CISM Exam Questions
989 real CISM exam questions with expert-verified answers and explanations. Page 9 of 20.
- Question #401 (Information Security Program Development and Management)
A financial company is using mission critical software. Due to technical limitations, several individuals share one administrator account. In this situation it is MOST important fo...
Tags: Privileged Access Management, Access Control, Accountability, Information Security Program Management
- Question #402 (Information Security Incident Management)
An incident response policy should include:
Tags: Incident Response Policy, Notification Requirements, Incident Management, Policy Components
- Question #403 (Information Security Program Development and Management)
Which of the following should be the information security manager's FIRST step to address a trend of new vulnerabilities appearing in an internally-developed application?
Tags: Change Management, SDLC Security, Vulnerability Management, Process Effectiveness
- Question #404 (Information Security Risk Management)
Which of the following BEST reduces the risk to an organization from advanced persistent threats (APTs)?
Tags: Advanced Persistent Threats (APTs), Defense in Depth, Risk Mitigation, Security Strategy
- Question #405 (Information Security Program Development and Management)
An information security manager has been hired to fix a failed security program. What is the FIRST step when preparing an information security plan for executive management?
Tags: Security program planning, Current state assessment, Security program management
- Question #406 (Information Security Governance)
When supporting a large corporation's board of directors in the development of governance, which of the following is the PRIMARY function of the information security manager?
Tags: Information Security Governance, Board of Directors, ISM Role, Strategic Advisory
- Question #407 (Information Security Incident Management)
A security operations center (SOC) indicated that a system has been infected by malware and the IT department promptly moved the infected system to an isolated network. Which of th...
Tags: Incident Response, Malware, Impact Assessment, Containment
- Question #408 (Information Security Program Development and Management)
Which of the following is a fundamental principle for controlling access within a Zero Trust security model?
Tags: Zero Trust, Access Control, Authentication, Security Models
- Question #409 (Information Security Risk Management)
An organization engages many different service providers. With limited resources, which of the following would be the BEST way to help ensure each service provider receives an appr...
Tags: Third-party risk management, Vendor risk assessment, Due diligence, Risk-based approach
- Question #410 (Information Security Risk Management)
Which of the following is MOST important for an information security manager to consider when reviewing a security investment plan?
Tags: Security Investment, Risk Management, Threat Assessment, Vulnerability Assessment
- Question #411 (Information Security Risk Management)
A business unit has designed a mobile app to provide services to customers. Which of the following is an information security manager's BEST approach when the business resists impl...
Tags: Risk Communication, Stakeholder Management, Password Policies, Security vs. Usability
- Question #412 (Information Security Incident Management)
Which of the following should be the PRIMARY focus when activating a disaster recovery plan (DRP)?
Tags: Disaster Recovery, DRP Activation, Critical Service Restoration, Business Continuity
- Question #413 (Information Security Incident Management)
Which of the following BEST enables an organization to improve its incident response plan?
Tags: Incident Response Plan, Lessons Learned, Continuous Improvement, Incident Management
- Question #414 (Information Security Risk Management)
An organization engages a third-party vendor to monitor and support a financial application under scrutiny by regulators. Which of the following controls would MOST effectively man...
Tags: Third-party risk management, Vendor contracts, Risk mitigation, Compliance
- Question #415 (Information Security Incident Management)
Which of the following provides the MOST comprehensive insight into ongoing threats facing an organization?
Tags: SIEM, Threat Detection, Security Monitoring, Log Analysis
- Question #416 (Information Security Governance)
Which of the following BEST demonstrates the alignment of information security governance with corporate governance?
Tags: Information Security Governance, Corporate Governance, Reporting Integration, Strategic Alignment
- Question #417 (Information Risk Management)
Which of the following is MOST useful for providing senior management an overview of information risk that may impact the organization?
Tags: Risk register, Risk communication, Information risk management, Management reporting
- Question #418 (Information Security Incident Management)
An information security manager has been notified about a compromised endpoint device. Which of the following is the BEST course of action to prevent further damage?
Tags: Incident Response, Containment, Endpoint Security, Immediate Action
- Question #419 (Information Security Program Development and Management)
Which of the following BEST helps to reduce system configuration errors?
Tags: Configuration Management, Security Baselines, System Hardening, Error Reduction
- Question #420 (Information Security Program Development and Management)
Which of the following is the GREATEST benefit of business continuity plan (BCP) testing?
Tags: Business Continuity Planning (BCP), BCP Testing, Recovery Management, Plan Validation
- Question #421 (Information Security Risk Management)
A software bug reported by external sources should trigger which of the following processes to assess the affected applications?
Tags: Vulnerability management, Software bugs, Application assessment, External reports
- Question #422 (Information Security Governance)
Which of the following is MOST important for obtaining senior management commitment for an updated information security strategy following the identification of new risk?
Tags: Senior Management Commitment, Risk Communication, Business Impact Analysis, Information Security Strategy
- Question #423 (Information Security Risk Management)
Which of the following is the MOST important goal when analyzing controls to address a specific vulnerability?
Tags: Risk Management Goal, Control Analysis, Acceptable Risk, Risk Treatment
- Question #424 (Information Security Incident Management)
Which of the following actions is MOST important to perform following a post-incident review to ensure similar incidents are not repeated?
Tags: Post-incident review, Incident prevention, Control redesign, Continuous improvement
- Question #425 (Information Security Incident Management)
Which of the following BEST enables an information security manager to determine the organization's level of incident management readiness?
Tags: Incident Management Readiness, Tabletop Exercises, Incident Response Testing, Security Operations
- Question #426 (Information Security Incident Management)
Which of the following is CRITICAL for an organization to escalate security incidents appropriately?
Tags: Incident Escalation, Incident Classification, Incident Categorization, Incident Response Process
- Question #427 (Information Security Governance)
Which of the following BEST indicates misalignment of security policies with business objectives?
Tags: Security Policy, Policy Alignment, Business Objectives, Policy Exceptions
- Question #428 (Information Security Governance)
Which of the following is MOST important to include in information security program reporting to the board of directors?
Tags: Board reporting, Information security governance, Risk communication, Enterprise risk management
- Question #429 (Information Security Risk Management)
Which of the following is the GREATEST potential risk associated with an organization's use of public AI tools?
Tags: AI Security, Data Exposure, Sensitive Information, Risk Identification
- Question #430 (Information Security Governance)
Which of the following has the GREATEST impact on the success of an information security roadmap?
Tags: Management Support, Information Security Roadmap, Strategic Planning, Governance
- Question #431 (Information Security Program Development and Management)
An organization plans to offer clients a new service that is subject to regulations. What should the organization do FIRST when developing a security strategy in support of this ne...
Tags: Security strategy development, New service security, Gap analysis, Regulatory compliance
- Question #432 (Information Security Governance)
Of the following, who is BEST positioned to assume ownership of a security control to prevent fraudulent activity?
Tags: Control ownership, Roles and responsibilities, Fraud prevention, Process management
- Question #433 (Information Security Risk Management)
Which of the following approaches BEST enables effective decision-making on risk treatment options?
Tags: Risk Treatment, Risk Decision Making, Qualitative Risk Analysis, Quantitative Risk Analysis
- Question #434 (Information Security Risk Management)
Which of the following BEST enables an organization to continuously assess the information security risk posture?
Tags: Risk Management, Key Risk Indicators, Continuous Monitoring, Risk Posture
- Question #435 (Information Security Program)
Which of the following is the PRIMARY purpose of monitoring social media as part of the information security program?
Tags: Social Media Security, Information Disclosure, Security Monitoring, Data Loss Prevention
- Question #436 (Information Security Governance)
Which of the following BEST contributes to a strong information security culture within an organization?
Tags: Information Security Culture, Leadership Buy-in, Security Governance, Organizational Culture
- Question #437 (Information Security Risk Management)
Which of the following is the BEST course of action when using a web application that has known vulnerabilities?
Tags: Risk Mitigation, Security Controls, Web Application Firewall, Vulnerability Management
- Question #438 (Information Security Incident Management)
Which of the following is the MOST important consideration when responding to an incident?
Tags: Incident Response, Incident Recovery, Business Continuity, Prioritization
- Question #439 (Information Security Program Development and Management)
What is the BEST way to identify noncompliance with password policies?
Tags: Password policies, Compliance assessment, Internal audit, Security program evaluation
- Question #440 (Information Security Governance)
An organization's main product is a customer-facing application delivered using Software as a Service (SaaS). The lead security engineer has just identified a major security vulner...
Tags: Risk accountability, Data ownership, Cloud security governance, Roles and responsibilities
- Question #441 (Information Security Program Development and Management)
Which of the following is the BEST way for an information security manager to ensure security controls effectively address new vulnerabilities?
Tags: Security control review, Control effectiveness, Vulnerability management, Information security program management
- Question #442 (Information Security Program Development and Management)
Which of the following is MOST important to have in place when conducting a security control assessment of a system?
Tags: Security control assessment, Assurance test plan, Control testing, Security program management
- Question #443 (Information Security Governance)
Which of the following is the PRIMARY benefit of assigning control ownership to specific individuals?
Tags: Control Ownership, Accountability, Risk Mitigation, Information Security Governance
- Question #444 (Information Security Governance)
Which of the following communicates the MOST meaningful information regarding the state of the information security program to the board and executives?
Tags: Information security governance, Risk communication, Executive reporting, Board oversight
- Question #445 (Information Security Governance)
Which of the following information security activities is MOST helpful to support compliance with information security policy?
Tags: Management Commitment, Policy Compliance, Information Security Governance, Program Effectiveness
- Question #446 (Information Security Incident Management)
Which of the following should be the FIRST step after identifying a potential security breach at a cloud service provider?
Tags: Cloud Security, Incident Response, Incident Validation, Cloud Provider Management
- Question #447 (Information Security Program Development and Management)
Which of the following would be the BEST indicator that a recently implemented security awareness training has been effective?
Tags: Security Awareness Training, Effectiveness Measurement, Security Incident Reporting, Security Program Metrics
- Question #448 (Information Security Program Development and Management)
Which of the following is the BEST indication of an effective information security program?
Tags: Information Security Program Effectiveness, Risk Acceptance, Program Goals
- Question #449 (Information Security Incident Management)
The PRIMARY goal of the incident eradication phase is to:
Tags: Incident Management, Incident Response Phases, Eradication Phase, Breach Mitigation
- Question #450 (Information Security Governance)
Which of the following is the PRIMARY reason to present a business case for an information security initiative to senior management?
Tags: Business Case, Strategic Alignment, Senior Management Buy-in, Information Security Governance