Is this exam completely free?

ExamCademy offers a free preview for every exam, covering around 20% of the total questions. Full access to all questions is available for free by signing up for an account. Optional supporters unlock AstroTutor (AI tutor) and advanced study modes.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! ExamCademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our practice questions are community-created and moderator-reviewed to align with realistic exam objectives, style, and difficulty.

CISM by ISACA - Page 1 | ExamCademy

Mode Selection

Question 1

Question 2

Question 3

Which of the following would BEST enable effective decision-making?

A Annualized loss estimates determined from past security events
B A universally applied list of generic threats, impacts, and vulnerabilities
C A consistent process to analyze new and historical information risk
D Formalized acceptance of risk analysis by business management

Question 4

Which of the following is the BEST option to lower the cost to implement application security controls?

A Include standard application security requirements.
B Perform security tests in the development environment.
C Perform a risk analysis after project completion.
D Integrate security activities within the development process.

Question 5

Which of the following is the GREATEST benefit of effective information security governance?

A Treatment priorities are based on risk exposure.
B Information security standards are communicated to primary stakeholders.
C The information security budget is aligned to the organization.
D Executive management's strategy is aligned to the information security strategy.

Question 6

The ability to integrate information security governance into corporate governance is PRIMARILY driven by:

A the percentage of corporate budget allocated to the information security program.
B how often information security metrics are presented to senior management.
C how often the information security steering committee reviews and updates security policies.
D how well the information security program supports business objectives.

Question 7

Which of the following presents the GREATEST challenge for protecting Internet of Things (IoT) devices?

A IoT vendor reputation
B IoT architecture diversity
C IoT-specific training
D IoT device policies

Question 8

Which of the following parameters is MOST helpful when designing a disaster recovery strategy?

A Maximum tolerable downtime (MTD)
B Mean time between failures (MTBF)
C Allowable interruption window (AIW)
D Recovery point objective (RPO)

Question 9

An IT service desk was not adequately prepared for a recent ransomware attack on user workstations. Which of the following should be given HIGHEST priority by the information security team when creating an action plan to improve service desk readiness?

A Investing in threat intelligence capability
B Implementing key risk indicators (KRIs) for ransomware attacks
C Updating the information security incident response manual
D Strengthening the organization's data backup capability

Question 10

After a risk has been identified, analyzed, and evaluated, which of the following should be done NEXT?

A Monitor the risk.
B Prioritize the risk for treatment
C Identify the risk owner.
D Identify controls for risk mitigation.

Question 11

Which of the following will BEST facilitate timely and effective incident response?

A Including penetration test results in incident response planning
B Assessing the risk of compromised assets
C Notifying stakeholders when invoking the incident response plan
D Classifying the severity of an incident

Question 12

Which of the following MOST effectively communicates the current risk profile to senior management after controls are applied?

A Residual risk
B Impact of loss events
C Inherent risk
D Number of risks avoided

Question 13

Which of the following processes should be done NEXT after completing a business impact analysis (BIA)?

A Evaluate the disaster recovery plan (DRP).
B Develop the requirements for the incident response plan.
C Develop a business continuity plan (BCP).
D Identify resources for business recovery.

Question 14

Which of the following has the GREATEST impact on efforts to improve an organization's security posture?

A Well-documented security policies and procedures
B Supportive tone at the top regarding security
C Regular reporting to senior management
D Automation of security controls

Question 15

Which of the following is MOST important to include in an information security policy?

A Maturity levels
B Baselines
C Best practices
D Management objectives

Question 16

Which of the following should an information security manager do FIRST when creating an organization's disaster recovery plan (DRP)?

A Develop response and recovery strategies.
B Identify the response and recovery teams.
C Review the communications plan.
D Conduct a business impact analysis (BIA).

Question 17

Which of the following would be the MOST effective use of findings from a post-incident review?

A Providing input for updates to the incident response plan
B Developing cost reports regarding the incident
C Providing justification for an increase in the incident response plan budget
D Incorporating the results into information security awareness training materials

Question 18

During a post-incident review, it was determined that a known vulnerability was exploited in order to gain access to a system. The vulnerability was patched as part of the remediation on the offending system. Which of the following should be done NEXT?

A Scan to determine whether the vulnerability is present on other systems.
B Review the vulnerability management process.
C Install patches an all existing systems.
D Report the root cause of the vulnerability to senior management.

Question 19

Which of the following is MOST helpful in determining the realization of benefits from an information security program?

A Vulnerability assessments
B Key risk indicators (KRIs)
C Business impact analysis (BIA)
D Key performance indicators (KPIs)

Question 20

During an internal compliance review, the review team discovers that a critical legacy application is unable to meet the organization's mandatory security requirements. Which of the following should be done FIRST?

A Update the risk register.
B Recommend taking the application out of service.
C Implement compensating controls.
D Monitor the application until it can be replaced.

Question 21

Which of the following is the BEST way to improve an organization's ability to detect and respond to incidents?

A Conduct a business impact analysis (BIA).
B Conduct periodic awareness training.
C Perform a security gap analysis.
D Perform network penetration testing.

Question 22

Of the following, who would provide the MOST relevant input when aligning the information security strategy with organizational goals?

A Data privacy officer (DPO)
B Chief information security officer (CISO)
C Information security steering committee
D Enterprise risk committee

Question 23

Which of the following is the PRIMARY role of the information security manager in application development?

A To ensure control procedures address business risk
B To ensure enterprise security controls are implemented
C To ensure compliance with industry best practice
D To ensure security is integrated into the system development life cycle (SDLC)

Question 24

Which of the following actions by senior management would BEST enable a successful implementation of an information security governance framework?

A Demonstrating support for the business and information security governance functions
B Delegating the implementation of the framework to information security management
C Promoting the use of an internationally recognized governance framework
D Engaging a consulting firm specializing in information security governance and standards

Question 25

Which of the following is the BEST strategy to implement an effective operational security posture?

A Increased security awareness
B Defense in depth
C Threat management
D Vulnerability management

Page 1 of 50 • Questions 1-25 of 1249

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

An information security risk analysis BEST assists an organization in ensuring that:

A the infrastructure has the appropriate level of access control.
B cost-effective decisions are made with regard to which assets need protection
C an appropriate level of funding is applied to security processes.
D the organization implements appropriate security technologies

Which of the following is the MOST effective way to address an organization's security concerns during contract negotiations with a third party?

A Review the third-party contract with the organization's legal department.
B Communicate security policy with the third-party vendor.
C Ensure security is involved in the procurement process.
D Conduct an information security audit on the third-party vendor.

CISMPreview