Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!

CISMFree trial

By isaca

Verified

25Q per page

Question 101

Which of the following should an information security manager do FIRST when a vulnerability has been disclosed?

A: Perform a patch update.
B: Conduct a risk assessment.
C: Conduct an impact assessment.
D: Perform a penetration test.

—

Question 102

A recent audit found that an organization's new user accounts are not set up uniformly. Which of the following is MOST important for the information security manager to review?

A: Security policies
B: Automated controls
C: Guidelines
D: Standards

—

Question 103

When an organization experiences a disruptive event, the business continuity plan (BCP) should be triggered PRIMARILY based on:

A: expected duration of outage.
B: the root cause of the event.
C: type of security incident.
D: management direction.

—

Question 104

Which of the following controls would BEST help to detect a targeted attack exploiting a zero-day vulnerability?

A: Intrusion prevention system (IPS)
B: Vulnerability scanning
C: Endpoint detection and response (EDR)
D: Extended detection and response (XDR)

—

Question 105

Which of the following is the MOST relevant control to address the integrity of information?

A: Implementation of a redundant server system
B: Encryption of email
C: Implementation of an Internet security application
D: Assignment of appropriate access permissions

—

Question 106

What should be the PRIMARY objective of an information classification scheme?

A: To define data retention requirements
B: To develop an asset inventory
C: To meet legislative and regulatory requirements
D: To implement controls proportionate to risk

—

Question 107

Which of the following is MOST important to consider when prioritizing threats during the risk assessment process?

A: Regulatory requirements on the organization
B: The severity of exploited vulnerabilities
C: The threat landscape within the industry
D: The potential impact on operations

—

Question 108

Which of the following would BEST fulfill a board of directors' request for a concise overview of information security risk facing the business?

A: Business impact analysis (BIA)
B: Balanced scorecard
C: Risk heat map
D: Risk scenario summary

—

Question 109

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

A: To define security roles and responsibilities
B: To determine the criticality of information assets
C: To establish incident severity levels
D: To determine return on investment (ROI)

—

Question 110

An organization wants to integrate information security into its HR management processes. Which of the following should be the FIRST step?

A: Calculate the return on investment (ROI).
B: Provide security awareness training to HR.
C: Assess the business objectives of the processes.
D: Benchmark the processes with best practice to identify gaps.

—

Question 111

Following a breach where the risk has been isolated and forensic processes have been performed, which of the following should be done NEXT?

A: Place the web server in quarantine.
B: Rebuild the server from the last verified backup.
C: Shut down the server in an organized manner.
D: Rebuild the server with relevant patches from the original media.

—

Question 112

Which of the following is MOST important for effective cybersecurity incident management?

A: Early detection and response
B: Regular tabletop exercises
C: Root cause analysis
D: Investigation and forensics

—

Question 113

Which of the following is the BEST method to protect consumer private information for an online public website?

A: Apply strong authentication to online accounts
B: Encrypt consumer data in transit and at rest
C: Use secure encrypted transport layer
D: Apply a masking policy to the consumer data

—

Question 114

Which of the following metrics is the BEST measure of the effectiveness of an information security program?

A: Reduction in the amount of risk exposure in an organization
B: Reduction in the number of threats to an organization
C: Reduction in the cost of risk remediation for an organization
D: Reduction in the number of vulnerabilities in an organization

—

Question 115

An organization uses a security standard that has undergone a major revision by the certifying authority. The old version of the standard will no longer be used for organizations wishing to maintain their certifications. Which of the following should be the FIRST course of action?

A: Modify policies to ensure new requirements are covered.
B: Review the new standard for applicability to the business.
C: Evaluate the cost of maintaining the certification.
D: Communicate the new standard to senior leadership.

—

Question 116

Which of the following is the MOST appropriate metric to demonstrate the effectiveness of information security controls to senior management?

A: Number of security vulnerabilities uncovered with network scans
B: Percentage of servers patched
C: Downtime due to malware infections
D: Annualized loss resulting from security incidents

—

Question 117

Which of the following is the BEST indication that an organization has integrated information security governance with corporate governance?

A: Impact is measured according to business loss when assessing IT risk.
B: Service levels for security vendors are defined according to business needs.
C: Security policies are reviewed whenever business objectives are changed.
D: Security performance metrics are measured against business objectives.

—

Question 118

The MOST effective way to present information security risk to senior management is to highlight:

A: business impact.
B: countermeasures.
C: threat intelligence.
D: risk mitigation over time.

—

Question 119

Which of the following should be the PRIMARY objective for creating a culture of security within an organization?

A: To obtain resources for information security initiatives
B: To reduce risk to acceptable levels
C: To prioritize security within the organization
D: To demonstrate control effectiveness to senior management

—

Question 120

Which of the following should be updated FIRST when aligning the incident response plan with the corporate strategy?

A: Security procedures
B: Disaster recovery plan (DRP)
C: Incident notification plan
D: Risk response scenarios

—

Question 121

Which of the following is the MOST effective way to ensure the security of services and solutions delivered by third-party vendors?

A: Review third-party contracts as part of the vendor management process.
B: Perform an audit on vendors' security controls and practices.
C: Integrate risk management into the vendor management process.
D: Conduct security reviews on the services and solutions delivered.

—

Question 122

Which of the following eradication methods is MOST appropriate when responding to an incident resulting in malware on an application server?

A: Disconnect the system from the network.
B: Change passwords on the compromised system.
C: Restore the system from a known good backup.
D: Perform operation system hardening.

—

Question 123

Which of the following is MOST important for guiding the development and management of a comprehensive information security program?

A: Adopting information security program management best practices
B: Aligning the organization's business objectives with IT objectives
C: Establishing and maintaining an information security governance framework
D: Implementing policies and procedures to address the information security strategy