CISM Exam Questions
989 real CISM exam questions with expert-verified answers and explanations. Page 5 of 20.
- Question #201 (Information Security Governance)
  Which of the following is the MOST important reason to ensure information security is aligned with the organization's strategy?
  Tags: Information Security Governance, Strategic Alignment, Risk Management Optimization, Business Objectives
- Question #202 (Information Security Governance)
  An organization has updated its business goals in the middle of the fiscal year to respond to changes in market conditions. Which of the following is MOST important for the informa...
  Tags: Security Strategy, Business Alignment, Strategic Planning, Security Governance
- Question #203 (Information Security Risk Management)
  Of the following, who is BEST suited to own the risk discovered in an application?
  Tags: Risk ownership, Roles and responsibilities, System owner, Application security
- Question #204 (Information Security Risk Management)
  A penetration test was conducted by an accredited third party. Which of the following should be the information security manager's FIRST course of action?
  Tags: Penetration Testing, Risk Assessment, Vulnerability Management, Security Management
- Question #205 (Information Security Governance)
  Which of the following is the MOST important consideration when investing in information security improvement initiatives?
  Tags: Risk Appetite, Security Investment, Information Security Governance, Strategic Decision Making
- Question #206 (Information Security Governance)
  To help users apply appropriate controls related to data privacy regulation, what is MOST important to communicate to the users?
  Tags: Data privacy, Data classification, User awareness, Information handling policy
- Question #207 (Information Risk Management)
  What should be used to determine whether an information asset should be protected with multi-layered security?
  Tags: Asset classification, Information protection, Security controls, Multi-layered security
- Question #208 (Information Security Risk Management)
  An information security manager is considering options for protecting the data on a web-facing legacy application that cannot be patched. Which of the following would provide the B...
  Tags: Compensating controls, Security testing, Penetration testing, Legacy systems security
- Question #209 (Information Security Risk Management)
  When analyzing the emerging risk and threat landscape, an information security manager should FIRST:
  Tags: Threat Analysis, Risk Assessment, Asset Identification, Emerging Risks
- Question #210 (Information Security Risk Management)
  An organization is in the process of selecting a third party to process customer information. Which of the following provides the BEST evidence that the third party's controls will...
  Tags: Third-party risk management, Vendor due diligence, Control assurance, Independent assessments
- Question #211 (Information Security Incident Management)
  Which of the following should be given the HIGHEST priority during recovery after a cybersecurity incident?
  Tags: Incident recovery, System restoration, Business continuity, Prioritization
- Question #212 (Information Security Incident Management)
  Post-incident analysis of a recent security incident revealed that although the incident was identified in a timely manner, assigning it to the correct team took longer than expect...
  Tags: Incident Management, Incident Triage, Process Improvement
- Question #213 (Information Security Incident Management)
  Which of the following is the BEST indicator of a successful intrusion into an organization's systems?
  Tags: Intrusion detection, Incident indicators, Security monitoring, Compromise detection
- Question #214 (Information Security Risk Management)
  An information security manager performs a gap analysis and discovers several information security program components missing. Which of the following should be done NEXT as a resul...
  Tags: Gap analysis, Risk assessment process, Security program management, Control identification
- Question #215 (Information Security Governance)
  Which of the following is MOST important to the effectiveness of an information security steering committee?
  Tags: Information security governance, Steering committee, Organizational structure, Committee effectiveness
- Question #216 (Information Security Risk Management)
  Data entry functions for a web-based application have been outsourced to a third-party service provider who will work from a remote site. Which of the following issues would be of...
  Tags: Third-party risk management, Secure communication, Data in transit protection, Web application security
- Question #217 (Information Security Program Development and Management)
  Which of the following is MOST important to consider when developing a disaster recovery plan (DRP)?
  Tags: Disaster Recovery Plan (DRP), Business Impact Analysis (BIA), Business Continuity, Planning
- Question #218 (Information Security Incident Management)
  Which of the following techniques should be applied FIRST to limit the impact of a malware incident?
  Tags: Incident Response, Malware Incident, Containment Strategy, System Isolation
- Question #219 (Information Security Governance)
  Which of the following is a PRIMARY reason for senior management to review reports on information security?
  Tags: Senior management oversight, Security program effectiveness, Performance measurement, Information security reporting
- Question #220 (Information Security Risk Management)
  Which of the following is MOST important for an information security manager to regularly report to senior management?
  Tags: Reporting to senior management, Risk communication, Untreated risks, Business impact
- Question #221 (Information Security Incident Management)
  Which of the following processes determines whether an event gets classified as an incident?
  Tags: Incident classification, Triage, Incident handling, Incident response process
- Question #222 (Information Security Incident Management)
  Which of the following is the MOST cost-effective method for assessing an organization's incident response capabilities?
  Tags: Incident Response Testing, Tabletop Exercises, Cost-Effectiveness, Incident Response Assessment
- Question #223 (Information Security Governance)
  Which of the following would BEST ensure that security risk assessment is integrated into the life cycle of major IT projects?
  Tags: Security Risk Assessment, Project Life Cycle Integration, Information Security Governance, Steering Committee
- Question #224 (Information Security Program Development and Management)
  Which of the following is the BEST control for preventing unauthorized device access to an organization's network?
  Tags: Network Access Control, Device Security, Preventative Controls, Authentication
- Question #225 (Information Security Incident Management)
  Which of the following should be the NEXT step after a security incident has been reported?
  Tags: Incident Response Process, Incident Management Lifecycle, Containment
- Question #226 (Incident Management)
  Which of the following is MOST important to ensuring an incident response team has the necessary authorization to perform its role?
  Tags: Incident Response Team, Team Charter, Authorization, Incident Management Planning
- Question #227 (Information Security Governance)
  Which of the following is the BEST source of information for determining when to dispose of data records?
  Tags: Data Retention, Data Disposal, Regulatory Compliance, Information Governance
- Question #228 (Information Security Incident Management)
  Which of the following BEST measures the effectiveness of handling incidents that threaten business operations?
  Tags: Incident Management, Performance Metrics, Mean Time to Resolution, Effectiveness Measurement
- Question #229 (Information Security Program Development and Management)
  An experienced information security manager joins a new organization and begins by conducting an audit of all key IT processes. Which of the following findings about the vulnerabil...
  Tags: Vulnerability Management, Program Effectiveness, Risk Remediation, Security Audit Findings
- Question #230 (Information Security Governance)
  Which of the following BEST defines security requirements for an organization that shares information with a business partner?
  Tags: Third-party security, Contractual agreements, Information sharing
- Question #231 (Information Security Governance)
  Which of the following is the BEST source of information to support an organization's information security vision and strategy?
  Tags: Information Security Architecture, Security Strategy, Governance Framework, Strategic Alignment
- Question #232 (Information Security Governance)
  Which of the following should be senior management's PRIMARY role with regard to information security policies?
  Tags: Information security policies, Senior management responsibility, Policy approval, Governance roles
- Question #233 (Information Security Governance)
  Which of the following is the GREATEST benefit of integrating information security governance into corporate governance?
  Tags: Security Governance, Corporate Governance, Strategic Alignment, Business Value
- Question #234 (Information Security Risk Management)
  An organization decided to move its email to a Software as a Service (SaaS) model. Which of the following would pose the GREATEST security concern?
  Tags: Cloud Security, SaaS, Data Retention Policies, Compliance Risk
- Question #235 (Information Security Incident Management)
  Which of the following BEST enables the restoration of operations after a limited ransomware incident occurs?
  Tags: Ransomware recovery, Backup and restore, Incident recovery, Recovery operations
- Question #236 (Information Security Governance)
  Which of the following provides the BEST evidence that the information security program is aligned to the business strategy?
  Tags: Security program alignment, Business strategy integration, Information security governance, Evidence of alignment
- Question #237 (Information Security Incident Management)
  Which of the following should be done FIRST upon learning that a production web server used by clients has a critical vulnerability?
  Tags: Vulnerability management, Incident response process, Vulnerability validation, Security operations
- Question #238 (Information Security Program Development and Management)
  An organization has experienced a ransomware attack. Which of the following is the BEST course of action to prevent further attacks?
  Tags: Ransomware prevention, Application whitelisting, Preventative controls, Endpoint security
- Question #239 (Information Security Incident Management)
  A hacking group has posted an organization's employee data on social media. What should the information security manager do FIRST?
  Tags: Incident Response, Data Breach, Incident Management Process, First Steps
- Question #240 (Information Security Governance)
  Data classification is PRIMARILY the responsibility of:
  Tags: Data classification, Data owner, Roles and responsibilities, Information governance
- Question #241 (Information Security Risk Management)
  After logging in to a web application, additional authentication is checked at various application points. Which of the following is the PRIMARY reason for such an approach?
  Tags: Authentication, Authorization, Access Control, Data Classification
- Question #242 (Information Security Incident Management)
  Which of the following is the MOST important reason for logging firewall activity?
  Tags: Firewall logging, Incident investigation, Security operations
- Question #243 (Information Security Risk Management)
  Which of the following should an information security manager do FIRST upon learning that a competitor has experienced a ransomware attack?
  Tags: Risk Assessment, Threat Intelligence, Ransomware
- Question #244 (Information Security Incident Management)
  Which of the following is the MOST effective way to detect information security incidents?
  Tags: Incident Detection, Key Risk Indicators (KRIs), Risk Monitoring, Security Monitoring
- Question #245 (Information Security Governance)
  Which of the following is the BEST way to address data availability concerns when outsourcing information security administration?
  Tags: Outsourcing, Service Level Agreements (SLAs), Data Availability, Contract Management
- Question #246 (Information Security Incident Management)
  An organization has been penalized by regulatory authorities for failing to notify them of a major security breach that may have compromised customer data. Which of the following i...
  Tags: Incident communication, Regulatory compliance, Breach notification, Incident response planning
- Question #247 (Information Security Risk Management)
  Which of the following is the BEST way to build a risk-aware culture?
  Tags: Risk culture, Risk awareness, Risk reporting, Employee engagement
- Question #248 (Information Security Risk Management)
  Which of the following should be implemented to BEST reduce the likelihood of a security breach?
  Tags: Security Architecture, Risk Mitigation, Defense in Depth, Preventive Controls
- Question #249 (Information Security Governance)
  Which of the following is the MOST critical consideration when shifting IT operations to an Infrastructure as a Service (IaaS) model hosted in a foreign country?
  Tags: Cloud Computing, Legal Compliance, Data Sovereignty, Foreign Jurisdiction
- Question #250 (Information Security Program Development and Management)
  The PRIMARY purpose of conducting a business impact analysis (BIA) is to determine the:
  Tags: Business Impact Analysis (BIA), Business Continuity Planning (BCP), Disaster Recovery (DR), Recovery Resources