CISM Exam Questions
989 real CISM exam questions with expert-verified answers and explanations. Page 7 of 20.
- Question #301 (Information Security Incident Management)
  Which of the following groups is BEST positioned to consult on a communication plan directed towards satisfying a regulatory requirement when an incident occurs?
  Tags: Incident communication, Regulatory compliance, Legal counsel, Incident response planning
- Question #302 (Information Security Governance)
  Information security policies should PRIMARILY reflect alignment with:
  Tags: Information Security Policies, Security Governance, Management Intent, Policy Development
- Question #303 (Information Security Risk Management)
  For an application hosted in a public cloud, which of the following controls is MOST critical for the confidentiality of stored data?
  Tags: Data Confidentiality, Encryption, Cloud Security, Security Controls
- Question #304 (Information Security Governance)
  Which of the following roles should be PRIMARILY responsible for assigning sensitivity levels to an organization's information assets?
  Tags: Data owner, Roles and responsibilities, Information asset classification, Data sensitivity
- Question #305 (Information Security Incident Management)
  Which of the following would BEST help to determine incident response readiness?
  Tags: Incident Response Readiness, Tabletop Exercises, Incident Management Testing, Readiness Assessment
- Question #306 (Information Security Governance)
  Which of the following is the PRIMARY benefit of considering an organization's culture when establishing its security posture?
  Tags: Organizational culture, Security program alignment, Business value integration, Information security governance
- Question #307 (Information Security Program Development and Management)
  Which of the following is the BEST approach for an information security manager when developing new information security policies?
  Tags: Policy Development, Information Security Policies, Industry Standards, Security Frameworks
- Question #308 (Information Security Program Development and Management)
  Which of the following is the BEST indication that an organization's phishing awareness training is a success?
  Tags: Phishing Awareness Training, Security Awareness Program, Training Effectiveness Metrics, User Behavior
- Question #309 (Information Security Incident Management)
  An organization is evaluating mobile device management (MDM) software for use in a bring your own device (BYOD) environment. The MOST important feature of the MDM software would be...
  Tags: MDM, BYOD, Remote Wipe, Data Protection
- Question #310 (Information Security Governance)
  Which of the following BEST indicates an organization's information security posture?
  Tags: Information Security Posture, Security Controls Audit, Assurance, Security Program Effectiveness
- Question #311 (Information Security Incident Management)
  Which of the following activities is MOST appropriate to conduct during the eradication phase of a cyber incident response?
  Tags: Incident Response, Eradication Phase, Vulnerability Management, Cyber Incident Management
- Question #312 (Information Security Incident Management)
  Which of the following will BEST enable an organization to meet incident response requirements when outsourcing its incident response function?
  Tags: Incident Response Outsourcing, Service Level Agreements (SLAs), Contract Management, Performance Metrics
- Question #313 (Information Security Risk Management)
  When taking a risk-based approach to vulnerability management, which of the following is MOST important to consider when prioritizing a vulnerability?
  Tags: Risk management, Vulnerability management, Risk prioritization, Asset sensitivity
- Question #314 (Information Security Risk Management)
  Which of the following provides the BEST assurance of a security control's effectiveness?
  Tags: Security Control Effectiveness, Assurance Methods, Independent Verification
- Question #315 (Information Security Incident Management)
  Which of the following is CRITICAL to ensure the appropriate stakeholder makes decisions during a cybersecurity incident?
  Tags: Incident Management, Stakeholder Communication, Decision Making, Incident Response
- Question #316 (Information Security Governance)
  Which of the following should be the PRIMARY expectation of management when an organization introduces an information security governance framework?
  Tags: Information Security Governance Framework, Strategy Execution, Management Expectations, Organizational Objectives
- Question #317 (Information Security Incident Management)
  Which of the following is the MOST important component of the containment phase of an incident response plan?
  Tags: Incident Response Plan, Containment Phase, Incident Playbooks, Incident Management
- Question #318 (Information Security Governance)
  Which of the following should an information security manager do FIRST when a security standard hinders the achievement of an identified business objective?
  Tags: Security-business alignment, Business objectives, Security standards, Governance
- Question #319 (Information Security Governance)
  When adopting an information security framework, it is MOST important to select controls that:
  Tags: Information Security Frameworks, Security Control Selection, Business Alignment, Information Security Governance
- Question #320 (Information Security Risk Management)
  Which of the following is the MOST important consideration when assigning risk and control ownership?
  Tags: Risk ownership, Control ownership, Accountability, Capability
- Question #321 (Information Security Incident Management)
  During a post-incident review, it was determined that a known vulnerability was exploited in order to gain access to a system. The vulnerability was patched as part of the remediat...
  Tags: Incident Response, Vulnerability Management, Post-Incident Review, Remediation
- Question #322 (Information Risk Management)
  A company has purchased a rival organization and is looking to align security strategies. Which of the following issues is MOST important to address?
  Tags: Data Classification, M&A Security, Information Asset Protection, Risk Prioritization
- Question #323 (Information Security Program)
  The PRIMARY benefit of integrating information security activities into change management processes is to:
  Tags: Change Management, Security Controls, Process Integration, Information Security Program
- Question #324 (Information Security Program Development and Management)
  Which of the following is the MOST important objective of an IT acceptable use policy?
  Tags: Acceptable Use Policy, Policy Objectives, Information Security Policy, User Expectations
- Question #325 (Information Security Risk Management)
  A cross-functional leadership team met to review and approve a disaster recovery plan (DRP) that was recently updated due to changes in business processes and underlying system arc...
  Tags: Disaster Recovery Planning, Business Continuity Management, Criticality Assessment, Risk Identification
- Question #326 (Information Security Program Development and Management)
  Which of the following is MOST important to include in a social media policy?
  Tags: Social media policy, Acceptable use policy, Policy development, Information security policies
- Question #327 (Information Security Program Development and Management)
  Which of the following should be the PRIMARY consideration when designing an organization's information security awareness and training program?
  Tags: Security Awareness, Security Training, Security Culture, Program Design
- Question #328 (Information Security Incident Management)
  An information security manager has confirmed the organization's cloud provider has unintentionally published some of the organization's business data. Which of the following shoul...
  Tags: Incident Response, Data Breach, Cloud Security, Security Incident Management
- Question #329 (Information Security Risk Management)
  Which of the following BEST mitigates risk associated with an increase in brute force attacks on critical internet-facing systems?
  Tags: Brute-force mitigation, Multi-factor authentication, Access control, Risk mitigation
- Question #330 (Information Security Risk Management)
  Which of the following is the BEST way to help ensure an organization's risk appetite will be considered as part of the risk treatment process?
  Tags: Risk Appetite, Risk Treatment, Governance Oversight, Decision Making
- Question #331 (Information Security Risk Management)
  What is the BEST way to address the risk of residual data on hardware being incorrectly disposed of by a cloud service provider?
  Tags: Cloud Security, Data Destruction, Third-Party Risk, Contract Management
- Question #332 (Information Security Risk Management)
  The MOST important input for determining the severity of an incident is provided by the organization's:
  Tags: Incident Severity, Risk Evaluation, Impact Assessment, Risk Management
- Question #333 (Information Security Risk Management)
  An organization has determined that fixing a security vulnerability in a critical application is too costly to be feasible, but the impact is material to the business. Which of the...
  Tags: Risk treatment, Compensating controls, Risk mitigation, Risk acceptance
- Question #334 (Information Security Incident Management)
  Which of the following is the MOST appropriate response to a highly sophisticated new ransomware threat?
  Tags: Ransomware, Data Recovery, Immutable Backups, Cyber Resilience
- Question #335 (Information Security Program Development and Management)
  An organization is selecting security metrics to measure security performance, and a firewall specialist suggests tracking the number of external attacks blocked by the firewalls....
  Tags: Security Metrics, Performance Measurement, Threat Profile, Risk Indicators
- Question #336 (Information Security Program Development and Management)
  An access rights review revealed that some former employees' access is still active. Once the access is revoked, which of the following is the BEST course of action to help prevent...
  Tags: Access Management, Offboarding, Preventive Controls, HR Security
- Question #337 (Information Security Risk Management)
  Which of the following devices, when placed in a demilitarized zone (DMZ), would be considered the MOST significant exposure?
  Tags: DMZ, Risk Assessment, Network Security, Data Exposure
- Question #338 (Information Security Incident Management)
  Which types of controls are MOST useful during the eradication process after a cyberattack has been contained?
  Tags: Incident Management, Eradication Phase, Corrective Controls, Security Controls
- Question #339 (Information Security Risk Management)
  Which of the following is the BEST method for determining whether new risks exist in legacy systems?
  Tags: Risk assessment, Risk identification, Legacy systems, Information security risk management
- Question #340 (Information Security Program)
  Which of the following is the PRIMARY goal of an information security program?
  Tags: Information Security Program, Program Objectives, Asset Protection, Security Goals
- Question #341 (Information Security Incident Management)
  A disaster recovery plan (DRP) is MOST likely to be activated in response to which of the following?
  Tags: Disaster Recovery Plan, DRP Activation, Business Continuity, IT Disruption
- Question #342 (Information Security Governance)
  Which of the following will be MOST useful for obtaining senior management approval for funding a new security initiative?
  Tags: Business Case, Funding Approval, Senior Management Buy-in, Security Program Governance
- Question #343 (Information Security Program Development and Management)
  Motivating employees to fulfill their security responsibilities is BEST accomplished through:
  Tags: Security awareness, Security training, Employee motivation, Security culture
- Question #344 (Information Security Risk Management)
  The PRIMARY reason to establish a business continuity plan (BCP) is to create a strategy to:
  Tags: Business Continuity Plan (BCP), Operational Resilience, Critical Business Functions, Risk Mitigation
- Question #345 (Information Security Incident Management)
  Which of the following is the MOST important factor to consider when categorizing the severity of information security incidents?
  Tags: Incident Severity, Business Impact, Incident Management, Incident Prioritization
- Question #346 (Information Security Risk Management)
  An organization would like to invest in a new emerging technology. Which of the following is MOST important for the information security manager to consider when evaluating its imp...
  Tags: Technology evaluation, Vulnerability assessment, Risk identification, Emerging technology security
- Question #347 (Information Security Risk Management)
  Which of the following is the MOST important objective for conducting a business impact analysis (BIA)?
  Tags: Business Impact Analysis, Asset Criticality, Business Continuity
- Question #348 (Information Security Incident Management)
  A possible breach of an organization's IT system is reported by a project manager. Which of the following should the information security manager do FIRST?
  Tags: Incident Response, Incident Identification, Incident Confirmation, First Responder Actions
- Question #349 (Information Security Risk Management)
  When designing security controls, it is MOST important to:
  Tags: Security Controls, Risk Management, Control Design, Risk-based Approach
- Question #350 (Information Security Incident Management)
  In the event of an information security incident, which of the following would be MOST helpful in ensuring consistent and accurate information is communicated to the public?
  Tags: Incident Communication, Incident Response Planning, Public Relations, Cross-functional Coordination