
Boost Your Certification Prep with CISM Mock Tests, Certified Information Security Manager | SPOTO

Elevate your certification preparation with SPOTO's CISM Mock Tests. Our comprehensive practice tests, including free test options, are meticulously designed to sharpen your skills and boost confidence. Access a wealth of exam dumps, sample questions, and detailed exam materials to reinforce your understanding of key concepts. Engage in realistic mock exams that mirror the actual testing environment, coupled with precise exam answers and questions for thorough preparation. Utilize our advanced exam simulator to enhance your exam practice and simulate real exam scenarios. With SPOTO, streamline your exam preparation and achieve success in the Certified Information Security Manager (CISM) certification exam!

Question #1
An organization's recent risk assessment has identified many areas of security risk, and senior management has asked for a five-minute overview of the assessment results. Which of the following is the information security manager's BEST option for presenting this information?
A. Risk register
B. Risk heat map
C. Spider diagram
D. Balanced scorecard
View answer
Correct Answer: B
Question #2
What is the MOST important consideration when establishing metrics for reporting to the information security strategy committee?
A. Agreeing on baseline values for the metrics
B. Developing a dashboard for communicating the metrics
C. Providing real-time insight on the security posture of the organization
D. Benchmarking the expected value of the metrics against industry standards
View answer
Correct Answer: A
Question #3
Several significant risks have been identified after a centralized risk register was compiled and prioritized. The information security manager’s most important action is to:
A. provide senior management with risk treatment options
B. design and implement controls to reduce the risk
C. consult external third parties on how to treat the risk
D. ensure that employees are aware of the risk
View answer
Correct Answer: A
Question #4
Which of the following is MOST important to consider when prioritizing threats during the risk assessment process?
A. The criticality of threatened systems
B. The severity of exploited vulnerabilities
C. The potential impact on operations
D. The capability of threat actors
View answer
Correct Answer: C
Question #5
Which of the following should be the PRIMARY consideration for an information security manager when designing security controls for a newly acquired business application?
A. Known vulnerabilities in the application
B. The IT security architecture framework
C. Cost-benefit analysis of current controls
D. Business processes supported by the application
View answer
Correct Answer: D
Question #6
A PRIMARY purpose of creating security policies is to:
A. implement management’s governance strategy
B. establish the way security tasks should be executed
C. communicate management’s security expectations
D. define allowable security boundaries
View answer
Correct Answer: C
Question #7
Which of the following is the BEST indicator of a successful external intrusion into computer systems?
A. Unexpected use of protocols within the DMZ
B. Unexpected increase of malformed URLs
C. Decrease in the number of login failures
D. Spikes in the number of login failures
View answer
Correct Answer: A
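The reasoning behind answer A is that a DMZ host runs a small, known set of services, so traffic using any protocol or port outside that set is a strong signal of compromise, while login-failure counts rise and fall for benign reasons. The following added example (not part of SPOTO's material or the ISACA exam) checks constructed flow records against a hypothetical DMZ baseline; the 10.1.1.0/24 prefix, the hosts, the allowed services and the flow lines are all made up for illustration.

```python
"""Added example: flag unexpected protocol use by DMZ hosts.

The DMZ prefix (10.1.1.0/24), the hosts, the allowed services and the
flow records below are constructed for illustration only.
"""
from collections import defaultdict

DMZ_PREFIX = "10.1.1."

# Hypothetical baseline: (dmz_host, protocol, destination port) triples a
# DMZ service is expected to use, in either direction.
DMZ_BASELINE = {
    ("10.1.1.10", "tcp", 443),  # web server: HTTPS from the Internet
    ("10.1.1.10", "tcp", 80),   # web server: HTTP from the Internet
    ("10.1.1.20", "tcp", 25),   # mail relay: SMTP out
    ("10.1.1.20", "udp", 53),   # mail relay: DNS lookups out
}

# Constructed flow records: "src dst proto dport bytes".
SAMPLE_FLOWS = """\
203.0.113.7 10.1.1.10 tcp 443 5120
203.0.113.9 10.1.1.10 tcp 80 2048
10.1.1.20 198.51.100.5 tcp 25 900
10.1.1.20 198.51.100.1 udp 53 120
10.1.1.10 198.51.100.44 tcp 4444 880000
10.1.1.10 203.0.113.50 udp 53 62000
10.1.1.20 10.2.0.5 tcp 445 3000
"""


def parse_flow(line):
    src, dst, proto, dport, nbytes = line.split()
    return {"src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def dmz_host(flow):
    """Return the DMZ endpoint of a flow, or None if neither side is in the DMZ."""
    for ip in (flow["src"], flow["dst"]):
        if ip.startswith(DMZ_PREFIX):
            return ip
    return None


def unexpected_protocols(flow_text, baseline=DMZ_BASELINE):
    """Return flows whose (dmz_host, proto, dport) is outside the baseline."""
    hits = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        host = dmz_host(flow)
        if host is not None and (host, flow["proto"], flow["dport"]) not in baseline:
            hits.append(flow)
    return hits


def by_host(hits):
    """Group flagged (proto, dport, bytes) tuples by DMZ host for triage."""
    grouped = defaultdict(list)
    for flow in hits:
        grouped[dmz_host(flow)].append((flow["proto"], flow["dport"], flow["bytes"]))
    return dict(grouped)


if __name__ == "__main__":
    for host, items in by_host(unexpected_protocols(SAMPLE_FLOWS)).items():
        print(host, items)
```

Three of the seven constructed flows are flagged: the web server talking to an outside host on tcp/4444 with a large outbound byte count, the web server doing its own DNS (a common tunnelling channel) and the mail relay reaching an internal host on tcp/445. A port is only a proxy for a protocol, so a production check should use the protocol the IDS actually identified rather than the port alone.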
Question #8
In assessing the degree to which an organization may be affected by new privacy legislation, information security management should FIRST:
A. develop an operational plan for achieving compliance with the legislation
B. identify systems and processes that contain privacy components
C. restrict the collection of personal information until compliant
D. identify privacy legislation in other countries that may contain similar requirements
View answer
Correct Answer: B
Question #9
Which of the following should be PRIMARILY included in a security training program for business process owners?
A. Impact of security risks
B. Application vulnerabilities
C. Application recovery time
D. List of security incidents reported
View answer
Correct Answer: A
Question #10
Which of the following guarantees that data in a file have not changed?
A. Inspecting the modified date of the file
B. Encrypting the file with symmetric encryption
C. Using stringent access control to prevent unauthorized access
D. Creating a hash of the file, then comparing the file hashes
View answer
Correct Answer: D
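Answer D holds because a cryptographic hash depends on every byte of the file, whereas the modified date (option A) is metadata that anyone with write access can reset. The added example below (not from SPOTO or ISACA) builds a hash baseline, changes a file while restoring its original timestamps the way `touch -r` would, and shows that only the hash comparison catches it. The file name and contents are constructed for the demo.

```python
"""Added example: a hash comparison, not the modification timestamp,
detects a changed file. Paths and contents are constructed for the demo."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the hash and mtime of each file as a reference snapshot."""
    return {p: {"sha256": sha256_file(p), "mtime": os.stat(p).st_mtime}
            for p in paths}


def check_integrity(baseline):
    """Compare the current state of each file with the baseline.

    Returns {path: {"mtime_changed": bool, "hash_changed": bool}} so the
    two detection methods can be compared side by side.
    """
    report = {}
    for p, ref in baseline.items():
        report[p] = {
            "mtime_changed": os.stat(p).st_mtime != ref["mtime"],
            "hash_changed": sha256_file(p) != ref["sha256"],
        }
    return report


def demo_tampering(tamper=True):
    """Create a file, baseline it, optionally edit it while putting the
    original timestamps back (what an attacker with write access does),
    and return the integrity report for that file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.txt")
        with open(path, "w") as f:
            f.write("admin_enabled = false\n")
        baseline = build_baseline([path])
        if tamper:
            st = os.stat(path)
            with open(path, "w") as f:
                f.write("admin_enabled = true\n")
            # Restore access and modification times to their pre-edit values.
            os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
        return check_integrity(baseline)[path]


if __name__ == "__main__":
    print("tampered:", demo_tampering())
    print("untouched:", demo_tampering(tamper=False))
```

The baseline itself must be stored where the same attacker cannot rewrite it (read-only media, a separate signed manifest, or an external system); a hash list that sits beside the files it protects only guarantees integrity against accidental change.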
Question #11
Implementing a strong password policy is part of an organization’s information security strategy for the year. A business unit believes the strategy may adversely affect a client’s adoption of a recently developed mobile application and has decided not to implement the policy. Which of the following is the information security manager’s BEST course of action?
A. Analyze the risk and impact of not implementing the policy
B. Develop and implement a password policy for the mobile application
C. Escalate non-implementation of the policy to senior management
D. Benchmark with similar mobile applications to identify gaps
View answer
Correct Answer: C
Question #12
An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:
A. eliminating the risk
B. transferring the risk
C. mitigating the risk
View answer
Correct Answer: C
Question #13
Which of the following is the MOST effective approach for integrating security into application development?
A. Defining security requirements
B. Performing vulnerability scans
C. Including security in user acceptance testing sign-off
D. Developing security models in parallel
View answer
Correct Answer: A
Question #14
Which of the following is the MOST effective method of preventing deliberate internal security breaches?
A. Screening prospective employees
B. Well-designed firewall system
C. Well-designed intrusion detection system (IDS)
D. Biometric security access control
View answer
Correct Answer: A
Question #15
Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?
A. Defining job roles
B. Performing a risk assessment
C. Identifying data owners
D. Establishing data retention policies
View answer
Correct Answer: C
Question #16
Which of the following would provide senior management with the BEST information to better understand the organization’s information security risk profile?
A. Scenarios that impact business operations
B. Scenarios that disrupt client services
C. Scenarios that impact business goals
D. Scenarios that have a monetary impact
View answer
Correct Answer: C
Question #17
Risk assessment should be conducted on a continuing basis because:
A. controls change on a continuing basis
B. the number of hacking incidents is increasing
C. management should be updated about changes in risk
D. factors that affect information security change
View answer
Correct Answer: D
Question #18
Which of the following is the MOST important action when using a web application that has recognized vulnerabilities?
A. Deploy an application firewall
B. Deploy host-based intrusion detection
C. Install anti-spyware software
D. Monitor application level logs
View answer
Correct Answer: A
Question #19
The MAIN advantage of implementing automated password synchronization is that it:
A. reduces overall administrative workload
B. increases security between multi-tier systems
C. allows passwords to be changed less frequently
D. reduces the need for two-factor authentication
View answer
Correct Answer: A
Question #20
An inexperienced information security manager is relying on the internal audit department to design and implement key security controls. Which of the following is the GREATEST risk?
A. Inadequate implementation of controls
B. Conflict of interest
C. Violation of the audit charter
D. Inadequate audit skills
View answer
Correct Answer: B
Question #21
A PRIMARY advantage of involving business management in evaluating and managing information security risks is that they:
A. better understand organizational risks
B. can balance technical and business risks
C. are more objective than security management
D. better understand the security architecture
View answer
Correct Answer: B
Question #22
Deciding the level of protection a particular asset should be given is BEST determined by:
A. a threat assessment
B. a vulnerability assessment
C. a risk analysis
D. the corporate risk appetite
View answer
Correct Answer: C
Question #23
Which of the following is the BEST course of action for the information security manager when residual risk is above the acceptable level of risk?
A. Perform a cost-benefit analysis
B. Recommend additional controls
C. Carry out a risk assessment
D. Defer to business management
View answer
Correct Answer: B
Question #24
Which of the following is MOST important to consider when developing a disaster recovery plan?
A. Business continuity plan (BCP)
B. Business impact analysis (BIA)
C. Cost-benefit analysis
D. Feasibility assessment
View answer
Correct Answer: B
Question #25
Which of the following BEST validates that security controls are implemented in a new business process?
A. Assess the process according to information security policy
B. Benchmark the process against industry practices
C. Verify the use of a recognized control framework
D. Review the process for conformance with information security best practices
View answer
Correct Answer: A
Question #26
An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross training. Which type of authorization policy would BEST address this practice?
A. Multilevel
B. Role-based
C. Discretionary
D. Attribute-based
View answer
Correct Answer: B
Question #27
A CEO requests access to corporate documents from a mobile device that does not comply with organizational policy. The information security manager should FIRST:
A. evaluate a third-party solution
B. deploy additional security controls
C. evaluate the business risk
D. initiate an exception approval process
View answer
Correct Answer: C
Question #28
Which of the following contributes MOST to the effective implementation of an information security strategy?
A. Reporting of security metrics
B. Regular security awareness training
C. Endorsement by senior management
D. Implementation of security standards
View answer
Correct Answer: C
Question #29
An organization with a strict need-to-know information access policy is about to launch a knowledge management intranet. Which of the following is the MOST important activity to ensure compliance with existing security policies?
A. Develop a control procedure to check content before it is published
B. Change organization policy to allow wider use of the new web site
C. Ensure that access to the web site is limited to senior managers and the board
D. Password-protect documents that contain confidential information
View answer
Correct Answer: A
Question #30
The contribution of recovery point objective (RPO) to disaster recovery is to:
A. define backup strategy
B. eliminate single points of failure
C. reduce mean time between failures (MTBF)
D. minimize outage period
View answer
Correct Answer: A
Question #31
After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?
A. Information security officer
B. Chief information officer (CIO)
C. Business owner
D. Chief executive officer (CEO)
View answer
Correct Answer: C
Question #32
Which of the following is the MOST important reason for an information security review of contracts? To help ensure that:
A. the parties to the agreement can perform
B. confidential data are not included in the agreement
C. appropriate controls are included
D. the right to audit is a requirement
View answer
Correct Answer: C
Question #33
Which of the following provides the GREATEST assurance that information security is addressed in change management?
A. Performing a security audit on changes
B. Providing security training for the change advisory board
C. Requiring senior management sign-off on change management
D. Reviewing changes from a security perspective
View answer
Correct Answer: D
Question #34
An organization’s outsourced firewall was poorly configured and allowed unauthorized access that resulted in downtime of 48 hours. Which of the following should be the information security manager’s NEXT course of action?
A. Reconfigure the firewall in accordance with best practices
B. Obtain supporting evidence that the problem has been corrected
C. Revisit the contract and improve accountability of the service provider
D. Seek damages from the service provider
View answer
Correct Answer: B
Question #35
Conflicting objectives are MOST likely to compromise the effectiveness of the information security process when information security management is:
A. reporting to the network infrastructure manager
B. outside of information technology
C. partially staffed by external security consultants
D. combined with the change management function
View answer
Correct Answer: D
Question #36
Risk management is MOST cost-effective:
A. when performed on a continuous basis
B. while developing the business case for the security program
C. at the beginning of security program development
D. when integrated into other corporate assurance functions
View answer
Correct Answer: D
Question #37
Which of the following is the GREATEST risk of single sign-on?
A. It is a single point of failure for an enterprise access control process
B. Password carelessness by one user may render the entire infrastructure vulnerable
C. Integration of single sign-on with the rest of the infrastructure is complicated
D. One administrator maintains the single sign-on solutions without segregation of duty
View answer
Correct Answer: A
Question #38
Vulnerability scanning has detected a critical risk in a vital business application. Which of the following should the information security manager do FIRST?
A. Report the business risk to senior management
B. Confirm the risk with the business owner
C. Update the risk register
D. Create an emergency change request
View answer
Correct Answer: B
Question #39
Information security awareness programs are MOST effective when they are:
A. customized for each target audience
B. sponsored by senior management
C. reinforced by computer-based training
D. conducted at employee orientation
View answer
Correct Answer: A
Question #40
Which of the following is the BEST method for determining whether new risks exist in legacy applications?
A. Regularly scheduled risk assessments
B. Automated vulnerability scans
C. Third-party penetration testing
D. Frequent updates to the risk register
View answer
Correct Answer: A
Question #41
When configuring a biometric access control system that protects a high-security data center, the system's sensitivity level should be set:
A. to a higher false reject rate (FRR)
B. to a lower crossover error rate
C. to a higher false acceptance rate (FAR)
D. exactly to the crossover error rate
View answer
Correct Answer: A
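Answer A follows from how a biometric matcher works: it produces a similarity score, and the operator chooses the threshold above which a presentation is accepted. Raising the threshold turns away more impostors (lower FAR) at the cost of turning away more legitimate users (higher FRR); the crossover error rate is where the two are equal. For a high-security data center the operator deliberately sits above the crossover. The added example below (not from SPOTO or ISACA) computes FAR and FRR from constructed genuine and impostor scores, finds the crossover, and picks a threshold for a FAR target; the scores and the 0-100 scale are assumptions.

```python
"""Added example: the threshold of a biometric matcher trades false
acceptance (FAR) against false rejection (FRR).

The match scores below are constructed, not from any real sensor; a
production evaluation uses thousands of genuine and impostor attempts.
"""

# Similarity scores (0-100). Genuine: the enrolled person presents.
# Impostor: someone else presents against that template.
GENUINE_SCORES = [55, 60, 62, 65, 68, 70, 72, 74, 75, 77,
                  78, 80, 82, 85, 88, 90, 92, 95, 97, 99]
IMPOSTOR_SCORES = [10, 15, 20, 22, 25, 28, 30, 33, 35, 38,
                   40, 42, 45, 48, 50, 55, 58, 60, 66, 71]


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False acceptance rate: share of impostor attempts scoring >= threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE_SCORES):
    """False rejection rate: share of genuine attempts scoring < threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(thresholds=range(0, 101)):
    """Threshold at which FAR and FRR are closest (crossover error rate, CER).
    Ties resolve to the lowest threshold."""
    return min(thresholds, key=lambda t: (abs(far(t) - frr(t)), t))


def threshold_for_max_far(max_far, thresholds=range(0, 101)):
    """Lowest threshold whose FAR does not exceed max_far.

    This is how a high-security setting is chosen: fix the FAR you can
    tolerate and accept whatever FRR (user friction) results.
    """
    for t in thresholds:
        if far(t) <= max_far:
            return t
    raise ValueError("no threshold meets the FAR target")


def error_curve(thresholds=range(0, 101, 5)):
    """(threshold, FAR, FRR) rows, handy for plotting or a quick table."""
    return [(t, far(t), frr(t)) for t in thresholds]


if __name__ == "__main__":
    cer = crossover()
    print(f"crossover at {cer}: FAR={far(cer):.2f} FRR={frr(cer):.2f}")
    t = threshold_for_max_far(0.0)
    print(f"high-security threshold {t}: FAR={far(t):.2f} FRR={frr(t):.2f}")
    for row in error_curve():
        print(row)
```

With the constructed scores the crossover is at 61 (FAR = FRR = 0.10). Demanding FAR = 0 pushes the threshold to 72, where 30% of genuine attempts are rejected; that friction is the price the question expects a high-security data center to pay, and it is usually absorbed by pairing the biometric with a second factor rather than by lowering the threshold.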
Question #42
Which of the following is the PRIMARY goal of a risk management program?
A. Implement preventive controls against threats
B. Manage the business impact of inherent risks
C. Manage compliance with organizational policies
D. Reduce the organization’s risk appetite
View answer
Correct Answer: B
Question #43
Which of the following is the PRIMARY reason for executive management to be involved in establishing an enterprise’s security management framework?
A. To determine the desired state of enterprise security
B. To establish the minimum level of controls needed
C. To satisfy auditors’ recommendations for enterprise security
D. To ensure industry best practices for enterprise security are followed
View answer
Correct Answer: A
Question #44
An organization is in the process of adopting a hybrid data infrastructure, transferring all non-core applications to cloud service providers and maintaining all core business functions in-house. The information security manager has determined a defense in depth strategy should be used. Which of the following BEST describes this strategy?
A. Multi-factor login requirements for cloud service applications, timeouts, and complex passwords
B. Deployment of nested firewalls within the infrastructure
C. Separate security controls for applications, platforms, programs, and endpoints
D. Strict enforcement of role-based access control (RBAC)
View answer
Correct Answer: C
Question #45
Which of the following would provide the MOST effective security outcome in an organization’s contract management process?
A. Extending security assessment to include random penetration testing
B. Extending security assessment to cover asset disposal on contract termination
C. Performing vendor security benchmark analyses at the request-for-proposal stage
D. Ensuring security requirements are defined at the request-for-proposal stage
View answer
Correct Answer: D
Question #46
When preventative controls to appropriately mitigate risk are not feasible, which of the following is the MOST important action for the information security manager to perform?
A. Assess vulnerabilities
B. Manage the impact
C. Evaluate potential threats
D. Identify unacceptable risk levels
View answer
Correct Answer: B
Question #47
Which of the following BEST describes a buffer overflow?
A. A program contains a hidden and unintended function that presents a security risk
B. A type of covert channel that captures data
C. Malicious code designed to interfere with normal operations
D. A function is carried out with more data than the function can handle
View answer
Correct Answer: D
Question #48
Which of the following trends would be of GREATEST concern when reviewing the performance of an organization’s intrusion detection systems (IDS)?
A. Decrease in false negatives
B. Increase in false positives
C. Decrease in false positives
D. Increase in false negatives
View answer
Correct Answer: D
Question #49
What is the role of the information security manager in finalizing contract negotiations with service providers?
A. To update security standards for the outsourced process
B. To ensure that clauses for periodic audits are included
C. To obtain a security standard certification from the provider
D. To perform a risk analysis on the outsourcing process
View answer
Correct Answer: B
Question #50
Which of the following should an information security manager establish FIRST to ensure security-related activities are adequately monitored?
A. Internal reporting channels
B. Accountability for security functions
C. Scheduled security assessments
D. Regular reviews of computer system logs
View answer
Correct Answer: B
Question #51
When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls?
A. Risk management
B. Change management
C. Access control management
D. Configuration management
View answer
Correct Answer: A
Question #52
Which of the following is MOST important for an information security manager to ensure when evaluating change requests?
A. Requests are approved by process owners
B. Requests add value to the business
C. Residual risk is within risk tolerance
D. Contingency plans have been created
View answer
Correct Answer: C
Question #53
When developing a disaster recovery plan, which of the following would be MOST helpful in prioritizing the order in which systems should be recovered?
A. Performing a business impact analysis (BIA)
B. Measuring the volume of data in each system
C. Reviewing the information security policy
D. Reviewing the business strategy
View answer
Correct Answer: A
Question #54
The objective of risk management is to reduce risk to the minimum level that is:
A. compliant with security policies
B. practical given industry and regulatory environments
C. achievable from technical and financial perspectives
D. acceptable given the preference of the organization
View answer
Correct Answer: D
Question #55
Which is the BEST way for an organization to monitor security risk?
A. Analyzing key performance indicators (KPIs)
B. Using external risk intelligence services
C. Using a dashboard to assess vulnerabilities
D. Analyzing key risk indicators (KRIs)
View answer
Correct Answer: D
Question #56
Which of the following BEST protects against web-based cross-domain attacks?
A. Database hardening
B. Application controls
C. Network addressing scheme
D. Encryption controls
View answer
Correct Answer: B
Question #57
When supporting an organization’s privacy officer, which of the following is the information security manager’s PRIMARY role regarding privacy requirements?
A. Monitoring the transfer of private data
B. Conducting privacy awareness programs
C. Ensuring appropriate controls are in place
D. Determining data classification
View answer
Correct Answer: C
Question #58
Which of the following is the MOST significant advantage of developing a well-defined information security strategy?
A. Support for buy-in from organizational employees
B. Allocation of resources to highest priorities
C. Prevention of deviations from risk tolerance thresholds
D. Increased maturity of incident response processes
View answer
Correct Answer: B
Question #59
The PRIMARY advantage of involving end users in continuity planning is that they:
A. are more objective than information security management
B. can balance the technical and business risks
C. have a better understanding of specific business needs
D. can see the overall impact to the business
View answer
Correct Answer: C
Question #60
When developing a new application, which of the following is the BEST approach to ensure compliance with security requirements?
A. Provide security training for developers
B. Prepare detailed acceptance criteria
C. Adhere to change management processes
D. Perform a security gap analysis
View answer
Correct Answer: B
Question #61
Which of the following is the GREATEST benefit of integrating information security program requirements into vendor management?
A. The ability to reduce risk in the supply chain
B. The ability to meet industry compliance requirements
C. The ability to define service level agreements (SLAs)
D. The ability to improve vendor performance
View answer
Correct Answer: A
Question #62
Which of the following is the MOST important function of information security?
A. Managing risk to the organization
B. Reducing the financial impact of security breaches
C. Identifying system vulnerabilities
D. Preventing security incidents
View answer
Correct Answer: A
Question #63
Threat and vulnerability assessments are important PRIMARILY because they are:
A. needed to estimate risk
B. the basis for setting control objectives
C. elements of the organization’s security posture
D. used to establish security investments
View answer
Correct Answer: A