CISM Exam Questions
989 real CISM exam questions with expert-verified answers and explanations. Page 3 of 20.
- Question #101 (Information Security Governance): The PRIMARY reason for senior management to monitor information security metrics is to ensure:
  Tags: Information security governance, Metrics, Senior management oversight, Strategic alignment
- Question #102 (Information Security Risk Management): Which of the following is the MOST important reason to perform a privacy impact assessment?
  Tags: Privacy Impact Assessment (PIA), Risk Assessment, Privacy Risk, Data Processing
- Question #103 (Information Security Risk Management): When reporting information security risk to senior management, it is MOST important to include:
  Tags: Residual risk, Risk reporting, Senior management communication, Information security risk management
- Question #104 (Information Security Governance): Which of the following is MOST likely to improve an organization's security culture?
  Tags: Security Culture, Stakeholder Engagement, Security Planning, Information Security Governance
- Question #105 (Information Security Incident Management): Which of the following is MOST important to complete during the recovery phase of an incident response process before bringing affected systems back online?
  Tags: Incident Response, Recovery Phase, System Remediation, Verification
- Question #106 (Information Security Governance): What is the BEST way for an information security manager to improve the effectiveness of risk management in an organization that currently manages risk at the departmental level?
  Tags: Risk Management Integration, Enterprise Risk Management, Common Risk Register, Organizational Risk Strategy
- Question #107 (Information Security Program Development and Management): Which of the following is MOST helpful to an information security manager when determining service level requirements for an outsourced application?
  Tags: Data Classification, Service Level Requirements, Third-Party Risk Management, Outsourced Applications
- Question #108 (Information Security Incident Management): Which of the following is MOST important to consider when planning the eradication of a cyberattack?
  Tags: Incident Response, Eradication, Threat Analysis, Incident Planning
- Question #109 (Information Security Risk Management): Which of the following BEST enables an information security manager to identify changes in the threat landscape due to emerging technologies?
  Tags: Threat Landscape, Emerging Technologies, Risk Assessment, Risk Identification
- Question #110 (Information Security Governance): An enterprise has decided to procure security services from a third-party vendor to support its information security program. Which of the following is MOST important to include in...
  Tags: Vendor management, Third-party risk, Strategic alignment, Service procurement
- Question #111 (Information Security Risk Management): The resilience requirements of an application are BEST determined by:
  Tags: Business Impact Analysis (BIA), Resilience, Business Continuity, Recovery Objectives
- Question #112 (Information Security Incident Management): Which of the following BEST facilitates recovery of data lost as a result of a cybersecurity incident?
  Tags: Data Recovery, Backups, Incident Response
- Question #113 (Information Security Governance): Which of the following is MOST important to the successful implementation of a new information security program?
  Tags: Senior management commitment, Information security governance, Program implementation success, Critical success factors
- Question #114 (Information Security Incident Management): An information security team has confirmed that threat actors are taking advantage of a newly announced critical vulnerability within an application. Which of the following should...
  Tags: Incident Response Plan, Incident Management, First Response, Security Incident
- Question #115 (Information Security Program Development and Management): Which of the following is the MOST important consideration when evaluating the performance of existing security controls?
  Tags: Security control testing, Control performance evaluation, Testing methodology, Program management
- Question #116 (Information Security Program Development and Management): Which of the following metrics BEST demonstrates the effectiveness of an organization's security awareness program?
  Tags: Security Awareness, Security Metrics, Program Effectiveness, Incident Reporting
- Question #117 (Information Risk Management): Who should decide whether a specific control should be changed once risk is approved for mitigation?
  Tags: Control ownership, Risk mitigation, Roles and responsibilities, Information security controls
- Question #118 (Information Security Risk Management): When determining key risk indicators (KRIs) for use in an information security program, it is MOST important to select:
  Tags: Key Risk Indicators (KRIs), Business alignment, Risk management principles, Information security program
- Question #119 (Information Security Program Development and Management): Senior management has requested a budget cut for the information security program in the coming fiscal year. Which of the following should be the information security manager's FIR...
  Tags: Budget management, Program management, Impact analysis, Strategic planning
- Question #120 (Information Security Governance): What is the MOST important consideration when establishing metrics for reporting to the information security strategy committee?
  Tags: Security Metrics, Strategic Reporting, Organizational Culture, Information Security Governance
- Question #121 (Information Security Risk Management): Which of the following presents the GREATEST challenge when assessing the impact of emerging risk?
  Tags: Emerging risk, Risk assessment challenges, Data scarcity, Risk analysis
- Question #122 (Information Security Governance): Which of the following is the MOST useful input for an information security manager when updating the organization's security policy?
  Tags: Security Policy, Risk Appetite, Governance Input
- Question #123 (Information Security Governance): The MOST effective way for an information security manager to secure senior management support for the information security strategy is by:
  Tags: Senior management support, Security strategy communication, Stakeholder management, Management education
- Question #124 (Information Security Risk Management): When engaging an external party to perform a penetration test, it is MOST important to:
  Tags: Penetration testing, Third-party engagement, Project scope, Risk management
- Question #125 (Information Security Program Development and Management): Which of the following is the MOST effective way to convey information security responsibilities across an organization?
  Tags: Security Awareness, Employee Responsibilities, Communication, Security Program Management
- Question #126 (Information Security Risk Management): A financial institution is expanding to international jurisdictions and is mindful of protecting customer information. Which of the following should be of GREATEST concern?
  Tags: Data Privacy, International Compliance, Regulatory Risk, Customer Data Protection
- Question #127 (Information Security Governance): When evaluating cloud storage solutions, the FIRST consideration should be:
  Tags: Data Classification, Cloud Security Evaluation, Policy Alignment, Data Governance
- Question #128 (Information Security Governance): Which of the following is the GREATEST benefit resulting from the introduction of data security standards for payment cards?
  Tags: Data Security Standards, Industry Standards, Holistic Security, Information Asset Protection
- Question #129 (Information Security Governance): Which of the following should an information security manager establish FIRST to ensure security-related activities are adequately monitored?
  Tags: Accountability, Security Monitoring, Information Security Management, Governance
- Question #130 (Information Security Program Development and Management): Which of the following is the BEST approach for data owners to use when defining access privileges for users?
  Tags: Access Control, Role-Based Access Control (RBAC), Data Ownership, Privilege Management
- Question #131 (Information Security Program Development and Management): Which of the following is the BEST control to protect customer personal information that is stored in the cloud?
  Tags: Cloud Security, Data Protection, Encryption, Confidentiality
- Question #132 (Information Security Governance): Which of the following is MOST important to include in an enterprise information security policy?
  Tags: Information Security Policy, Security Objectives, Policy Development, Governance
- Question #133 (Information Security Risk Management): An information security manager wants to upgrade an organization's workstations to a new operating system version. Which of the following would be MOST helpful to gain senior manag...
  Tags: Senior Management Buy-in, Risk-based Decision Making, Business Case Development, Security Upgrade Justification
- Question #134 (Information Security Program Development and Management): Which of the following is MOST important to define when creating information security management metrics?
  Tags: Information Security Metrics, Performance Measurement, Strategic Objectives, Security Program Management
- Question #135 (Information Security Governance): A PRIMARY benefit of adopting an information security framework is that it provides:
  Tags: Information Security Frameworks, Security Controls, Standardization, Security Governance
- Question #136 (Information Security Risk Management): It is MOST important that risk owners understand they are accountable for:
  Tags: Risk Owner, Accountability, Control Effectiveness, Risk Oversight
- Question #137 (Information Security Incident Management): Which of the following is MOST important to include in security incident escalation procedures?
  Tags: Incident escalation, Incident response, Notification criteria
- Question #138 (Information Security Governance): An organization has implemented a new email filter to mitigate risk associated with its email system. Who is BEST suited to be the control owner?
  Tags: Control Ownership, Roles and Responsibilities, Risk Mitigation, Information Security Management
- Question #139 (Information Security Governance): When introducing a new information asset, what is the MOST important responsibility of the asset owner?
  Tags: Information asset owner, Information classification, Asset lifecycle, Security responsibilities
- Question #140 (Information Security Governance): When establishing an information security governance framework, it is MOST important for an information security manager to understand:
  Tags: Information Security Governance Framework, Corporate Culture, Organizational Alignment, Framework Establishment
- Question #141 (Information Security Program Development and Management): When updating the information security policy to accommodate a new regulation, the information security manager should FIRST:
  Tags: Policy management, Regulatory compliance, Gap analysis, Security program management
- Question #142 (Information Security Incident Management): A Software as a Service (SaaS) application has been implemented to support a critical business process. Which of the following is MOST important to include within the service level...
  Tags: SaaS security, Service Level Agreement (SLA), Incident response, Roles and responsibilities
- Question #143 (Information Security Risk Management): Of the following, who is BEST positioned to perform a business impact analysis (BIA)?
  Tags: Business Impact Analysis (BIA), Process Owners, Business Continuity Management (BCM), Risk Assessment
- Question #144 (Information Security Incident Management): Which of the following should be the FIRST consideration for an information security manager after a security incident has been confirmed?
  Tags: Incident Response, Containment Procedures, Incident Management Process
- Question #145 (Information Security Incident Management): Which of the following actions will BEST resolve the root cause of a cyber incident involving unauthorized network access due to a critical vulnerability on a web server?
  Tags: Root Cause Analysis, Incident Remediation, Vulnerability Management, Patch Management
- Question #146 (Information Security Risk Management): Which of the following risk assessment findings for an online-only business should be given the HIGHEST priority to address availability concerns?
  Tags: Risk Assessment, Availability, Risk Prioritization, Business Impact
- Question #147 (Information Security Risk Management): At which stage of business continuity planning is risk identification performed?
  Tags: Business Continuity Planning, Business Impact Analysis, Risk Identification, Risk Assessment
- Question #148 (Information Security Incident Management): Which of the following BEST demonstrates the potential for successful business continuity in the event of a disaster?
  Tags: Business Continuity, Disaster Recovery, Testing and Exercises, BCP/DRP Validation
- Question #149 (Information Security Incident Management): Which of the following is MOST important for the information security manager to confirm when reviewing an incident response plan?
  Tags: Incident Response Plan, Business Impact Analysis, Plan Review, Business Alignment
- Question #150 (Information Security Program Development and Management): When developing a business case for a new security initiative, an information security manager should FIRST:
  Tags: Business Case Development, Security Program Planning, Needs Assessment, Project Initiation