following is the purpose of media access control (MAC) address filtering in wireless network security?
  Tags: Wireless Security, MAC Address Filtering, Access Control, Network Security Controls
- Question #561 (Information Security Governance)
  Which of the following indicates an effective change control environment?
  Tags: Change Management, IT Governance, Security Controls, Authorization
- Question #562 (Information Security Risk Management)
  An organization has recently implemented additional application programming interfaces (APIs) to enhance data exchange with vendors. Which of the following is MOST important to ens...
  Tags: API Security, Authorization, Risk Management, Security Audit
- Question #563 (Information Security Incident Management)
  Which of the following should be the PRIMARY focus of an organization with immature incident detection capabilities?
  Tags: Incident detection, User awareness, Security controls, Incident management
- Question #564 (Information Security Governance)
  Which of the following roles is accountable for the protection of data?
  Tags: Data ownership, Accountability, Roles and responsibilities, Information asset protection
- Question #565 (Information Security Incident Management)
  Which of the following is the BEST course of action when SIEM monitoring indicates that a network attack is in progress?
  Tags: Incident Response, Containment Strategy, Network Attack, SIEM
- Question #566 (Information Security Incident Management)
  Which of the following is MOST important when responding to a major security incident?
  Tags: Incident Response, Escalation Process, Major Security Incident, Incident Management Process
- Question #567 (Information Security Governance)
  A global organization is moving its customer relationship management (CRM) system to a cloud platform. Which of the following is the MOST important consideration for legal and regu...
  Tags: Cloud Compliance, Data Residency, Regulatory Requirements, Data Sovereignty
- Question #568 (Information Security Incident Management)
  Which of the following is the BEST approach when conducting a forensic examination of data from an infected hard disk?
  Tags: Digital Forensics, Evidence Preservation, Incident Response, Forensic Imaging
- Question #569 (Information Security Risk Management)
  Which of the following is the PRIMARY reason to perform regular reviews of the cybersecurity threat landscape?
  Tags: Threat Landscape, Security Posture, Risk Assessment, Emerging Threats
- Question #570 (Information Security Incident Management)
  An organization's automated security monitoring tool generates an excessively large amount of false positives. Which of the following is the BEST method to optimize the monitoring...
  Tags: Security Monitoring, False Positives, System Tuning, Security Operations
- Question #571 (Information Security Program Development and Management)
  Which of the following BEST contributes to establishing an information security culture within an organization?
  Tags: Information security culture, Security awareness, Security training, Behavioral security
- Question #572 (Information Security Governance)
  Which of the following BEST indicates that an organization has a mature security culture?
  Tags: Security Culture, Senior Management Support, Information Security Governance, Security Program Effectiveness
- Question #573 (Information Risk Management)
  Which of the following is the BEST course of action after management has reviewed identified risk and determines the risk is below the defined risk appetite?
  Tags: Risk appetite, Risk treatment options, Risk acceptance
- Question #574 (Information Security Program Development and Management)
  An organization is looking to incorporate DevSecOps practices to enhance the security of applications used for processing large volumes of data. Which of the following is the BEST...
  Tags: DevSecOps, Application Security, CI/CD Security, Secure SDLC
- Question #575 (Information Security Governance)
  The PRIMARY reason for establishing a data classification scheme is to identify:
  Tags: Data Classification, Security Controls, Information Protection, Information Asset Management
- Question #576 (Information Security Program Development and Management)
  What is the BEST way to verify the effectiveness of a newly implemented firewall?
  Tags: Firewall, Security Testing, Penetration Testing, Control Effectiveness
- Question #577 (Information Security Risk Management)
  A vulnerability assessment reveals endpoints have unapproved open ports. Which of the following should the information security manager do FIRST?
  Tags: Vulnerability Management, Risk Assessment, Impact Analysis, Security Management
- Question #578 (Information Security Risk Management)
  Which of the following is MOST important to emphasize when presenting cyberattack information to gain senior management support for control enhancements?
  Tags: Residual Risk, Risk Communication, Senior Management Engagement, Security Control Justification
- Question #579 (Information Security Risk Management)
  The department head of application development has decided to accept the risks identified in a recent assessment. No recommendations will be implemented, even though the recommenda...
  Tags: risk acceptance, regulatory non-compliance, escalation, ISM responsibilities
- Question #580 (Information Security Risk Management)
  Which of the following provides the BEST indication of the return on information security investment?
  Tags: Return on Security Investment (ROSI), Annualized Loss Expectancy (ALE), Risk Management Metrics, Security Program Effectiveness
- Question #581 (Information Security Risk Management)
  When conducting a post-implementation review for a security investment, it is MOST important to determine whether the investment:
  Tags: Post-implementation review, Security investment, Risk reduction, Performance measurement
- Question #582 (Information Security Governance)
  Which of the following BEST informs the design of an information security framework?
  Tags: Information Security Framework Design, Risk Appetite, Information Security Governance, Security Program Development
- Question #583 (Information Security Incident Management)
  Which of the following is the MOST important consideration when developing an incident classification approach?
  Tags: Incident Classification, Risk Alignment, Incident Management Process
- Question #584 (Information Security Risk Management)
  A small organization needs to use a solution that is out of support in order to meet business objectives. Which of the following is the information security manager's BEST course o...
  Tags: Risk Mitigation, Compensating Controls, Unsupported Systems, Risk Management Strategies
- Question #585 (Information Security Governance)
  The executive management of a domestic organization has announced plans to expand operations to multiple international locations. Which of the following should be the information s...
  Tags: Legal & Regulatory Compliance, International Expansion, Strategic Planning, Information Security Governance Fundamentals
- Question #586 (Information Security Program Development and Management)
  Which of the following is MOST likely to require an organization to update its information security program?
  Tags: Information Security Program, Program Management, Compliance, Regulatory Requirements
- Question #587 (Information Security Incident Management)
  Which of the following activities would provide the MOST assurance that a disaster recovery plan (DRP) meets an organization's requirements?
  Tags: DRP Testing, Disaster Recovery, Assurance, Tabletop Exercises
- Question #588 (Information Security Risk Management)
  A new risk has been identified in a high availability system. The BEST course of action is to:
  Tags: Risk Assessment, Risk Prioritization, Risk Management Process
- Question #589 (Information Security Governance)
  Which of the following is the MOST effective way to involve relevant stakeholders in information security initiatives?
  Tags: Stakeholder involvement, Information security governance, Steering committee, Program management
- Question #590 (Information Security Governance)
  An organization has an ongoing security awareness training program. Employee participation has been decreasing over the year, while the number of malware and phishing incidents fro...
  Tags: Security Awareness Program, Program Effectiveness, Senior Management Communication, Information Security Governance
- Question #591 (Information Security Program Development and Management)
  An information security manager has become aware that system administrators are not changing server administrator accounts from the default usernames. A policy has been created and...
  Tags: Policy Communication, Policy Implementation, Information Security Policy
- Question #592 (Information Security Risk Management)
  Which of the following is the MOST valuable input for determining the approach to implement an organization's security strategy?
  Tags: Security Strategy, Risk Environment, Strategic Planning Inputs, Risk Assessment
- Question #593 (Information Security Program Development and Management)
  Which of the following is MOST important for the development of an information security strategy?
  Tags: Information Security Strategy, Strategy Development, Security Requirements, Strategic Planning
- Question #594 (Information Security Risk Management)
  Which of the following provides an information security manager with the MOST useful information on new threats and emerging risks that could impact business objectives?
  Tags: Threat Intelligence, Emerging Risks, Risk Identification, Threat Monitoring
- Question #595 (Information Security Governance)
  Which of the following is the BEST way to communicate the importance of the security program to executive leadership?
  Tags: Executive Communication, Business Alignment, Security Program Strategy, Value Proposition
- Question #596 (Information Security Incident Management)
  Which of the following BEST enables an organization to identify and contain security incidents?
  Tags: Security Incident Management, Incident Detection, Incident Containment, Continuous Monitoring
- Question #597 (Information Security Risk Management)
  Which of the following is the MOST critical activity for an information security manager to perform periodically throughout the term of a contract with an outsourced third party?
  Tags: Third-party risk management, Vendor risk assessment, Outsourcing security, Continuous monitoring
- Question #598 (Information Security Governance)
  Of the following, who should be PRIMARILY responsible for ensuring the information security policy is executed according to corporate objectives?
  Tags: Information Security Governance, Senior Management Accountability, Roles and Responsibilities, Policy Execution
- Question #599 (Information Security Risk Management)
  During the selection of a Software as a Service (SaaS) vendor for a business process, the vendor provides evidence of a globally accepted information security certification. Which...
  Tags: Third-party risk management, Vendor security assessment, SaaS security, Certification scope
- Question #600 (Information Security Program Development and Management)
  Which of the following is the BEST method to ensure compliance with password standards?
  Tags: Password management, Compliance enforcement, Automated security controls, Access control