CISM Exam Questions
989 real CISM exam questions with expert-verified answers and explanations. Page 2 of 20.
- Question #51 (Information Security Incident Management)
  Which of the following BEST enables an organization to enhance its incident response plan processes and procedures?
  Tags: Incident Response, Process Improvement, Lessons Learned, Post-Incident Review
- Question #52 (Information Security Risk Management)
  A business impact analysis (BIA) BEST enables an organization to establish:
  Tags: Business Impact Analysis, Business Continuity, Recovery Planning, Restoration Priorities
- Question #53 (Information Security Risk Management)
  Which of the following is MOST important to include in an information security framework?
  Tags: Information Security Framework, Risk Assessment, Security Program Foundation, Risk Management Principles
- Question #54 (Information Security Incident Management)
  When an organization experiences a disruptive event, the business continuity plan (BCP) should be triggered PRIMARILY based on:
  Tags: Business Continuity Plan (BCP), BCP Activation, Outage Management, Recovery Time Objective (RTO)
- Question #55 (Information Security Incident Management)
  Which of the following controls would BEST help to detect a targeted attack exploiting a zero-day vulnerability?
  Tags: Extended Detection and Response (XDR), Zero-Day Exploits, Targeted Attacks, Security Controls
- Question #56 (Information Security Program Development and Management)
  Which of the following is the MOST relevant control to address the integrity of information?
  Tags: Information Integrity, Access Control, CISM Controls, CIA Triad
- Question #57 (Information Security Risk Management)
  What should be the PRIMARY objective of an information classification scheme?
  Tags: Information Classification, Risk Management, Security Controls, Proportionality
- Question #58 (Information Security Risk Management)
  Which of the following is MOST important to consider when prioritizing threats during the risk assessment process?
  Tags: Risk Prioritization, Risk Assessment, Impact Analysis, Threat Management
- Question #59 (Information Security Risk Management)
  Which of the following would BEST fulfill a board of directors' request for a concise overview of information security risk facing the business?
  Tags: Risk Reporting, Executive Communication, Risk Visualization, Information Security Risk
- Question #60 (Information Risk Management)
  Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?
  Tags: Business Impact Analysis (BIA), Asset Criticality, Risk Assessment, Business Continuity
- Question #61 (Information Security Governance)
  An organization wants to integrate information security into its HR management processes. Which of the following should be the FIRST step?
  Tags: Security Integration, HR Processes Security, Business Objectives, Strategic Alignment
- Question #62 (Information Security Incident Management)
  Following a breach where the risk has been isolated and forensic processes have been performed, which of the following should be done NEXT?
  Tags: Incident Response, Recovery Phase, System Rebuild, Patch Management
- Question #63 (Information Security Incident Management)
  Which of the following is MOST important for effective cybersecurity incident management?
  Tags: Incident Management Effectiveness, Incident Detection, Incident Response, Incident Priorities
- Question #64 (Information Security Program Development and Management)
  An organization uses a security standard that has undergone a major revision by the certifying authority. The old version of the standard will no longer be used for organizations w...
  Tags: Security Standards, Compliance Management, Program Management, Regulatory Change
- Question #65 (Information Security Governance)
  Which of the following is the MOST appropriate metric to demonstrate the effectiveness of information security controls to senior management?
  Tags: Security Metrics, Reporting to Management, Risk Quantification, Control Effectiveness
- Question #66 (Information Security Risk Management)
  The MOST effective way to present information security risk to senior management is to highlight:
  Tags: Risk Communication, Senior Management Reporting, Business Impact, Information Security Risk
- Question #67 (Information Security Program Development and Management)
  Within the confidentiality, integrity, and availability (CIA) triad, which of the following activities BEST supports the concept of confidentiality?
  Tags: Confidentiality, CIA Triad, Encryption, Data Protection
- Question #68 (Information Security Risk Management)
  Which of the following should be the PRIMARY objective for creating a culture of security within an organization?
  Tags: Security Culture, Risk Reduction, Information Security Objectives, Security Program
- Question #69 (Information Security Risk Management)
  Which of the following should be updated FIRST when aligning the incident response plan with the corporate strategy?
  Tags: Incident Response Planning, Corporate Strategy Alignment, Risk Response, Information Security Governance
- Question #70 (Information Security Risk Management)
  Which of the following is the MOST effective way to ensure the security of services and solutions delivered by third-party vendors?
  Tags: Third-Party Risk Management, Vendor Security Assurance, Security Control Verification, Service Delivery Security
- Question #71 (Information Security Incident Management)
  Which of the following eradication methods is MOST appropriate when responding to an incident resulting in malware on an application server?
  Tags: Incident Response, Malware Eradication, System Restoration, Recovery
- Question #72 (Information Security Governance)
  Which of the following is MOST important for guiding the development and management of a comprehensive information security program?
  Tags: Information Security Governance, Security Program Development, Strategic Alignment, Program Management
- Question #73 (Information Risk Management)
  Which of the following is the BEST way to ensure data is not co-mingled or exposed when using a cloud service provider?
  Tags: Cloud Security, Data Classification, Data Protection, Vendor Risk Management
- Question #74 (Information Security Governance)
  Before approving the implementation of a new security solution, senior management requires a business case. Which of the following would BEST support the justification for investme...
  Tags: Business Alignment, Strategic Investment, Business Case, Senior Management
- Question #75 (Information Security Governance)
  When an organization implements an information security governance framework, it is MOST important for executive leadership to have a direct role in:
  Tags: Executive Leadership, Information Security Governance, Security Policy, Framework Implementation
- Question #76 (Information Security Governance)
  Which of the following should have the MOST influence on an organization's response to a new industry regulation?
  Tags: Risk Appetite, Regulatory Compliance, Information Security Governance, Strategic Risk Management
- Question #77 (Information Security Program Development and Management)
  Biometrics are BEST used for:
  Tags: Biometrics, Authentication, Access Control, Identity Management
- Question #78 (Information Security Incident Management)
  Predetermined containment methods to be used in a cybersecurity incident response should be based PRIMARILY on the:
  Tags: Incident Response, Containment Strategy, Incident Classification, Cybersecurity Incident
- Question #79 (Information Security Risk Management)
  Which of the following is the PRIMARY objective of information asset classification?
  Tags: Information Asset Classification, Risk Management, Asset Management, Security Objectives
- Question #80 (Information Security Risk Management)
  Management would like to understand the risk associated with engaging an Infrastructure-as-a-Service (IaaS) provider compared to hosting internally. Which of the following would p...
  Tags: Risk Assessment Methodology, Risk Comparison, Likelihood and Impact, Cloud Security Risk
- Question #81 (Information Security Program Development and Management)
  Which of the following is the PRIMARY reason to regularly update business continuity and disaster recovery documents?
  Tags: Business Continuity, Disaster Recovery, BCDR Maintenance, Operational Resilience
- Question #82 (Information Security Risk Management)
  Which of the following will have the GREATEST impact on the development of the information classification scheme consisting of various classification levels?
  Tags: Information Classification, Data Classification, Information Value, Security Controls
- Question #83 (Information Security Incident Management)
  To prepare for a third-party forensics investigation following an incident involving malware, the incident response team should:
  Tags: Incident Response, Digital Forensics, Evidence Preservation, Malware Incidents
- Question #84 (Information Security Risk Management)
  Of the following, who should own the risk associated with unauthorized access to application data?
  Tags: Risk Ownership, Roles and Responsibilities, Application Security, Accountability
- Question #85 (Information Security Incident Management)
  The categorization of incidents is MOST important for evaluating which of the following?
  Tags: Incident Categorization, Incident Priority, Risk Severity, Incident Management Process
- Question #86 (Information Security Risk Management)
  An organization learns that a third party has outsourced critical functions to another external provider. Which of the following is the information security manager's MOST importan...
  Tags: Third-Party Risk Management, Fourth-Party Risk, Vendor Agreements, Supply Chain Security
- Question #87 (Information Security Program Development and Management)
  The PRIMARY benefit of using HTTP Secure (HTTPS) is that it provides:
  Tags: HTTPS, Confidentiality, Network Security, Data Protection
- Question #88 (Information Security Program Development and Management)
  An organization provides notebook PCs, cable wire locks, smartphone access, and virtual private network (VPN) access to its remote employees. Which of the following is MOST importa...
  Tags: Acceptable Use Policy, Security Awareness Training, Policy Enforcement, Remote Access Security
- Question #89 (Information Security Governance)
  To improve an organization's information security culture, it is MOST important for senior management to:
  Tags: Information Security Culture, Senior Management Role, Leadership by Example, Tone at the Top
- Question #90 (Information Security Risk Management)
  Which of the following BEST illustrates residual risk within an organization?
  Tags: Residual Risk, Risk Reporting, Risk Visualization, Risk Heat Map
- Question #91 (Information Security Governance)
  Which of the following is the MOST effective way to determine the alignment of an information security program with the business strategy?
  Tags: Strategic Alignment, Information Security Governance, Stakeholder Engagement, Business Value
- Question #92 (Incident Management)
  An organization experienced a loss of revenue during a recent disaster. Which of the following would BEST prepare the organization to recover?
  Tags: Business Continuity Planning, Disaster Recovery, Organizational Resilience, Recovery Planning
- Question #93 (Information Security Governance)
  Which of the following is the MOST important success factor when developing an information security strategy?
  Tags: Information Security Strategy, Executive Buy-in, Governance, Strategic Alignment
- Question #94 (Information Security Incident Management)
  Which of the following BEST demonstrates a security-conscious organizational culture?
  Tags: Organizational Culture, Security Awareness, Incident Reporting, Employee Engagement
- Question #95 (Information Security Risk Management)
  Which of the following is the MOST effective data loss control when connecting a personally owned mobile device to the corporate email system?
  Tags: Mobile Device Security, BYOD, Data Loss Prevention, Encryption
- Question #96 (Information Security Incident Management)
  Which of the following should be the FIRST step when performing triage of a malware incident?
  Tags: Incident Response, Malware Incident, Triage, Containment
- Question #97 (Information Security Program Development and Management)
  Which of the following BEST helps to enable the desired information security culture within an organization?
  Tags: Information Security Culture, Security Awareness Training, Behavioral Security
- Question #98 (Information Security Incident Management)
  Which of the following should be the GREATEST concern for an information security manager when an annual audit reveals the organization's business continuity plan (BCP) has not bee...
  Tags: Business Continuity Plan (BCP), Incident Recovery, Audit Findings, Operational Resilience
- Question #99 (Information Security Program)
  Which of the following is the MOST important goal of an information security program?
  Tags: Information Security Program, Program Goals, Risk Reduction, Objectives
- Question #100 (Information Security Incident Management)
  Which of the following would be MOST effective in reducing the impact of a distributed denial of service (DDoS) attack?
  Tags: DDoS Mitigation, Network Redundancy, Availability, Incident Preparedness