
Pass Your CISM Certification Questions & Practice Tests, Certified Information Security Manager | SPOTO

Achieve success in your CISM certification journey with SPOTO's comprehensive collection of practice tests and exam preparation resources. Our expertly crafted materials cover all essential topics, including information security governance, risk management, incident management, and regulatory compliance. Access a wide range of exam preparation tools, including sample questions and mock exams, to strengthen your knowledge and skills. Say farewell to unreliable sources and embrace trusted exam practice with SPOTO. Utilize our exam simulator to simulate the exam environment and refine your exam-taking strategies effectively. Whether you're seeking exam materials or online exam questions, SPOTO provides the essential resources for success. Kickstart your preparation today with our free test and ensure you're fully equipped to pass the Certified Information Security Manager exam.

Question #1
An information security manager has developed a strategy to address new information security risks resulting from recent changes in the business. Which of the following would be MOST important to include when presenting the strategy to senior management?
A. The costs associated with business process changes
B. Results of benchmarking against industry peers
C. The impact of organizational changes on the security risk profile
D. Security controls needed for risk mitigation
Correct Answer: C
Question #2
The security responsibility of data custodians in an organization will include:
A. assuming overall protection of information assets
B. determining data classification levels
C. implementing security controls in products they install
D. ensuring security measures are consistent with policy
Correct Answer: D
Question #3
Which of the following will BEST protect an organization from internal security attacks?
A. Static IP addressing
B. Internal address translation
C. Prospective employee background checks
D. Employee awareness certification program
Correct Answer: C
Question #4
The valuation of IT assets should be performed by:
A. an IT security manager
B. an independent security consultant
C. the chief financial officer (CFO)
D. the information owner
Correct Answer: D
Question #5
The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to:
A. provide in-depth defense
B. separate test and production
C. permit traffic load balancing
D. prevent a denial-of-service attack
Correct Answer: C
Question #6
To integrate security into system development life cycle (SDLC) processes, an organization MUST ensure that security:
A. is represented on the configuration control board
B. performance metrics have been met
C. roles and responsibilities have been defined
D. is a prerequisite for completion of major phases
Correct Answer: D
Question #7
An information security manager is preparing a presentation to obtain support for a security initiative. Which of the following would be the BEST way to obtain management’s commitment for the initiative?
A. Include historical data of reported incidents
B. Provide the estimated return on investment
C. Provide an analysis of current risk exposures
D. Include industry benchmarking comparisons
Correct Answer: A
Question #8
Which of the following vulnerabilities presents the GREATEST risk of external hackers gaining access to the corporate network?
A. Internal hosts running unnecessary services
B. Inadequate logging
C. Excessive administrative rights to an internal database
D. Missing patches on a workstation
Correct Answer: D
Question #9
A security manager meeting the requirements for the international flow of personal data will need to ensure:
A. a data processing agreement
B. a data protection registration
C. the agreement of the data subjects
D. subject access procedures
Correct Answer: C
Question #10
Over the last year, an information security manager has performed risk assessments on multiple third-party vendors. Which of the following criteria would be MOST helpful in determining the associated level of risk applied to each vendor?
A. Corresponding breaches associated with each vendor
B. Compensating controls in place to protect information security
C. Compliance requirements associated with the regulation
D. Criticality of the service to the organization
Correct Answer: B
Question #11
A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures?
A. Risk analysis results
B. Audit report findings
C. Penetration test results
D. Amount of IT budget available
Correct Answer: A
Question #12
Which of the following would provide the MOST essential input for the development of an information security strategy?
A. Measurement of security performance against IT goals
B. Results of an information security gap analysis
C. Availability of capable information security resources
D. Results of a technology risk assessment
Correct Answer: B
Question #13
Which of the following BEST enables a more efficient incident reporting process?
A. Training executive management for communication with external entities
B. Educating the incident response team on escalation procedures
C. Educating IT teams on compliance requirements
D. Training end users to identify abnormal events
Correct Answer: D
Question #14
An information security manager has discovered an external break-in to the corporate network. Which of the following actions should be taken FIRST?
A. Switch on trace logging
B. Copy event logs to a different server
C. Isolate the affected portion of the network
D. Shut down the network
Correct Answer: C
Question #15
An intrusion detection system should be placed:
A. outside the firewall
B. on the firewall server
C. on a screened subnet
D. on the external router
Correct Answer: C
Question #16
Which of the following is MOST helpful in protecting against hacking attempts on the production network?
A. Intrusion prevention systems (IPSs)
B. Network penetration testing
C. Security information and event management (SIEM) tools
D. Decentralized honeypot networks
Correct Answer: A
Question #17
Which of the following should an information security manager perform FIRST when an organization’s residual risk has increased?
A. Implement security measures to reduce the risk
B. Communicate the information to senior management
C. Transfer the risk to third parties
D. Assess the business impact
Correct Answer: A
Question #18
When facilitating the alignment of corporate governance and information security governance, which of the following is the MOST important role of an organization's security steering committee?
A. Obtaining support for the integration from business owners
B. Defining metrics to demonstrate alignment
C. Obtaining approval for the information security budget
D. Evaluating and reporting the degree of integration
Correct Answer: A
Question #19
The MOST important reason to maintain metrics for incident response activities is to:
A. ensure that evidence collection and preservation are standardized
B. prevent incidents from reoccurring
C. support continual process improvement
D. analyze security incident trends
Correct Answer: C
Question #20
Which of the following would MOST effectively ensure that information security is implemented in a new system?
A. Security baselines
B. Security scanning
C. Secure code reviews
D. Penetration testing
Correct Answer: D
Question #21
Who is ultimately responsible for the organization's information?
A. Data custodian
B. Chief information security officer (CISO)
C. Board of directors
D. Chief information officer (CIO)
Correct Answer: C
Question #22
Which of the following is the BEST reason to initiate a reassessment of current risk?
A. Follow-up to an audit report
B. A recent security incident
C. Certification requirements
D. Changes to security personnel
Correct Answer: B
Question #23
An information security manager has completed a risk assessment and has determined the residual risk. Which of the following should be the NEXT step?
A. Conduct an evaluation of controls
B. Determine if the risk is within the risk appetite
C. Implement countermeasures to mitigate risk
D. Classify all identified risks
Correct Answer: B
Question #24
Which of the following would be of GREATEST assistance in determining whether to accept residual risk of a critical security system?
A. Maximum tolerable outage (MTO)
B. Cost-benefit analysis of mitigating controls
C. Annual loss expectancy (ALE)
D. Approved annual budget
Correct Answer: B
Question #25
Which of the following techniques is MOST useful when an incident response team needs to respond to external attacks on multiple corporate network devices?
A. Penetration testing of network devices
B. Vulnerability assessment of network devices
C. Endpoint baseline configuration analysis
D. Security event correlation analysis
Correct Answer: D
Question #26
Which of the following is an organization’s BEST approach for media communications when experiencing a disaster?
A. Defer public comment until partial recovery has been achieved
B. Report high-level details of the losses and recovery strategy to the media
C. Authorize a qualified representative to convey specially drafted messages
D. Hold a press conference and advise the media to refer to legal authorities
Correct Answer: C
Question #27
To effectively manage an organization’s information security risk, it is MOST important to:
A. periodically identify and correct new systems vulnerabilities
B. assign risk management responsibility to end users
C. benchmark risk scenarios against peer organizations
D. establish and communicate risk tolerance
Correct Answer: A
Question #28
An organization performed a risk analysis and found a large number of assets with low-impact vulnerabilities. The NEXT action of the information security manager should be to:
A. determine appropriate countermeasures
B. transfer the risk to a third party
C. report to management
D. quantify the aggregated risk
Correct Answer: D
Question #29
Investment in security technology and processes should be based on:
A. clear alignment with the goals and objectives of the organization
B. success cases that have been experienced in previous projects
C. best business practices
D. safeguards that are inherent in existing technology
Correct Answer: A
Question #30
Which of the following provides the BEST opportunity to evaluate the capabilities of incident response team members?
A. Disaster recovery exercise
B. Black box penetration test
C. Breach simulation exercise
D. Tabletop test
Correct Answer: D
Question #31
The MOST effective way to determine the resources required by internal incident response teams is to:
A. test response capabilities with event scenarios
B. determine the scope and charter of incident response
C. request guidance from incident management consultants
D. benchmark against other incident management programs
Correct Answer: A
Question #32
What will have the HIGHEST impact on standard information security governance models?
A. Number of employees
B. Distance between physical locations
C. Complexity of organizational structure
D. Organizational budget
Correct Answer: C
Question #33
A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?
A. Acceptance of the business manager's decision on the risk to the corporation
B. Acceptance of the information security manager's decision on the risk to the corporation
C. Review of the assessment with executive management for final input
D. A new risk assessment and BIA are needed to resolve the disagreement
Correct Answer: C
Question #34
Which of the following is the MOST effective way to communicate information security risk to senior management?
A. Business impact analysis
B. Balanced scorecard
C. Key performance indicators (KPIs)
D. Heat map
Correct Answer: D
Question #35
The MOST important element in achieving executive commitment to an information security governance program is:
A. identified business drivers
B. a process improvement model
C. established security strategies
D. a defined security framework
Correct Answer: C
Question #36
Which of the following is MOST important for an information security manager to verify when selecting a third-party forensics provider?
A. Technical capabilities of the provider
B. Existence of the provider’s incident response plan
C. Results of the provider’s business continuity tests
D. Existence of a right-to-audit clause
Correct Answer: A
Question #37
Which of the following BEST illustrates residual risk within an organization?
A. Risk management framework
B. Risk register
C. Business impact analysis
D. Heat map
Correct Answer: A
Question #38
The PRIMARY objective of periodically testing an incident response plan should be to:
A. highlight the importance of incident response and recovery
B. harden the technical infrastructure
C. improve internal processes and procedures
D. improve employee awareness of the incident response process
Correct Answer: C
Question #39
Senior management has allocated funding to each of the organization’s divisions to address information security vulnerabilities. The funding is based on each division’s technology budget from the previous fiscal year. Which of the following should be of GREATEST concern to the information security manager?
A. Areas of highest risk may not be adequately prioritized for treatment
B. Redundant controls may be implemented across divisions
C. Information security governance could be decentralized by division
D. Return on investment may be inconsistently reported to senior management
Correct Answer: A
Question #40
It is MOST important for an information security manager to ensure that security risk assessments are performed:
A. consistently throughout the enterprise
B. during a root cause analysis
C. as part of the security business case
D. in response to the threat landscape
Correct Answer: D
Question #41
Which of the following would be MOST helpful when justifying the funding required for a compensating control?
A. Business case
B. Risk analysis
C. Business impact analysis
D. Threat assessment
Correct Answer: C
Question #42
Which of the following is the BEST method for ensuring that security procedures and guidelines are known and understood?
A. Periodic focus group meetings
B. Periodic compliance reviews
C. Computer-based certification training (CBT)
D. Employee's signed acknowledgement
Correct Answer: A
Question #43
Which of the following is MOST important to help ensure an intrusion prevention system (IPS) can view all traffic in a demilitarized zone (DMZ)?
A. All internal traffic is routed to the IPS
B. Connected devices can contact the IPS
C. The IPS is placed outside of the firewall
D. Traffic is decrypted before processing by the IPS
Correct Answer: D
Question #44
Which of the following is the PRIMARY goal of an incident response team during a security incident?
A. Ensure the attackers are detected and stopped
B. Minimize disruption to business-critical operations
C. Maintain a documented chain of evidence
D. Shut down the affected systems to limit the business impact
Correct Answer: B
Question #45
Which of the following is the BEST way to determine if an information security program aligns with corporate governance?
A. Evaluate funding for security initiatives
B. Survey end users about corporate governance
C. Review information security policies
D. Review the balanced scorecard
Correct Answer: C
Question #46
Internal audit has reported a number of information security issues which are not in compliance with regulatory requirements. What should the information security manager do FIRST?
A. Create a security exception
B. Perform a vulnerability assessment
C. Perform a gap analysis to determine needed resources
D. Assess the risk to business operations
Correct Answer: C
Question #47
An online trading company discovers that a network attack has penetrated the firewall. What should be the information security manager’s FIRST response?
A. Notify the regulatory agency of the incident
B. Evaluate the impact to the business
C. Implement mitigating controls
D. Examine firewall logs to identify the attacker
Correct Answer: C
Question #48
Which of the following is a PRIMARY security responsibility of an information owner?
A. Deciding what level of classification the information requires
B. Testing information classification controls
C. Maintaining the integrity of data in the information system
D. Determining the controls associated with information classification
Correct Answer: C
Question #49
What is the PRIMARY goal of an incident management program?
A. Minimize impact to the organization
B. Contain the incident
C. Identify root cause
D. Communicate to external entities
Correct Answer: A
Question #50
Which of the following is the FIRST step to perform before outsourcing critical information processing to a third party?
A. Require background checks for third-party employees
B. Perform a risk assessment
C. Ensure that risks are formally accepted by third party
D. Negotiate a service level agreement
Correct Answer: B
Question #51
When outsourcing information security administration, it is MOST important for an organization to include:
A. nondisclosure agreements (NDAs)
B. contingency plans
C. insurance requirements
D. service level agreements (SLAs)
Correct Answer: A
Question #52
Which of the following would BEST address the risk of data leakage?
Correct Answer: C
Question #53
The BEST way to minimize errors in the response to an incident is to:
A. follow standard operating procedures
B. analyze the situation during the incident
C. implement vendor recommendations
D. reference system administration manuals
Correct Answer: A
Question #54
The PRIMARY reason for implementing scenario-based training for incident response is to:
A. help incident response team members understand their assigned roles
B. verify threats and vulnerabilities faced by the incident response team
C. ensure staff knows where to report in the event evacuation is required
D. assess the timeliness of the incident team response and remediation
Correct Answer: D
Question #55
Security governance is MOST associated with which of the following IT infrastructure components?
A. Network
B. Application
C. Platform
D. Process
Correct Answer: D
Question #56
Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?
A. Alignment with industry best practices
B. Business continuity investment
C. Business benefits
D. Regulatory compliance
Correct Answer: D
Question #57
When responding to an incident, which of the following is required to ensure evidence remains legally admissible in court?
A. Law enforcement oversight
B. Chain of custody
C. A documented incident response plan
D. Certified forensics examiners
Correct Answer: B
Question #58
Which of the following would BEST help to ensure the alignment between information security and business functions?
A. Establishing an information security governance committee
B. Developing information security policies
C. Providing funding for information security efforts
D. Establishing a security awareness program
Correct Answer: A
Question #59
Which of the following tools is MOST appropriate for determining how long a security project will take to implement?
A. Gantt chart
B. Waterfall chart
C. Critical path
D. Rapid Application Development (RAD)
Correct Answer: B
Question #60
During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?
A. Feasibility
B. Design
C. Development
D. Testing
Correct Answer: A
Question #61
Which of the following is the BEST metric for evaluating the effectiveness of security awareness training? The number of:
A. password resets
B. reported incidents
C. incidents resolved
D. access rule violations
Correct Answer: C
Question #62
Risk assessment should be conducted on a continuing basis because:
A. controls change on a continuing basis
B. the number of hacking incidents is increasing
C. management should be updated about changes in risk
D. factors that affect information security change
Correct Answer: C
Question #63
An information security manager is reviewing the organization’s incident response policy affected by a proposed public cloud integration. Which of the following will be the MOST difficult to resolve with the cloud service provider?
A. Accessing information security event data
B. Regular testing of incident response plan
C. Obtaining physical hardware for forensic analysis
D. Defining incidents and notification criteria
Correct Answer: C
Question #64
When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?
A. Compliance with international security standards
B. Use of a two-factor authentication system
C. Existence of an alternate hot site in case of business disruption
D. Compliance with the organization's information security requirements
Correct Answer: D
Question #65
Which of the following is the MAIN objective of classifying a security incident as soon as it is discovered?
A. Engaging appropriate resources
B. Enabling appropriate incident investigation
C. Downgrading the impact of the incident
D. Preserving relevant evidence
Correct Answer: A
Question #66
Senior management wants to provide mobile devices to its sales force. Which of the following should the information security manager do FIRST to support this objective?
A. Assess risks introduced by the technology
B. Develop an acceptable use policy
C. Conduct a vulnerability assessment on the devices
D. Research mobile device management (MDM) solutions
Correct Answer: A