
Prepare CISM Exam Questions & Practice Tests, Certified Information Security Manager | SPOTO

Prepare thoroughly for the Certified Information Security Manager (CISM) exam with SPOTO's comprehensive resources. Our expertly crafted exam questions and practice tests cover all essential topics, including information security governance, risk management, incident management, and regulatory compliance. Access a variety of exam preparation tools, including sample questions and mock exams, to enhance your understanding and boost your confidence. Say goodbye to unreliable sources and embrace trusted exam practice with SPOTO. Utilize our exam simulator to replicate the exam environment and refine your exam-taking strategies effectively. Whether you're in need of exam materials or online exam questions, SPOTO provides the essential resources for success. Start your exam preparation journey today with our free test and ensure you're fully prepared to pass the CISM exam.

Question #1
In organizations where availability is a primary concern, the MOST critical success factor of the patch management procedure would be the:
A. testing time window prior to deployment
B. technical skills of the team responsible
C. certification of validity for deployment
D. automated deployment to all the servers
Correct Answer: A
Question #2
Which of the following is MOST important for measuring the effectiveness of a security awareness program?
A. Reduced number of security violation reports
B. A quantitative evaluation to ensure user comprehension
C. Increased interest in focus groups on security issues
D. Increased number of security violation reports
Correct Answer: B
Question #3
Segregation of duties is a security control PRIMARILY used to:
A. establish dual check
B. establish hierarchy
C. limit malicious behavior
D. decentralize operations
Correct Answer: C
Question #4
An organization implemented a mandatory information security awareness training program a year ago. What is the BEST way to determine its effectiveness?
A. Analyze findings from previous audit reports
B. Analyze results from training completion reports
C. Analyze results of a social engineering test
D. Analyze responses from an employee survey of training satisfaction
Correct Answer: C
Question #5
What is the BEST method to confirm that all firewall rules and router configuration settings are adequate?
A. Periodic review of network configuration
B. Review intrusion detection system (IDS) logs for evidence of attacks
C. Periodically perform penetration tests
D. Daily review of server logs for evidence of hacker activity
Correct Answer: C
Question #6
An information security manager is concerned that executive management does not support information security initiatives. Which of the following is the BEST way to address this situation?
A. Report the risk and status of the information security program to the board
B. Revise the information security strategy to meet executive management’s expectations
C. Escalate noncompliance concerns to the internal audit manager
D. Demonstrate alignment of the information security function with business needs
Correct Answer: D
Question #7
Which of the following could be detected by a network intrusion detection system (IDS)?
A. Undocumented open ports
B. Unauthorized file change
C. Internally generated attacks
D. Emailed virus attachments
Correct Answer: A
Question #8
An information security manager suspects that the organization has suffered a ransomware attack. What should be done FIRST?
A. Notify senior management
B. Alert employees to the attack
C. Confirm the infection
D. Isolate the affected systems
Correct Answer: C
Question #9
Which of the following activities would BEST incorporate security into the software development life cycle (SDLC)?
A. Minimize the use of open source software
B. Include security training for the development team
C. Scan operating systems for vulnerabilities
D. Test applications before go-live
Correct Answer: D
Question #10
The PRIMARY benefit of integrating information security activities into change management processes is to:
A. ensure required controls are included in changes
B. protect the organization from unauthorized changes
C. provide greater accountability for security-related changes in the business
D. protect the business from collusion and compliance threats
Correct Answer: A
Question #11
Which of the following analyses will BEST identify the external influences to an organization’s information security?
A. Gap analysis
B. Business impact analysis
C. Threat analysis
D. Vulnerability analysis
Correct Answer: C
Question #12
An organization recently rolled out a new procurement program that does not include any security requirements. Which of the following should the information security manager do FIRST?
A. Conduct security assessments of vendors based on value of annual spend with each vendor
B. Meet with the head of procurement to discuss aligning security with the organization's operational objectives
C. Ask internal audit to conduct an assessment of the current state of third-party security controls
D. Escalate the procurement program gaps to the compliance department in case of noncompliance issues
Correct Answer: B
Question #13
An organization permits the storage and use of its critical and sensitive information on employee-owned smartphones. Which of the following is the BEST security control?
A. Requiring the backup of the organization’s data by the user
B. Establishing the authority to remote wipe
C. Monitoring how often the smartphone is used
D. Developing security awareness training
Correct Answer: D
Question #14
Which of the following would BEST assist an IS manager in gaining strategic support from executive management?
A. Annual report of security incidents within the organization
B. Research on trends in global information security breaches
C. Rating of the organization’s security, based on international standards
D. Risk analysis specific to the organization
Correct Answer: D
Question #15
An organization has established information security policies, but the information security manager has noted a large number of exception requests. Which of the following is the MOST likely reason for this situation?
A. The organization is operating in a highly regulated industry
B. The information security program is not adequately funded
C. The information security policies lack alignment with corporate goals
D. The information security policies are not communicated across the organization
Correct Answer: C
Question #16
Senior management has expressed concern that the organization’s intrusion prevention system may repeatedly disrupt business operations. Which of the following BEST indicates that the information security manager has tuned the system to address this concern?
A. Decreasing false positives
B. Decreasing false negatives
C. Increasing false positives
D. Increasing false negatives
Correct Answer: A
Question #17
Of the following, who should have PRIMARY responsibility for assessing the security risk associated with an outsourced cloud provider contract?
A. Information security manager
B. Compliance manager
C. Chief information officer
D. Service delivery manager
Correct Answer: D
Question #18
Which of the following is the MOST effective method to prevent a SQL injection in an employee portal?
A. Reconfigure the database schema
B. Enforce referential integrity on the database
C. Conduct code reviews
D. Conduct network penetration testing
Correct Answer: B
Question #19
The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:
A. change the root password of the system
B. implement multifactor authentication
C. rebuild the system from the original installation medium
D. disconnect the mail server from the network
Correct Answer: C
Question #20
The PRIMARY benefit of integrating information security risk into enterprise risk management is to:
A. ensure timely risk mitigation
B. justify the information security budget
C. obtain senior management’s commitment
D. provide a holistic view of risk
Correct Answer: D
Question #21
Senior management has endorsed a comprehensive information security policy. Which of the following should the organization do NEXT?
A. Promote awareness of the policy among employees
B. Seek policy buy-in from business stakeholders
C. Implement an authentication and authorization system
D. Identify relevant information security frameworks for adoption
Correct Answer: B
Question #22
The PRIMARY reason for defining the information security roles and responsibilities of staff throughout an organization is to:
A. reinforce the need for training
B. increase corporate accountability
C. comply with security policy
D. enforce individual accountability
Correct Answer: C
Question #23
Which of the following would be MOST effective when justifying the cost of adding security controls to an existing web application?
A. Internal audit reports
B. Application security policy
C. Vulnerability assessment results
D. A business case
Correct Answer: D
Question #24
Which of the following is a potential indicator of inappropriate Internet use by staff?
A. Increased help desk calls for password resets
B. Reduced number of pings on firewalls
C. Increased reports of slow system performance
D. Increased number of weaknesses from vulnerability scans
Correct Answer: C
Question #25
Which of the following is the PRIMARY objective of reporting security metrics to stakeholders?
A. To identify key controls within the organization
B. To provide support for security audit activities
C. To communicate the effectiveness of the security program
D. To demonstrate alignment to the business strategy
Correct Answer: D
Question #26
The PRIMARY reason for using metrics to evaluate information security is to:
A. identify security weaknesses
B. justify budgetary expenditures
C. enable steady improvement
D. raise awareness on security issues
Correct Answer: C
Question #27
In which of the following ways can an information security manager BEST ensure that security controls are adequate for supporting business goals and objectives?
A. Reviewing results of the annual company external audit
B. Adopting internationally accepted controls
C. Enforcing strict disciplinary procedures in case of noncompliance
D. Using the risk management process
Correct Answer: D
Question #28
Which of the following devices, when placed in a demilitarized zone (DMZ), would be considered the MOST significant exposure?
A. Proxy server
B. Mail relay server
C. Application server
D. Database server
Correct Answer: D
Question #29
A critical device is delivered with a single user and password that is required to be shared for multiple users to access the device. An information security manager has been tasked with ensuring all access to the device is authorized. Which of the following would be the MOST efficient means to accomplish this?
A. Enable access through a separate device that requires adequate authentication
B. Implement manual procedures that require password change after each use
C. Request the vendor to add multiple user IDs
D. Analyze the logs to detect unauthorized access
Correct Answer: A
Question #30
Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?
A. User ad hoc reporting is not logged
B. Network traffic is through a single switch
C. Operating system (OS) security patches have not been applied
D. Database security defaults to ERP settings
Correct Answer: C
Question #31
An organization is MOST at risk from a new worm being introduced through the intranet when:
A. desktop virus definition files are not up to date
B. system software does not undergo integrity checks
C. hosts have static IP addresses
D. executable code is run from inside the firewall
Correct Answer: A
Question #32
Ensuring that activities performed by outsourcing providers comply with information security policies can BEST be accomplished through the use of:
A. service level agreements
B. independent audits
C. explicit contract language
D. local regulations
Correct Answer: B
Question #33
Which of the following is the BEST way to increase the visibility of information security within an organization’s culture?
A. Requiring cross-functional information security training
B. Implementing user awareness campaigns for the entire company
C. Publishing an acceptable use policy
D. Establishing security policies based on industry standards
Correct Answer: A
Question #34
Which of the following would be MOST helpful in gaining support for a business case for an information security initiative?
A. Demonstrating organizational alignment
B. Emphasizing threats to the organization
C. Referencing control deficiencies
D. Presenting a solution comparison matrix
Correct Answer: A
Question #35
Which of the following would be an information security manager’s PRIMARY challenge when deploying a Bring Your Own Device (BYOD) mobile program in an enterprise?
A. End user acceptance
B. Configuration management
C. Mobile application control
D. Disparate device security
Correct Answer: C
Question #36
Which of the following is the MOST effective data loss control when connecting a personally owned mobile device to the corporate email system?
A. Email must be stored in an encrypted format on the mobile device
B. Email synchronization must be prevented when connected to a public Wi-Fi hotspot
C. A senior manager must approve each connection
D. Users must agree to allow the mobile device to be wiped if it is lost
Correct Answer: D
Question #37
After logging in to a web application, further password credentials are required at various application points. Which of the following is the PRIMARY reason for such an approach?
A. To ensure access is granted to the authorized person
B. To enforce strong two-factor authentication
C. To ensure session management variables are secure
D. To implement single sign-on
Correct Answer: A
Question #38
Which of the following is the MOST important factor when determining the frequency of information security reassessment?
A. Risk priority
B. Risk metrics
C. Audit findings
D. Mitigating controls
Correct Answer: B
Question #39
When defining responsibilities with a cloud computing vendor, which of the following should be regarded as a shared responsibility between user and provider?
A. Data ownership
B. Access log review
C. Application logging
D. Incident response
Correct Answer: A
Question #40
Calculation of the recovery time objective (RTO) is necessary to determine the:
A. time required to restore files
B. priority of restoration
C. point of synchronization
D. annual loss expectancy (ALE)
Correct Answer: B
Question #41
To help ensure that contract personnel do not obtain unauthorized access to sensitive information, an information security manager should PRIMARILY:
A. set their accounts to expire in six months or less
B. avoid granting system administration roles
C. ensure they successfully pass background checks
D. ensure their access is approved by the data owner
Correct Answer: B
Question #42
An organization’s HR department would like to outsource its employee system to a cloud-hosted solution due to features and cost savings offered. Management has identified this solution as a business need and wants to move forward. What should be the PRIMARY role of information security in this effort?
A. Explain security issues associated with the solution to management
B. Determine how to securely implement the solution
C. Ensure the service provider has the appropriate certifications
D. Ensure a security audit is performed of the service provider
Correct Answer: B
Question #43
Which of the following would BEST help to ensure compliance with an organization’s information security requirements by an IT service provider?
A. Requiring an external security audit of the IT service provider
B. Defining information security requirements with internal IT
C. Requiring regular reporting from the IT service provider
D. Defining the business recovery plan with the IT service provider
Correct Answer: A
Question #44
An information security manager reviewed the access control lists and observed that privileged access was granted to an entire department. Which of the following should the information security manager do FIRST?
A. Review the procedures for granting access
B. Establish procedures for granting emergency access
C. Meet with data owners to understand business needs
D. Redefine and implement proper access rights
Correct Answer: C
Question #45
An information security team is investigating an alleged breach of an organization’s network. Which of the following would be the BEST single source of evidence to review?
A. Intrusion detection system
B. SIEM tool
C. Antivirus software
D. File integrity monitoring software
Correct Answer: B
Question #46
An organization will be outsourcing mission-critical processes. Which of the following is MOST important to verify before signing the service level agreement (SLA)?
A. The provider has implemented the latest technologies
B. The provider’s technical staff are evaluated annually
C. The provider is widely known within the organization’s industry
D. The provider has been audited by a recognized audit firm
Correct Answer: D
Question #47
A payroll application system accepts individual user sign-on IDs and then connects to its database using a single application ID. The GREATEST weakness under this system architecture is that:
A. users can gain direct access to the application ID and circumvent data controls
B. when multiple sessions with the same application ID collide, the database locks up
C. the database becomes unavailable if the password of the application ID expires
D. an incident involving unauthorized access to data cannot be tied to a specific user
Correct Answer: D
Question #48
Which of the following tools BEST demonstrates the effectiveness of the information security program?
A. Key risk indicators (KRIs)
B. Management satisfaction surveys
C. Risk heat map
D. A security balanced scorecard
Correct Answer: D
Question #49
Which of the following is an example of a vulnerability?
A. Natural disasters
B. Defective software
C. Ransomware
D. Unauthorized users
Correct Answer: B
Question #50
Which of the following would present the GREATEST need to revise information security policies?
A. A merger with a competing company
B. An increase in reported incidents
C. Implementation of a new firewall
D. Changes in standards and procedures
Correct Answer: A
Question #51
The BEST way to report to the board on the effectiveness of the information security program is to present:
A. a dashboard illustrating key performance metrics
B. peer-group industry benchmarks
C. a summary of the most recent audit findings
D. a report of cost savings from process improvements
Correct Answer: A
Question #52
An advantage of antivirus software schemes based on change detection is that they have:
A. a chance of detecting current and future viral strains
B. a more flexible directory of viral signatures
C. to be updated less frequently than activity monitors
D. the highest probability of avoiding false alarms
Correct Answer: A
Question #53
Knowing which of the following is MOST important when the information security manager is seeking senior management commitment?
A. Security costs
B. Technical vulnerabilities
C. Security technology requirements
D. Implementation tasks
Correct Answer: C
Question #54
A validated patch to address a new vulnerability that may affect a mission-critical server has been released. What should be done immediately?
A. Add mitigating controls
B. Check the server’s security and install the patch
C. Conduct an impact analysis
D. Take the server off-line and install the patch
Correct Answer: C
Question #55
Which is MOST important when contracting an external party to perform a penetration test?
A. Provide network documentation
B. Obtain approval from IT management
C. Define the project scope
D. Increase the frequency of log reviews
Correct Answer: B
Question #56
Which of the following activities should take place FIRST when a security patch for Internet software is received from a vendor?
A. The patch should be validated using a hash algorithm
B. The patch should be applied to critical systems
C. The patch should be deployed quickly to systems that are vulnerable
D. The patch should be evaluated in a testing environment
Correct Answer: A
Question #57
During a review to approve a penetration test plan, which of the following should be an information security manager’s PRIMARY concern?
A. Penetration test team’s deviation from scope
B. Unauthorized access to administrative utilities
C. False positive alarms to operations staff
D. Impact on production systems
Correct Answer: D
Question #58
Spoofing should be prevented because it may be used to:
A. assemble information, track traffic, and identify network vulnerabilities
B. predict which way a program will branch when an option is presented
C. gain illegal entry to a secure system by faking the sender’s address
D. capture information such as passwords traveling through the network
Correct Answer: C
Question #59
Which of the following is the BEST way to demonstrate to senior management that organizational security practices comply with industry standards?
A. Results of an independent assessment
B. Up-to-date policy and procedures documentation
C. A report on the maturity of controls
D. Existence of an industry-accepted framework
Correct Answer: A
Question #60
Most security vulnerabilities in software exist because:
A. security features are not tested adequately
B. software has undocumented features
C. security is not properly designed
D. software is developed without adherence to standards
Correct Answer: D
Question #61
To prevent computers on the corporate network from being used as part of a distributed denial of service attack, the information security manager should use:
A. incoming traffic filtering
B. outgoing traffic filtering
C. IT security policy dissemination
D. rate limiting
Correct Answer: B
Question #62
Which of the following is the BEST approach when using sensitive customer data during the testing phase of a systems development project?
A. Establish the test environment on a separate network
B. Sanitize customer data
C. Monitor the test environment for data loss
D. Implement equivalent controls to those on the source system
Correct Answer: B
Question #63
Once a suite of security controls has been successfully implemented for an organization’s business units, it is MOST important for the information security manager to:
A. ensure the controls are regularly tested for ongoing effectiveness
B. hand over the controls to the relevant business owners
C. prepare to adapt the controls for future system upgrades
D. perform testing to compare control performance against industry levels
Correct Answer: A
Question #64
Which of the following is the FIRST task when determining an organization’s information security profile?
A. Build an asset inventory
B. List administrative privileges
C. Establish security standards
D. Complete a threat assessment
Correct Answer: C
Question #65
A risk analysis for a new system is being performed. For which of the following is business knowledge MORE important than IT knowledge?
A. Vulnerability analysis
B. Balanced scorecard
C. Cost-benefit analysis
D. Impact analysis
Correct Answer: B
Question #66
Due to budget constraints, an internal IT application does not include the necessary controls to meet a client service level agreement (SLA). Which of the following is the information security manager’s BEST course of action?
A. Inform the legal department of the deficiency
B. Analyze and report the issue to senior management
C. Require the application owner to implement the controls
D. Assess and present the risks to the application owner
Correct Answer: D
Question #67
In a resource-restricted security program, which of the following approaches will provide the BEST use of the limited resources?
A. Cross-training
B. Risk avoidance
C. Risk prioritization
D. Threat management
Correct Answer: C
Question #68
The MAIN reason for internal certification of web-based business applications is to ensure:
A. compliance with industry standards
B. changes to the organizational policy framework are identified
C. up-to-date web technology is being used
D. compliance with organizational policies
Correct Answer: D
Question #69
When recommending a preventive control against cross-site scripting in web applications, an information security manager is MOST likely to suggest:
A. using https in place of http
B. coding standards and code review
C. consolidating multiple sites into a single portal
D. hardening of the web server’s operating system
Correct Answer: B
Question #70
Which of the following would be MOST important to include in a bring your own device (BYOD) policy with regard to lost or stolen devices? The need for employees to:
A. initiate the company’s incident reporting process
B. seek advice from the mobile service provider
C. notify local law enforcement
D. request a remote wipe of the device
Correct Answer: D
Question #71
An organization is considering a self-service solution for the deployment of virtualized development servers. Which of the following should be the information security manager’s PRIMARY concern?
A. Ability to maintain server security baseline
B. Ability to remain current with patches
C. Generation of excessive security event logs
D. Segregation of servers from the production environment
Correct Answer: D
Question #72
Which of the following should be the MOST important consideration when implementing an information security framework?
A. Compliance requirements
B. Audit findings
C. Risk appetite
D. Technical capabilities
Correct Answer: A
Question #73
Which of the following BEST reduces the likelihood of leakage of private information via email?
A. Email encryption
B. User awareness training
C. Strong user authentication protocols
D. Prohibition on the personal use of email
Correct Answer: D
Question #74
During an annual security review of an organization’s servers, it was found that the customer service team’s file server, which contains sensitive customer data, is accessible to all user IDs in the organization. Which of the following should the information security manager do FIRST?
A. Report the situation to the data owner
B. Remove access privileges to the folder containing the data
C. Isolate the server from the network
D. Train the customer service team on properly controlling file permissions
Correct Answer: A
Question #75
An internal control audit has revealed a control deficiency related to a legacy system where the compensating controls no longer appear to be effective. Which of the following would BEST help the information security manager determine the security requirements to resolve the control deficiency?
A. Risk assessment
B. Gap analysis
C. Cost-benefit analysis
D. Business case
Correct Answer: B
Question #76
Which of the following is the MOST important factor in an organization’s selection of a key risk indicator (KRI)?
A. Return on investment
B. Organizational culture
C. Compliance requirements
D. Criticality of information
Correct Answer: D
Question #77
Which of the following is the PRIMARY objective of a business impact analysis (BIA)?
A. Analyze vulnerabilities
B. Determine recovery priorities
C. Confirm control effectiveness
D. Define the recovery point objective (RPO)
Correct Answer: D