CISM

By isaca
Aug, 2025

Question 1

An information security risk analysis BEST assists an organization in ensuring that:

  • A: the infrastructure has the appropriate level of access control.
  • B: cost-effective decisions are made with regard to which assets need protection.
  • C: an appropriate level of funding is applied to security processes.
  • D: the organization implements appropriate security technologies.

Question 2

Which of the following is the MOST effective way to address an organization's security concerns during contract negotiations with a third party?

  • A: Review the third-party contract with the organization's legal department.
  • B: Communicate security policy with the third-party vendor.
  • C: Ensure security is involved in the procurement process.
  • D: Conduct an information security audit on the third-party vendor.

Question 3

Which of the following would BEST enable effective decision-making?

  • A: Annualized loss estimates determined from past security events
  • B: A universally applied list of generic threats, impacts, and vulnerabilities
  • C: A consistent process to analyze new and historical information risk
  • D: Formalized acceptance of risk analysis by business management

Question 4

Which of the following is the BEST option to lower the cost to implement application security controls?

  • A: Include standard application security requirements.
  • B: Perform security tests in the development environment.
  • C: Perform a risk analysis after project completion.
  • D: Integrate security activities within the development process.

Question 5

Which of the following is the GREATEST benefit of effective information security governance?

  • A: Treatment priorities are based on risk exposure.
  • B: Information security standards are communicated to primary stakeholders.
  • C: The information security budget is aligned to the organization.
  • D: Executive management's strategy is aligned to the information security strategy.

Question 6

The ability to integrate information security governance into corporate governance is PRIMARILY driven by:

  • A: the percentage of corporate budget allocated to the information security program.
  • B: how often information security metrics are presented to senior management.
  • C: how often the information security steering committee reviews and updates security policies.
  • D: how well the information security program supports business objectives.

Question 7

Which of the following presents the GREATEST challenge for protecting Internet of Things (IoT) devices?

  • A: IoT vendor reputation
  • B: IoT architecture diversity
  • C: IoT-specific training
  • D: IoT device policies

Question 8

Which of the following parameters is MOST helpful when designing a disaster recovery strategy?

  • A: Maximum tolerable downtime (MTD)
  • B: Mean time between failures (MTBF)
  • C: Allowable interruption window (AIW)
  • D: Recovery point objective (RPO)

Question 9

An IT service desk was not adequately prepared for a recent ransomware attack on user workstations. Which of the following should be given HIGHEST priority by the information security team when creating an action plan to improve service desk readiness?

  • A: Investing in threat intelligence capability
  • B: Implementing key risk indicators (KRIs) for ransomware attacks
  • C: Updating the information security incident response manual
  • D: Strengthening the organization's data backup capability

Question 10

After a risk has been identified, analyzed, and evaluated, which of the following should be done NEXT?

  • A: Monitor the risk.
  • B: Prioritize the risk for treatment.
  • C: Identify the risk owner.
  • D: Identify controls for risk mitigation.

Question 11

Which of the following will BEST facilitate timely and effective incident response?

  • A: Including penetration test results in incident response planning
  • B: Assessing the risk of compromised assets
  • C: Notifying stakeholders when invoking the incident response plan
  • D: Classifying the severity of an incident

Question 12

Which of the following MOST effectively communicates the current risk profile to senior management after controls are applied?

  • A: Residual risk
  • B: Impact of loss events
  • C: Inherent risk
  • D: Number of risks avoided

Question 13

Which of the following processes should be done NEXT after completing a business impact analysis (BIA)?

  • A: Evaluate the disaster recovery plan (DRP).
  • B: Develop the requirements for the incident response plan.
  • C: Develop a business continuity plan (BCP).
  • D: Identify resources for business recovery.

Question 14

Which of the following has the GREATEST impact on efforts to improve an organization's security posture?

  • A: Well-documented security policies and procedures
  • B: Supportive tone at the top regarding security
  • C: Regular reporting to senior management
  • D: Automation of security controls

Question 15

Which of the following is MOST important to include in an information security policy?

  • A: Maturity levels
  • B: Baselines
  • C: Best practices
  • D: Management objectives

Question 16

Which of the following should an information security manager do FIRST when creating an organization's disaster recovery plan (DRP)?

  • A: Develop response and recovery strategies.
  • B: Identify the response and recovery teams.
  • C: Review the communications plan.
  • D: Conduct a business impact analysis (BIA).

Question 17

Which of the following would be the MOST effective use of findings from a post-incident review?

  • A: Providing input for updates to the incident response plan
  • B: Developing cost reports regarding the incident
  • C: Providing justification for an increase in the incident response plan budget
  • D: Incorporating the results into information security awareness training materials

Question 18

During a post-incident review, it was determined that a known vulnerability was exploited in order to gain access to a system. The vulnerability was patched as part of the remediation on the offending system. Which of the following should be done NEXT?

  • A: Scan to determine whether the vulnerability is present on other systems.
  • B: Review the vulnerability management process.
  • C: Install patches on all existing systems.
  • D: Report the root cause of the vulnerability to senior management.

Question 19

Which of the following is MOST helpful in determining the realization of benefits from an information security program?

  • A: Vulnerability assessments
  • B: Key risk indicators (KRIs)
  • C: Business impact analysis (BIA)
  • D: Key performance indicators (KPIs)

Question 20

During an internal compliance review, the review team discovers that a critical legacy application is unable to meet the organization's mandatory security requirements. Which of the following should be done FIRST?

  • A: Update the risk register.
  • B: Recommend taking the application out of service.
  • C: Implement compensating controls.
  • D: Monitor the application until it can be replaced.

Question 21

Which of the following is the BEST way to improve an organization's ability to detect and respond to incidents?

  • A: Conduct a business impact analysis (BIA).
  • B: Conduct periodic awareness training.
  • C: Perform a security gap analysis.
  • D: Perform network penetration testing.

Question 22

Of the following, who would provide the MOST relevant input when aligning the information security strategy with organizational goals?

  • A: Data privacy officer (DPO)
  • B: Chief information security officer (CISO)
  • C: Information security steering committee
  • D: Enterprise risk committee

Question 23

Which of the following is the PRIMARY role of the information security manager in application development?

  • A: To ensure control procedures address business risk
  • B: To ensure enterprise security controls are implemented
  • C: To ensure compliance with industry best practice
  • D: To ensure security is integrated into the system development life cycle (SDLC)

Question 24

Which of the following actions by senior management would BEST enable a successful implementation of an information security governance framework?

  • A: Demonstrating support for the business and information security governance functions
  • B: Delegating the implementation of the framework to information security management
  • C: Promoting the use of an internationally recognized governance framework
  • D: Engaging a consulting firm specializing in information security governance and standards

Question 25

Which of the following is the BEST strategy to implement an effective operational security posture?

  • A: Increased security awareness
  • B: Defense in depth
  • C: Threat management
  • D: Vulnerability management

Page 1 of 50 • Questions 1-25 of 1249
