CISM Exam Questions
989 real CISM exam questions with expert-verified answers and explanations. Page 13 of 20.
- Question #601 (Incident Management): Which of the following is the PRIMARY purpose of performing a tabletop exercise?
  Tags: Incident response plan; Tabletop exercises; Plan testing; Incident management
- Question #602 (Information Security Governance): Which of the following should have the MOST influence on the development of information security policies?
  Tags: Information Security Policies; Business Alignment; Security Governance; Strategic Planning
- Question #603 (Information Security Risk Management): Which of the following provides an information security manager with the MOST timely information regarding emerging security threats?
  Tags: Threat intelligence; Emerging threats; Security information sources; Risk management
- Question #604 (Information Security Risk Management): Which of the following is MOST important when determining the value of information during a risk assessment?
  Tags: Information value; Risk assessment; Asset valuation; Tangible and intangible assets
- Question #605 (Information Security Incident Management): A security review identifies that confidential information on the file server has been accessed by unauthorized users in the organization. Which of the following should the informa...
  Tags: Incident response; Unauthorized access; Security incident management; First responder actions
- Question #606 (Information Security Risk Management): In an organization that has an established social media policy, which of the following is the BEST way to reduce the risk associated with personally identifiable information (PII)...
  Tags: Social Media Security; PII Protection; Employee Training; Risk Mitigation
- Question #607 (Information Security Governance): Who is BEST positioned to take ownership of critical IT security risks identified in an application?
  Tags: Risk Ownership; Application Security; Roles & Responsibilities; Information Security Governance
- Question #608 (Information Security Governance): Which of the following is MOST important for an organization to have in place to determine the effectiveness of information security governance?
  Tags: Information Security Governance; Performance Measurement; Security Program Metrics; Effectiveness Assessment
- Question #609 (Information Security Risk Management): At what point should risk ownership be assigned?
  Tags: Risk ownership; Risk identification; Risk management process; Accountability
- Question #610 (Information Security Risk Management): Which of the following is the PRIMARY benefit of a vulnerability scanning tool to an organization?
  Tags: Vulnerability Scanning; Risk Identification; Security Tools; Network Security
- Question #611 (Information Security Incident Management): Which of the following is MOST important to ensure incident management readiness?
  Tags: Incident Management Readiness; Incident Response Testing; Plan Validation; Operational Effectiveness
- Question #612 (Information Security Governance): Which of the following BEST helps to ensure a third-party backup site continues to meet the organization's information security standards?
  Tags: Service level agreements (SLA); Third-party risk management; Vendor management; Contractual agreements
- Question #613 (Information Security Risk Management): Which of the following BEST enables an organization to evaluate the security posture of a cloud service?
  Tags: Cloud Security; Third-Party Risk Management; Vendor Assessment; Security Audits
- Question #614 (Information Security Risk Management): Which of the following should be of GREATEST concern to an information security manager assessing the use of generative AI by the marketing team for content creation?
  Tags: Generative AI Security; Data Leakage; Third-Party Risk Management; Data Confidentiality
- Question #615 (Information Risk Management): An organization plans to implement a new e-commerce operation in a highly regulated market. Which of the following is MOST important to consider when updating the risk management s...
  Tags: Risk management strategy; Regulatory compliance; Highly regulated market; E-commerce risk
- Question #616 (Information Security Incident Management): Which of the following is the BEST way to evaluate the effectiveness of physical and environmental security controls implemented for fire-related disasters?
  Tags: Physical Security Controls; Environmental Security Controls; Disaster Recovery Testing; Fire Safety
- Question #617 (Information Security Incident Management): Which of the following is the PRIMARY goal of the eradication phase of an information security incident response process?
  Tags: Incident Response; Eradication Phase; Incident Management Process
- Question #618 (Information Security Risk Management): Which of the following is the MOST important consideration during the design phase of a business impact analysis (BIA)?
  Tags: Business Impact Analysis (BIA); Business Continuity Planning (BCP); Critical Functions; Risk Assessment
- Question #619 (Information Security Governance): What is the PRIMARY benefit to an organization that maintains an information security governance framework?
  Tags: Information security governance; Risk management; Business alignment; Primary benefit
- Question #620 (Information Security Risk Management): Who has the PRIMARY authority to decide if additional risk treatments are required to mitigate an identified risk?
  Tags: Risk ownership; Risk treatment; Roles and responsibilities; Risk management process
- Question #621 (Information Security Incident Management): As part of incident response activities, the BEST time to begin the recovery process is after:
  Tags: Incident Response Lifecycle; Recovery Phase; Eradication Phase; Incident Management Phases
- Question #622 (Information Security Program): What is the PRIMARY role of the information security program?
  Tags: Information Security Program; Risk Management; Organizational Security; Program Objectives
- Question #623 (Information Security Risk Management): Responsibility for risks associated with which of the following should be shared by both cloud customers and Software as a Service (SaaS) providers?
  Tags: Cloud Security; SaaS; Shared Responsibility Model; Access Management
- Question #624 (Information Security Incident Management): Which of the following is the GREATEST benefit of using AI tools in security operations?
  Tags: AI in Security Operations; Threat Detection; Incident Response; Security Automation
- Question #625 (Information Security Governance): An organization is planning to open a new office in another country. Sensitive data will be routinely sent between the two offices. What should be the information security manager'...
  Tags: Regulatory compliance; International operations; Security policy framework; Legal requirements
- Question #626 (Information Security Program Development and Management): Which of the following security initiatives should be the FIRST step in helping an organization maintain compliance with privacy regulations?
  Tags: Data Classification; Privacy Compliance; Security Program Development; Foundational Controls
- Question #627 (Information Security Program Development and Management): Which of the following is the MOST effective long-term method to educate users about the identification, reporting, and impact of malicious emails?
  Tags: Security Awareness Training; Phishing; User Education; Security Program Effectiveness
- Question #628 (Information Security Governance): Which of the following is the MOST important component of information security governance?
  Tags: Information Security Governance; Security Strategy; Governance Components
- Question #629 (Information Security Risk Management): An information security manager is assessing security risk associated with a cloud service provider. Which of the following is the MOST appropriate reference to consult when perfor...
  Tags: Cloud security; Risk assessment; Security control frameworks; Vendor risk management
- Question #630 (Information Security Program Development and Management): An organization requires that business critical applications be recovered within 30 minutes in the event of a disaster. Which of the following metrics should be defined in the busi...
  Tags: Recovery Time Objective (RTO); Business Continuity Planning; Disaster Recovery; BCP Metrics
- Question #631 (Information Security Incident Management): From a business perspective, the GREATEST benefit of an incident response plan is that it:
  Tags: Incident Response Plan; Business Benefit; Impact Limitation; Disruptive Events
- Question #632 (Information Security Governance): An organization wants to migrate a proprietary application to be hosted by a third-party cloud hosting provider using a Platform as a Service (PaaS) model. Prior to selecting the c...
  Tags: Third-party risk; Regulatory compliance; Cloud PaaS; Vendor selection
- Question #633 (Information Security Incident Management): Which of the following is MOST important when developing an effective ransomware response strategy?
  Tags: Ransomware Response; Backup and Recovery; Incident Management; Data Resilience
- Question #634 (Information Security Incident Management): Which of the following is the GREATEST benefit of classifying information security incidents?
  Tags: Incident Classification; Incident Prioritization; Incident Recovery; Incident Management
- Question #635 (Information Security Incident Management): Which of the following should a newly appointed information security manager do FIRST when evaluating the current incident notification and escalation processes?
  Tags: Incident Response Evaluation; Stakeholder Management; Process Assessment; Incident Notification
- Question #636 (Information Security Governance): Which of the following BEST helps to ensure risk appetite is considered during the risk treatment process?
  Tags: Risk Appetite; Risk Treatment; Risk Management Framework; Information Security Governance
- Question #637 (Information Security Governance): Which of the following would BEST enable a new information security manager to assess the current state of information security governance within the organization?
  Tags: Information Security Governance Assessment; Governance Effectiveness; Security Integration; Organizational Embedding
- Question #638 (Information Security Governance): Which of the following is MOST important to understand when developing information security processes to comply with a global organization's legal requirements?
  Tags: Global Compliance; Legal Requirements; Regulatory Frameworks; Information Security Processes
- Question #639 (Information Security Program Development and Management): For an e-business that requires high availability, which of the following design principles is BEST?
  Tags: High Availability; System Design; Business Continuity; Failover
- Question #640 (Information Security Governance): Which of the following BEST indicates an effective security culture?
  Tags: Security Culture; Business Alignment; Strategic Security; Security Governance
- Question #641 (Information Security Governance): During an information security audit, it was determined that IT staff did not follow the established standard when configuring and managing IT systems. Which of the following is th...
  Tags: Change Control; Configuration Management; Compliance; Preventive Controls
- Question #642 (Information Security Program Development and Management): Which of the following is the MOST effective way to identify weaknesses in security controls?
  Tags: Red Teaming; Security Assessment; Vulnerability Identification; Control Effectiveness
- Question #643 (Information Security Governance): Of the following, who is PRIMARILY responsible for determining an organization's risk appetite and risk tolerance?
  Tags: Risk appetite; Risk tolerance; Governance; Roles and responsibilities
- Question #644 (Information Security Incident Management): Which of the following is the BEST course of action when it is discovered that a server has been infected by malware?
  Tags: Incident Response; Malware; Containment; Network Isolation
- Question #645 (Information Security Risk Management): A policy has been established requiring users to install mobile device management (MDM) software on their personal devices. Which of the following would BEST mitigate the risk crea...
  Tags: MDM; Policy Enforcement; Risk Mitigation; Access Control
- Question #646 (Information Security Program Development and Management): Which of the following should be the PRIMARY focus for an information security manager when reviewing access controls for data stored in an off-premise cloud environment?
  Tags: Access Control; Cloud Security; Least Privilege; Information Security Management
- Question #647 (Information Security Program Development and Management): Which of the following is the MOST important consideration when attempting to create a security-focused culture?
  Tags: Security Culture; Security Awareness; Human Factors; Program Development
- Question #648 (Information Security Program Development and Management): An organization recently activated its business continuity plan (BCP). Employees were notified during the event, but some did not fully follow the communications plan. What is the...
  Tags: Business Continuity Plan (BCP); BCP Testing; Communication Plan; Employee Training
- Question #649 (Incident Management): Which of the following is the BEST way to facilitate alignment between an organization's incident response and its disaster recovery and business continuity plans?
  Tags: Incident Response; Disaster Recovery; Business Continuity; Plan Integration
- Question #650 (Information Security Risk Management): While reviewing a business case, an information security manager has determined that the residual risk will be higher than the organization's risk tolerance. As a result, which of...
  Tags: Risk management; Residual risk; Risk tolerance; Mitigation