Master CISM Exams with Exam Questions & Study Materials, Certified Information Security Manager | SPOTO


Question #1
Investments in information security technologies should be based on:
A. vulnerability assessments
B. value analysis
C. business climate
D. audit recommendations
Correct Answer: B

Question #2
There is reason to believe that a recently modified web application has allowed unauthorized access. Which is the BEST way to identify an application backdoor?
A. Black box pen test
B. Security audit
C.
D. Vulnerability scan
Correct Answer: C
Question #3
Which of the following are seldom changed in response to technological changes?
A. Standards
B. Procedures
C. Policies
D. Guidelines
Correct Answer: C
Question #4
The effectiveness of an information security governance framework will BEST be enhanced if:
A. IS auditors are empowered to evaluate governance activities
B. risk management is built into operational and strategic activities
C. a culture of legal and regulatory compliance is promoted by management
D. consultants review the information security governance framework
Correct Answer: D
Question #5
The PRIMARY goal of a corporate risk management program is to ensure that an organization's:
A. IT assets in key business functions are protected
B. business risks are addressed by preventive controls
C. stated objectives are achievable
D. IT facilities and systems are always available
Correct Answer: C
Question #6
An organization has been experiencing a number of network-based security attacks that all appear to originate internally. The BEST course of action is to:
A. require the use of strong passwords
B. assign static IP addresses
C. implement centralized logging software
D. install an intrusion detection system (IDS)
Correct Answer: A
Question #7
Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?
A. The information security department has difficulty filling vacancies
B. The chief information officer (CIO) approves security policy changes
C. The information security oversight committee only meets quarterly
D. The data center manager has final signoff on all security projects
Correct Answer: D
Question #8
An organization has verified that its customer information was recently exposed. Which of the following is the FIRST step a security manager should take in this situation?
A. Inform senior management
B. Determine the extent of the compromise
C. Report the incident to the authorities
D. Communicate with the affected customers
Correct Answer: A
Question #9
A risk management program would be expected to:
A. remove all inherent risk
B. maintain residual risk at an acceptable level
C. implement preventive controls for every threat
D. reduce control risk to zero
Correct Answer: B
Question #10
An organization plans to outsource its customer relationship management (CRM) to a third-party service provider. Which of the following should the organization do FIRST?
A. Request that the third-party provider perform background checks on their employees
B. Perform an internal risk assessment to determine needed controls
C. Audit the third-party provider to evaluate their security controls
D. Perform a security assessment to detect security vulnerabilities
Correct Answer: A
Question #11
The FIRST step in developing an information security management program is to:
A. identify business risks that affect the organization
B. clarify organizational purpose for creating the program
C. assign responsibility for the program
D. assess adequacy of controls to mitigate business risks
Correct Answer: B
Question #12
Which of the following would raise security awareness among an organization's employees?
A. Distributing industry statistics about security incidents
B. Monitoring the magnitude of incidents
C. Encouraging employees to behave in a more conscious manner
D. Continually reinforcing the security policy
Correct Answer: B
Question #13
An outcome of effective security governance is:
A. business dependency assessment
B. strategic alignment
C. risk assessment
D. planning
Correct Answer: B
Question #14
Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?
A. Programming
B. Specification
C. User testing
D. Feasibility
Correct Answer: D
Question #15
The root cause of a successful cross site request forgery (XSRF) attack against an application is that the vulnerable application:
A. uses multiple redirects for completing a data commit transaction
B. has implemented cookies as the sole authentication mechanism
C. has been installed with a non-legitimate license key
D. is hosted on a server along with other applications
Correct Answer: D
Question #16
The PRIMARY objective of a risk management program is to:
A. minimize inherent risk
B. eliminate business risk
C. implement effective controls
D. minimize residual risk
Correct Answer: D
Question #17
Simple Network Management Protocol v2 (SNMP v2) is used frequently to monitor networks. Which of the following vulnerabilities does it always introduce?
A. Remote buffer overflow
B. Cross site scripting
C. Clear text authentication
D. Man-in-the-middle attack
Correct Answer: A
Question #18
When performing an information risk analysis, an information security manager should FIRST:
A. establish the ownership of assets
B. evaluate the risks to the assets
C. take an asset inventory
D. categorize the assets
Correct Answer: C
Question #19
Which of the following recovery strategies has the GREATEST chance of failure?
A. Hot site
B. Redundant site
C. Reciprocal arrangement
D. Cold site
Correct Answer: B
Question #20
Detailed business continuity plans should be based PRIMARILY on:
A. consideration of different alternatives
C. strategies that cover all applications
D. strategies validated by senior management
Correct Answer: D
Question #21
An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:
A. conflicting security controls with organizational needs
B. strong protection of information resources
C. implementing appropriate controls to reduce risk
D. proving information security's protective abilities
Correct Answer: A
Question #22
A new version of an information security regulation is published that requires an organization's compliance. The information security manager should FIRST:
A. perform an audit based on the new version of the regulation
B. conduct a risk assessment to determine the risk of noncompliance
C. conduct benchmarking against similar organizations
D. perform a gap analysis against the new regulation
Correct Answer: D
Question #23
Which of the following is MOST important when establishing a successful information security governance framework?
A. Selecting information security steering committee members
B. Developing an information security strategy
C. Determining balanced scorecard metrics for information security
D. Identifying information security risk scenarios
Correct Answer: B
Question #24
Which of the following requirements would have the lowest level of priority in information security?
A. Technical
B. Regulatory
C. Privacy
D. Business
Correct Answer: A
Question #25
Which of the following is MOST important to consider when handling digital evidence during the forensics investigation of a cybercrime?
A. Business strategies
B. Industry best practices
C. Global standards
D.
Correct Answer: D
Question #26
Which of the following is the MOST important information to include in an information security standard?
A. Creation date
B. Author name
C. Initial draft approval date
D. Last review date
Correct Answer: D
Question #27
Which of the following actions should be taken when an information security manager discovers that a hacker is footprinting the network perimeter?
A. Reboot the border router connected to the firewall
B. Check IDS logs and monitor for any active attacks
C. Update IDS software to the latest available version
D. Enable server trace logging on the DMZ segment
Correct Answer: B
Question #28
At what stage of the applications development process should the security department initially become involved?
A. When requested
B. At testing
C. At programming
D. At detail requirements
Correct Answer: D
Question #29
An information security manager's PRIMARY objective for presenting key risks to the board of directors is to:
A. meet information security compliance requirements
B. ensure appropriate information security governance
C. quantify reputational risks
D. re-evaluate the risk appetite
Correct Answer: B
Question #30
The BEST way to encourage good security practices is to:
A. schedule periodic compliance audits
B. discipline those who fail to comply with the security policy
C. recognize appropriate security behavior by individuals
D. publish the information security policy
Correct Answer: C
Question #31
Which of the following should be the PRIMARY consideration when developing a security governance framework for an enterprise?
A. Understanding of the current business strategy
B. Assessment of the current security architecture
C. Results of a business impact analysis (BIA)
D. Benchmarking against industry best practice
Correct Answer: A
Question #32
After implementing an information security governance framework, which of the following would provide the BEST information to develop an information security project plan?
A. Risk heat map
B. Recent audit results
C. Balanced scorecard
D. Gap analysis
Correct Answer: C
Question #33
An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:
A. ensure that security processes are consistent across the organization
D. implement monitoring of key performance indicators for security processes
Correct Answer: A
Question #34
In addition to backup data, which of the following is the MOST important to store offsite in the event of a disaster?
A. Copies of critical contracts and service level agreements (SLAs)
B. Copies of the business continuity plan
C. Key software escrow agreements for the purchased systems
D. List of emergency numbers of service providers
Correct Answer: A
Question #35
Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?
A. Provide security awareness training to the third-party provider's employees
B. Conduct regular security reviews of the third-party provider
C. Include security requirements in the service contract
D. Request that the third-party provider comply with the organization's information security policy
Correct Answer: C
Question #36
When developing an information security governance framework, which of the following would be the MAIN impact when lacking senior management involvement?
A. Accountability for risk treatment is not clearly defined
B. Information security responsibilities are not communicated effectively
C. Resource requirements are not adequately considered
D. Information security plans do not support business requirements
Correct Answer: C
Question #37
A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?
A. Acceptance of the business manager's decision on the risk to the corporation
B. Acceptance of the information security manager's decision on the risk to the corporation
C. Review of the assessment with executive management for final input
D. A new risk assessment and BIA are needed to resolve the disagreement
Correct Answer: C
Question #38
The PRIORITY action to be taken when a server is infected with a virus is to:
A. isolate the infected server(s) from the network
B. identify all potential damage caused by the infection
C. ensure that the virus database files are current
D. establish security weaknesses in the firewall
Correct Answer: B
Question #39
Which of the following are the MOST important criteria when selecting virus protection software?
A. Product market share and annualized cost
B. Ability to interface with intrusion detection system (IDS) software and firewalls
C. Alert notifications and impact assessments for new viruses
D. Ease of maintenance and frequency of updates
Correct Answer: A
Question #40
Which of the following BEST ensures that security risks will be reevaluated when modifications in application developments are made?
A. A problem management process
B. Background screening
C. A change control process
D. Business impact analysis (BIA)
Correct Answer: C
Question #41
A computer incident response team (CIRT) manual should PRIMARILY contain which of the following documents?
A. Risk assessment results
B. Severity criteria
C. Emergency call tree directory
D. Table of critical backup files
Correct Answer: C
Question #42
Which of the following is the PRIMARY advantage of having an established information security governance framework in place when an organization is adopting emerging technologies?
A. An emerging technologies strategy is in place
B. An effective security risk management process is established
C. End user acceptance of emerging technologies is established
D. A cost-benefit analysis process is easier to perform
Correct Answer: B
Question #43
The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:
A. the plan aligns with the organization's business plan
D. the impact of the plan on the business units is reduced
Correct Answer: A
Question #44
Which of the following would be MOST important to consider when implementing security settings for a new system?
A. Results from internal and external audits
B. Government regulations and related penalties
C. Business objectives and related IT risk
D. Industry best practices applicable to the business
Correct Answer: C
Question #45
Which of the following disaster recovery testing techniques is the MOST cost-effective way to determine the effectiveness of the plan?
A. Preparedness tests
B. Paper tests
C.
D. Actual service disruption
Correct Answer: A
Question #46
Which of the following is the BEST reason to perform a business impact analysis (BIA)?
A. To help determine the current state of risk
B. To budget appropriately for needed controls
C. To satisfy regulatory requirements
D. To analyze the effect on the business
Correct Answer: A
Question #47
Which of the following is the BEST way to integrate information security into corporate governance?
A. Engage external security consultants in security initiatives
B. Conduct comprehensive information security management training for key stakeholders
C. Ensure information security processes are part of the existing management processes
D. Require periodic security risk assessments be performed
Correct Answer: C
Question #48
At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the vendor's hot site facility?
A. Erase data and software from devices
B. Conduct a meeting to evaluate the test
C.
D. Evaluate the results from all test scripts
Correct Answer: D
Question #49
An organization has implemented an enterprise resource planning (ERP) system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate?
A. Rule-based
B. Mandatory
C. Discretionary
D. Role-based
Correct Answer: D
Question #50
What is the MOST important factor in the successful implementation of an enterprise wide information security program?
A. Realistic budget estimates
B. Security awareness
C. Support of senior management
D. Recalculation of the work factor
Correct Answer: C
Question #51
When trying to integrate information security across an organization, the MOST important goal for a governing body should be to ensure:
A. the resources used for information security projects are kept to a minimum
B. information security is treated as a business critical issue
C. funding is approved for requested information security projects
D. periodic information security audits are conducted
Correct Answer: B
Question #52
In which of the following system development life cycle (SDLC) phases are access control and encryption algorithms chosen?
A. Procedural design
B. Architectural design
C. System design specifications
D. Software development
Correct Answer: A
Question #53
Which of the following is the BEST approach for an information security manager when developing new information security policies?
A. Create a stakeholder map
B. Reference an industry standard
C. Establish an information security governance committee
D. Download a policy template
Correct Answer: C
Question #54
Which of the following BEST demonstrates that an organization supports information security governance?
A. Employees attend annual organization-wide security training
B. Information security policies are readily available to employees
C. The incident response plan is documented and tested regularly
D. Information security steering committee meetings are held regularly
Correct Answer: D
Question #55
An information security manager believes that a network file server was compromised by a hacker. Which of the following should be the FIRST action taken?
A. Ensure that critical data on the server are backed up
B. Shut down the compromised server
C. Initiate the incident response process
D. Shut down the network
Correct Answer: A
Question #56
Which of the following would BEST help an information security manager prioritize remediation activities to meet regulatory requirements?
A. A capability maturity model matrix
B. Annual loss expectancy (ALE) of noncompliance
C. Cost of associated controls
D. Alignment with the IT strategy
Correct Answer: D
Question #57
Which of the following is the MOST important consideration for an organization interacting with the media during a disaster?
A. Communicating specially drafted messages by an authorized person
B. Refusing to comment until recovery
C. Referring the media to the authorities
D. Reporting the losses and recovery strategy to the media
Correct Answer: B