Home > Information Security > Quizzes > Certified Information Security Manager (CISM) Test Prep Questions
Certified Information Security Manager (CISM) Test Prep Questions
Fast practice, instant feedback. Timer auto-submits when time’s up.
Avg score: 38% Most missed: “A control for protecting an information technology (IT) asset, such as a laptop …”

ISACA CISM Exam syllabus in brief:

Information Security Governance    
A. Enterprise Governance
B. Information Security Strategy

Information Security Risk Management    
A. Information Security Risk Assessment
B. Information Security Risk Response

Information Security Program    
A. Information Security Program Development
B. Information Security Program Management

Incident Management    
A. Incident Management Readiness
B. Incident Management Operations

Certified Information Security Manager (CISM) Test Prep Questions
Time left 00:00
25 Questions

1. Which of the following should be understood before defining risk management strategies?
2. Which of the following risk scenarios would BEST be assessed using qualitative risk assessment techniques?
3. N organization has recently developed and approved an access control policy. Which of the following will be MOST effective in communicating the access control policy to the employees?
4. What is the initial step that an information security manager would take during the requirements gathering phase of an IT project to avoid project failure?
5. What is the initial step that an information security manager would take during the requirements gathering phase of an IT project to avoid project failure?
6. Information security governance is PRIMARILY driven by:
7. Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?
8. Which of the following roles would represent a conflict of interest for an information security manager?
9. Acceptable levels of information security risk should be determined by:
10. An operating system noncritical patch to enhance system security cannot be applied because a critical application is not compatible with the change. Which of the following is the BEST solution?
11. Which of the following should a successful information security management program use to determine the amount of resources devoted to mitigating exposures?
12. An effective risk management program should reduce risk to:
13. Which of the following is the MOST important consideration when developing an information security strategy?
14. The PRIMARY objective of a vulnerability assessment is to:
15. When performing a review of risk treatment options, the MOST important benefit to consider is:
16. Which of the following vulnerabilities allowing attackers access to the application database is the MOST serious?
17. There is a delay between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
18. Which of the following reasons is the MOST important to develop a strategy before implementing an information security program?
19. When performing a qualitative risk analysis, which of the following will BEST produce reliable results?
20. Which of the following recommendations is the BEST one to promote a positive information security governance culture within an organization?
21. A newly hired information security manager notes that existing information security practices and procedures appear ad hoc. Based on this observation, the next action should be to:
22. After a risk assessment study, a bank with global operations decided to continue conducting business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:
23. An information security manager has two identical servers in the network subject to a viable threat, but decides to harden only one of them. The MOST likely reason for this choice is that the second server:
24. The MOST effective use of a risk register is to:
25. During a stakeholder meeting, a question was asked regarding who is ultimately accountable for the protection of sensitive data. Assuming that all of the following roles exist in the enterprise, which would be the MOST appropriate answer?