Success Secrets: CISM Exam Questions & Mock Tests, Certified Information Security Manager | SPOTO

Unlock the success secrets to mastering the Certified Information Security Manager (CISM) exam with SPOTO's comprehensive resources. Our meticulously crafted exam questions and mock tests cover all crucial topics, including information security governance, risk management, incident management, and regulatory compliance. Access a variety of exam preparation tools, including sample questions and exam materials, to enhance your understanding and sharpen your skills. Say goodbye to uncertainty and embrace trusted exam practice with SPOTO. Utilize our exam simulator to replicate the exam environment and perfect your exam-taking strategies effectively. Whether you're in need of exam dumps or online exam questions, SPOTO provides the essential resources for success. Start your exam preparation journey today with our free test and ensure you're fully prepared to excel in the CISM exam.
Question #1
The impact of losing frame relay network connectivity for 18-24 hours should be calculated using the:
A. hourly billing rate charged by the carrier
B. value of the data transmitted over the network
C. aggregate compensation of all affected business users
D. financial losses incurred by affected business units
Correct Answer: D
Question #2
When building a corporate-wide business continuity plan, it is discovered there are two separate lines of business systems that could be impacted by the same threat. Which of the following is the BEST method to determine the priority of system recovery in the event of a disaster?
A. Evaluating the cost associated with each system’s outage
B. Reviewing the business plans of each department
C. Comparing the recovery point objectives (RPOs)
D. Reviewing each system’s key performance indicators (KPIs)
Correct Answer: A
Question #3
The likelihood of a successful attack is a function of:
A. incentive and capability of the intruder
B. opportunity and asset value
C. threat and vulnerability levels
D. value and desirability to the intruder
Correct Answer: A
Question #4
Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?
A. Gap analysis
B. Regression analysis
C. Risk analysis
D. Business impact analysis
Correct Answer: D
Question #5
Which of the following is the MOST important factor to ensure information security is meeting the organization’s objectives?
A. Internal audit’s involvement in the security process
B. Implementation of a control self-assessment process
C. Establishment of acceptable risk thresholds
D. Implementation of a security awareness program
Correct Answer: C
Question #6
The MOST likely reason to use qualitative security risk assessments instead of quantitative methods is when:
A. an organization provides services instead of hard goods
B. a security program requires independent expression of risks
C. available data is too subjective
D. a mature security program is in place
Correct Answer: A
Question #7
Which of the following is the BEST strategy to implement an effective operational security posture?
A. Threat management
B. Defense in depth
C. Increased security awareness
D. Vulnerability management
Correct Answer: B
Question #8
Information security policies should be designed PRIMARILY on the basis of:
A. business demands
B. inherent risks
C. international standards
D. business risks
Correct Answer: D
Question #9
Which of the following is MOST critical to the successful implementation of information security within an organization?
A. The information security manager is responsible for setting information security policy
B. Strong risk management skills exist within the information security group
C. Budget is allocated for information security tools
D. Security is effectively marketed to all managers and employees
Correct Answer: D
Question #10
Which of the following is the BEST course of action for an information security manager to align security and business goals?
A. Defining key performance indicators (KPIs)
B. Actively engaging with stakeholders
C. Reviewing the business strategy
D. Conducting a business impact analysis (BIA)
Correct Answer: D
Question #11
A risk analysis should:
A. include a benchmark of similar companies in its scope
B. assume an equal degree of protection for all assets
C. address the potential size and likelihood of loss
D. give more weight to the likelihood vs
Correct Answer: C
Question #12
Which of the following is the BEST control to minimize the risk associated with loss of information as a result of ransomware exploiting a zero-day vulnerability?
A. A security operation center
B. A patch management process
C. A public key infrastructure
D. A data recovery process
Correct Answer: D
Question #13
Which of the following MUST be established before implementing a data loss prevention (DLP) system?
A. Privacy impact assessment
B. A data backup policy
C. Data classification
D. A data recovery policy
Correct Answer: C
Question #14
Shortly after installation, an intrusion detection system (IDS) reports a violation. Which of the following is the MOST likely explanation?
A. The violation is a false positive
B. A routine IDS log file upload has occurred
C. A routine IDS signature file download has occurred
D. An intrusion has occurred
Correct Answer: A
Question #15
The MAIN reason for deploying a public key infrastructure (PKI) when implementing an information security program is to:
A. ensure the confidentiality of sensitive material
B. provide a high assurance of identity
C. allow deployment of the active directory
D. implement secure sockets layer (SSL) encryption
Correct Answer: B
Question #16
A software vendor has announced a zero-day vulnerability that exposes an organization’s critical business systems. Which of the following should be the information security manager’s PRIMARY concern?
A. Business tolerance of downtime
B. Adequacy of the incident response plan
C. Availability of resources to implement controls
D. Ability to test patches prior to deployment
Correct Answer: C
Question #17
Who can BEST approve plans to implement an information security governance framework?
A. Internal auditor
B. Information security management
C. Steering committee
D. Infrastructure management
Correct Answer: C
Question #18
To ensure adequate disaster-preparedness among IT infrastructure personnel, it is MOST important to:
A. have the most experienced personnel participate in recovery tests
B. include end-user personnel in each recovery test
C. assign personnel-specific duties in the recovery plan
D. periodically rotate recovery-test participants
Correct Answer: D
Question #19
A risk was identified during a risk assessment. The business process owner has chosen to accept the risk because the cost of remediation is greater than the projected cost of a worst-case scenario. What should be the information security manager's NEXT course of action?
A. Determine a lower-cost approach to remediation
B. Document and schedule a date to revisit the issue
C. Shut down the business application
D. Document and escalate to senior management
Correct Answer: D
Question #20
What is the PRIMARY benefit to executive management when audit, risk, and security functions are aligned?
A. Reduced number of assurance reports
B. More effective decision making
C. More timely risk reporting
D. More efficient incident handling
Correct Answer: B
Question #21
Which of the following is the BEST way to address any gaps identified during an outsourced provider selection and contract negotiation process?
A. Make the provider accountable for security and compliance
B. Perform continuous gap assessments
C. Include audit rights in the service level agreement (SLA)
D. Implement compensating controls
Correct Answer: D
Question #22
Which of the following processes can be used to remediate identified technical vulnerabilities?
A. Running baseline configurations
B. Conducting a risk assessment
C. Performing a business impact analysis (BIA)
D. Running automated scanners
Correct Answer: B
Question #23
Which of the following is an important criterion for developing effective key risk indicators (KRIs) to monitor information security risk?
A. The indicator should possess a high correlation with a specific risk and be measured on a regular basis
B. The indicator should focus on IT and accurately represent risk variances
C. The indicator should align with key performance indicators and measure root causes of process performance issues
D. The indicator should provide a retrospective view of risk impacts and be measured annually
Correct Answer: A
Question #24
Which of the following is the PRIMARY goal of business continuity management?
A. Establish incident response procedures
B. Assess the impact to business processes
C. Increase survivability of the organization
D. Implement controls to prevent disaster
Correct Answer: C
Question #25
An awareness program is implemented to mitigate the risk of infections introduced through the use of social media. Which of the following will BEST determine the effectiveness of the awareness program?
A. A post-awareness program survey
B. A quiz based on the awareness program materials
C. A simulated social engineering attack
D. Employee attendance rate at the awareness program
Correct Answer: C
Question #26
Which of the following would BEST demonstrate the added value of an information security program?
A. Security baselines
B. A SWOT analysis
C. A gap analysis
D. A balanced scorecard
Correct Answer: B
Question #27
The PRIMARY objective of a risk response strategy should be:
A. threat reduction
B. regulatory compliance
C. senior management buy-in
D. appropriate control selection
Correct Answer: A
Question #28
An organization has an approved bring your own device (BYOD) program. Which of the following is the MOST effective method to enforce application control on personal devices?
A. Establish a mobile device acceptable use policy
B. Implement a mobile device management solution
C. Educate users regarding the use of approved applications
D. Implement a web application firewall
Correct Answer: B
Question #29
When scoping a risk assessment, assets need to be classified by:
A. likelihood and impact
B. sensitivity and criticality
C. threats and opportunities
D. redundancy and recoverability
Correct Answer: B
Question #30
Which of the following is MOST important for an information security manager to consider when identifying information security resource requirements?
A. Information security incidents
B. Information security strategy
C. Current resourcing levels
D. Availability of potential resources
Correct Answer: B
Question #31
Which of the following should be the PRIMARY goal of an information security manager when designing information security policies?
A. Reducing organizational security risk
B. Improving the protection of information
C. Minimizing the cost of security controls
D. Achieving organizational objectives
Correct Answer: D
Question #32
To implement a security framework, an information security manager must FIRST develop:
A. security standards
B. security procedures
C. a security policy
D. security guidelines
Correct Answer: D
Question #33
Which of the following would provide the BEST justification for a new information security investment?
A. Results of a comprehensive threat analysis
B. Projected reduction in risk
C. Senior management involvement in project prioritization
D. Defined key performance indicators (KPIs)
Correct Answer: A
Question #34
Which of the following would be MOST useful in a report to senior management for evaluating changes in the organization’s information security risk position?
A. Risk register
B. Trend analysis
C. Industry benchmarks
D. Management action plan
Correct Answer: A
Question #35
Which of the following risks would BEST be assessed using quantitative risk assessment techniques?
A. Customer data stolen
B. An electrical power outage
C. A web site defaced by hackers
D. Loss of the software development team
Correct Answer: B
Question #36
An organization’s senior management is encouraging employees to use social media for promotional purposes. Which of the following should be the information security manager’s FIRST step to support this strategy?
A. Incorporate social media into the security awareness program
B. Develop a guideline on the acceptable use of social media
C. Develop a business case for a data loss prevention (DLP) solution
D. Employ the use of a web content filtering solution
Correct Answer: B
Question #37
An organization has announced new initiatives to establish a big data platform and develop mobile apps. What is the FIRST step when defining new human resource requirements?
A. Request additional funding for recruiting and training
B. Analyze the skills necessary to support the new initiatives
C. Benchmark to an industry peer
D. Determine the security technology requirements for the initiatives
Correct Answer: B
Question #38
Which of the following is the MOST effective method of determining security priorities?
A. Impact analysis
B. Threat assessment
C. Vulnerability assessment
D. Gap analysis
Correct Answer: A
Question #39
Which metric is the BEST indicator that an update to an organization’s information security awareness strategy is effective?
A. A decrease in the number of incidents reported by staff
B. A decrease in the number of email viruses detected
C. An increase in the number of email viruses detected
D. An increase in the number of incidents reported by staff
Correct Answer: A
Question #40
Which of the following would be MOST effective in preventing malware from being launched through an email attachment?
A. Up-to-date security policies
B. Placing the e-mail server on a screened subnet
C. Security awareness training
D. A network intrusion detection system (NIDS)
Correct Answer: C
Question #41
Of the following, whose input is of GREATEST importance in the development of an information security strategy?
A. End users
B. Corporate auditors
C. Process owners
D. Security architects
Correct Answer: D
Question #42
In an organization implementing a data classification program, ultimate responsibility for the data on the database server lies with the:
A. information security manager
B. business unit manager
C. database administrator (DBA)
D. information technology manager
Correct Answer: A
Question #43
Which of the following is MOST important to consider when defining control objectives?
A. The current level of residual risk
B. The organization’s strategic objectives
C. Control recommendations from a recent audit
D. The organization’s risk appetite
Correct Answer: B
Question #44
When preparing a business case for the implementation of a security information and event management (SIEM) system, which of the following should be a PRIMARY driver in the feasibility study?
A. Cost of software
B. Cost-benefit analysis
C. Implementation timeframe
D. Industry benchmarks
Correct Answer: B
Question #45
Which of the following is the BEST method to determine whether an information security program meets an organization’s business objectives?
A. Implement performance measures
B. Review against international security standards
C. Perform a business impact analysis (BIA)
D. Conduct an annual enterprise-wide security evaluation
Correct Answer: A
Question #46
After assessing risk, the decision to treat the risk should be based PRIMARILY on:
A. availability of financial resources
B. whether the level of risk exceeds risk appetite
C. whether the level of risk exceeds inherent risk
D. the criticality of the risk
Correct Answer: B
Question #47
Which of the following should be the PRIMARY basis for determining risk appetite?
A. Organizational objectives
B. Senior management input
C. Industry benchmarks
D. Independent audit results
Correct Answer: A
Question #48
Which of the following should be the MOST important consideration when reporting sensitive risk-related information to stakeholders?
A. Ensuring nonrepudiation of communication
B. Consulting with the public relations director
C. Transmitting the internal communication securely
D. Customizing the communication to the audience
Correct Answer: C
Question #49
Mitigating technology risks to acceptable levels should be based PRIMARILY upon:
A. business process reengineering
B. business process requirement
C. legal and regulatory requirements
D. information security budget
Correct Answer: B
Question #50
Which of the following is the BEST approach for encouraging business units to assume their roles and responsibilities in an information security program?
A. Perform a risk assessment
B. Conduct an awareness program
C. Conduct a security audit
D. Develop controls and countermeasures
Correct Answer: B
Question #51
The MOST effective way to communicate the level of impact of information security risks on organizational objectives is to present:
A. business impact analysis (BIA) results
B. detailed threat analysis results
C. risk treatment options
D. a risk heat map
Correct Answer: D
Question #52
An organization plans to implement a document collaboration solution to allow employees to share company information. Which of the following is the MOST important control to mitigate the risk associated with the new solution?
A. Assign write access to data owners
B. Allow a minimum number of users access to the solution
C. Have data owners perform regular user access reviews
D. Permit only non-sensitive information on the solution
Correct Answer: C
Question #53
What should the information security manager recommend to support the development of a new web application that will allow retail customers to view inventory and order products?
A. Building an access control matrix
B. Request customers adhere to baseline security standards
C. Access through a virtual private network (VPN)
D. Implementation of secure transmission protocols
Correct Answer: D
Question #54
Which of the following will BEST help to ensure security is addressed when developing a custom application?
A. Conducting security training for the development staff
B. Integrating security requirements into the development process
C. Requiring a security assessment before implementation
D. Integrating a security audit throughout the development process
Correct Answer: B
Question #55
An organization with a maturing incident response program conducts post-incident reviews for all major information security incidents. The PRIMARY goal of these reviews should be to:
A. document and report the root cause of the incidents for senior management
B. identify security program gaps or systemic weaknesses that need correction
C. prepare properly vetted notifications regarding the incidents to external parties
D. identify who should be held accountable for the security incidents
Correct Answer: A
Question #56
Which of the following should be of MOST influence to an information security manager when developing IT security policies?
A. Past and current threats
B. IT security framework
C. Compliance with regulations
D. Business strategy
Correct Answer: D
Question #57
When using a newly implemented security information and event management (SIEM) infrastructure, which of the following should be considered FIRST?
A. Retention
B. Tuning
C. Encryption
D. Report distribution
Correct Answer: D
Question #58
What should be the PRIMARY objective of conducting interviews with business unit managers when developing an information security strategy?
A. Determine information types
B. Obtain information on departmental goals
C. Identify data and system ownership
D. Classify information assets
Correct Answer: B
Question #59
A third-party service provider is developing a mobile app for an organization’s customers. Which of the following issues should be of GREATEST concern to the information security manager?
A. Software escrow is not addressed in the contract
B. The contract has no requirement for secure development practices
C. The mobile app’s programmers are all offshore contractors
D. SLAs after deployment are not clearly defined
Correct Answer: B
Question #60
Which of the following should be of GREATEST concern to an information security manager when establishing a set of key risk indicators (KRIs)?
A. The impact of security risk on organizational objectives is not well understood
B. Risk tolerance levels have not yet been established
C. Several business functions have been outsourced to third-party vendors
D. The organization has no historical data on previous security events
Correct Answer: B
Question #61
In addition to cost, what is the BEST criterion for selecting countermeasures following a risk assessment?
A. Effort of implementation
B. Skill requirements for implementation
C. Effectiveness of each option
D. Maintenance requirements
Correct Answer: C
Question #62
Which of the following needs to be established between an IT service provider and its clients to BEST enable adequate continuity of service in preparation for an outage?
A. Data retention policies
B. Server maintenance plans
C. Recovery time objectives
D. Reciprocal site agreement
Correct Answer: C
Question #63
A CIO has asked the organization’s information security manager to provide both one-year and five-year plans for the information security program. What is the PRIMARY purpose for the long-term plan?
A. To create formal requirements to meet projected security needs for the future
B. To create and document a consistent progression of security capabilities
C. To prioritize risks on a longer scale than the one-year plan
D. To facilitate the continuous improvement of the IT organization
Correct Answer: D
Question #64
Which of the following is MOST helpful for prioritizing the recovery of IT assets during a disaster?
A. Business impact analysis (BIA)
B. Risk assessment
C. Vulnerability assessment
D. Cost-benefit analysis
Correct Answer: A
Question #65
Senior management has decided to accept a significant risk within a security remediation plan. Which of the following is the information security manager's BEST course of action?
A. Remediate the risk and document the rationale
B. Update the risk register with the risk acceptance
C. Communicate the remediation plan to the board of directors
D. Report the risk acceptance to regulatory agencies
Correct Answer: C
Question #66
An information security program should be established PRIMARILY on the basis of:
A. the approved information security strategy
B. the approved risk management approach
C. data security regulatory requirements
D. senior management input
Correct Answer: A
Question #67
Which of the following has the MOST direct impact on the usability of an organization's asset classification program?
A. The granularity of classifications in the hierarchy
B. The frequency of updates to the organization’s risk register
C. The business objectives of the organization
D. The support of senior management for the classification scheme
Correct Answer: A
Question #68
An organization has concerns regarding a potential advanced persistent threat (APT). To ensure that the risk associated with this threat is appropriately managed, what should be the organization's FIRST action?
A. Report to senior management
B. Initiate incident response processes
C. Implement additional controls
D. Conduct an impact analysis
Correct Answer: D