
CISM Exam Essentials: Exam Questions & Practice Tests, Certified Information Security Manager | SPOTO

Get ready for success in the Certified Information Security Manager (CISM) exam with SPOTO's CISM Exam Essentials: Exam Questions & Practice Tests. As a CISM, you showcase advanced expertise in developing and managing enterprise information security programs. Access our comprehensive practice tests, including free test options, to delve into exam dumps, sample questions, and exam materials, reinforcing your understanding of key concepts. Engage in realistic mock exams to simulate the exam environment and refine your exam practice. Utilize our detailed exam answers and exam simulator to enhance your preparation. With SPOTO's exam preparation resources, including online exam questions, you'll be well-prepared to ace the CISM exam and advance your career in information security.


Question #1
Which two components PRIMARILY must be assessed in an effective risk analysis?
A. Visibility and duration
B. Likelihood and impact
C. Probability and frequency
D. Financial impact and duration
View answer
Correct Answer: B
Question #2
A risk assessment should be conducted:
A. once a year for each business process and subprocess
B. every three to six months for critical business processes
C. by external parties to maintain objectivity
D. annually or whenever there is a significant change
View answer
Correct Answer: B
Question #3
Retention of business records should PRIMARILY be based on:
A. business strategy and direction
B. regulatory and legal requirements
C. storage capacity and longevity
D. business ease and value analysis
View answer
Correct Answer: D
Question #4
An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. The vulnerability identified is:
A. broken authentication
B. unvalidated input
C. cross-site scripting
D. structured query language (SQL) injection
View answer
Correct Answer: B
Question #5
Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?
A. Update platform-level security settings
B. Conduct disaster recovery test exercises
C. Approve access to critical financial systems
D. Develop an information security strategy paper
View answer
Correct Answer: C
Question #6
Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?
A. Ensure that all IT risks are identified
B. Evaluate the impact of information security risks
C. Demonstrate that IT mitigating controls are in place
D. Suggest new IT controls to mitigate operational risk
View answer
Correct Answer: B
Question #7
The MOST useful way to describe the objectives in the information security strategy is through:
A. attributes and characteristics of the 'desired state'
B. overall control objectives of the security program
C. mapping the IT systems to key business processes
D. calculation of annual loss expectations
View answer
Correct Answer: C
Question #8
The purpose of a corrective control is to:
A. reduce adverse events
B. indicate compromise
C. mitigate impact
D. ensure compliance
View answer
Correct Answer: C
Question #9
The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to:
A. provide in-depth defense
B. separate test and production
C. permit traffic load balancing
D. prevent a denial-of-service attack
View answer
Correct Answer: C
Question #10
It is important to classify and determine relative sensitivity of assets to ensure that:
A. cost of protection is in proportion to sensitivity
B. highly sensitive assets are protected
C. cost of controls is minimized
D. countermeasures are proportional to risk
View answer
Correct Answer: B
Question #11
Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level?
A. Implement countermeasures
B. Eliminate the risk
C. Transfer the risk
D. Accept the risk
View answer
Correct Answer: B
Question #12
Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures?
A. Stress testing
B. Patch management
C. Change management
D. Security baselines
View answer
Correct Answer: C
Question #13
After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?
A. Information security officer
B. Chief information officer (CIO)
C. Business owner
D. Chief executive officer (CEO)
View answer
Correct Answer: A
Question #14
When designing an information security quarterly report to management, the MOST important element to be considered should be the:
A. information security metrics
B. knowledge required to analyze each issue
C. linkage to business area objectives
D. baseline against which metrics are evaluated
View answer
Correct Answer: A
Question #15
In performing a risk assessment on the impact of losing a server, the value of the server should be calculated using the:
A. original cost to acquire
B. cost of the software stored
C. annualized loss expectancy (ALE)
D. cost to obtain a replacement
View answer
Correct Answer: C
Question #16
Developing a successful business case for the acquisition of information security software products can BEST be assisted by:
A. assessing the frequency of incidents
B. quantifying the cost of control failures
C. calculating return on investment (ROI) projections
D. comparing spending against similar organizations
View answer
Correct Answer: D
Question #17
Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender?
A. Biometric authentication
B. Embedded steganographic
C. Two-factor authentication
D. Embedded digital signature
View answer
Correct Answer: D
Question #18
The PRIMARY goal of a corporate risk management program is to ensure that an organization's:
A. IT assets in key business functions are protected
B. business risks are addressed by preventive controls
C. stated objectives are achievable
D. IT facilities and systems are always available
View answer
Correct Answer: D
Question #19
Relationships among security technologies are BEST defined through which of the following?
A. Security metrics
B. Network topology
C. Security architecture
D. Process improvement models
View answer
Correct Answer: A
Question #20
Security technologies should be selected PRIMARILY on the basis of their:
A. ability to mitigate business risk
B. evaluations in trade publications
C. use of new and emerging technologies
D. benefits in comparison to their cost
View answer
Correct Answer: B
Question #21
Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?
A. Include security responsibilities in the job description
B. Require the administrator to obtain security certification
C. Train the system administrator on penetration testing and vulnerability assessment
D. Train the system administrator on risk assessment
View answer
Correct Answer: B
Question #22
When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
A. aligned with the IT strategic plan
B. based on the current rate of technological change
C. three-to-five years for both hardware and software
D. aligned with the business strategy
View answer
Correct Answer: D
Question #23
When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:
A. right-to-terminate clause
B. limitations of liability
C. service level agreement (SLA)
D. financial penalties clause
View answer
Correct Answer: A
Question #24
An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?
A. Ethics
B. Proportionality
C. Integration
D. Accountability
View answer
Correct Answer: A
Question #25
The PRIMARY goal in developing an information security strategy is to:
A. establish security metrics and performance monitoring
B. educate business process owners regarding their duties
C. ensure that legal and regulatory requirements are met
D. support the business objectives of the organization
View answer
Correct Answer: B
Question #26
In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:
A. prepare a security budget
B. conduct a risk assessment
C. develop an information security policy
D. obtain benchmarking information
View answer
Correct Answer: B
Question #27
Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?
A. Alignment with industry best practices
B. Business continuity investment
C. Business benefits
D. Regulatory compliance
View answer
Correct Answer: D
Question #28
Previously accepted risk should be:
A. re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions
B. accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable
C. avoided next time since risk avoidance provides the best protection to the company
D. removed from the risk log once it is accepted
View answer
Correct Answer: D
Question #29
An information security manager must understand the relationship between information security and business operations in order to:
A. support organizational objectives
B. determine likely areas of noncompliance
C. assess the possible impacts of compromise
D. understand the threats to the business
View answer
Correct Answer: D
Question #30
An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:
A. conflicting security controls with organizational needs
B. strong protection of information resources
C. implementing appropriate controls to reduce risk
D. proving information security's protective abilities
View answer
Correct Answer: C
Question #31
Senior management commitment and support for information security can BEST be obtained through presentations that:
A. use illustrative examples of successful attacks
B. explain the technical risks to the organization
C. evaluate the organization against best security practices
D. tie security risks to key business objectives
View answer
Correct Answer: C
Question #32
An information security manager uses security metrics to measure the:
A. performance of the information security program
B. performance of the security baseline
C. effectiveness of the security risk analysis
D. effectiveness of the incident response team
View answer
Correct Answer: C
Question #33
The valuation of IT assets should be performed by:
A. an IT security manager
B. an independent security consultant
C. the chief financial officer (CFO)
D. the information owner
View answer
Correct Answer: C
Question #34
While implementing information security governance an organization should FIRST:
A. adopt security standards
B. determine security baselines
C. define the security strategy
D. establish security policies
View answer
Correct Answer: B
Question #35
A security risk assessment exercise should be repeated at regular intervals because:
A. business threats are constantly changing
B. omissions in earlier assessments can be addressed
C. repetitive assessments allow various methodologies
D. they help raise awareness on security in the business
View answer
Correct Answer: B
