2 Flashcards
- When performing a business impact analysis (BIA), who should calculate the recovery time and cost
estimates?
A. Business process owner
B. Business continuity coordinator
C. Senior management
D. Information security manager
Answer: A
Explanation: The business process owner is the person who is responsible for overseeing and managing
the business processes and functions that are essential for the organization’s operations and objectives.
The business process owner has the most direct and detailed knowledge of the inputs, outputs,
dependencies, resources, and performance indicators of the business processes and functions. Therefore,
the business process owner is the best person to calculate the recovery time and cost estimates when
performing a business impact analysis (BIA), which is a process of identifying and quantifying the potential
losses, damages, or consequences that could result from a disruption or an incident that affects the
availability, integrity, or confidentiality of the information assets and systems that support the business
processes and functions. The recovery time and cost estimates are the measures that indicate the time and
money that are needed to resume and restore the normal business operations and functions after the
disruption or incident. The recovery time and cost estimates can help to prioritize and protect the critical
activities and resources, to allocate the appropriate budget and resources, to implement the necessary
controls and measures, and to evaluate the effectiveness and efficiency of the business continuity and
disaster recovery plans.
The business continuity coordinator, the senior management, and the information security manager are all
important roles in the BIA process, but they are not the best ones to calculate the recovery time and cost
estimates. The business continuity coordinator is the person who is responsible for coordinating and
facilitating the BIA process, as well as the development, implementation, and maintenance of the business
continuity and disaster recovery plans. The business continuity coordinator can help to define and
communicate the scope, objectives, and methodology of the BIA, to collect and analyze the data and
information from the business process owners and other stakeholders, to report and present the BIA results
and recommendations, and to provide feedback and suggestions for improvement and optimization of the
BIA and the plans. The senior management is the group of people who have the ultimate authority and
accountability for the organization’s strategy, direction, and performance. The senior management can help
to approve and support the BIA process and the plans, to provide the strategic guidance and vision for the
business continuity and disaster recovery, to allocate the necessary budget and resources, to oversee and
monitor the BIA and the plans, and to make the final decisions and approvals. The information security
manager is the person who is responsible for ensuring the security of the information assets and systems
that support the business processes and functions. The information security manager can help to identify
and assess the information security risks and issues that could affect the BIA and the plans, to implement
and manage the security controls and measures that are needed to protect and recover the information
assets and systems, to coordinate and collaborate with the business process owners and other
stakeholders on the security aspects of the BIA and the plans, and to provide the security expertise and
advice. References = CISM Review Manual 15th Edition, pages 228-229; CISM Practice Quiz, question 172
- Which of the following is the GREATEST value provided by a security information and event management
(SIEM) system?
A. Maintaining a repository base of security policies
B. Measuring impact of exploits on business processes
C. Facilitating the monitoring of risk occurrences
D. Redirecting event logs to an alternate location for business continuity plan
Answer: C
Explanation: A security information and event management (SIEM) system is a tool that collects, analyzes,
and correlates security events from various sources, such as firewalls, intrusion detection systems,
antivirus software, and other devices. A SIEM system can provide real-time alerts, dashboards, reports,
and forensic analysis of security incidents. The greatest value of a SIEM system is that it can facilitate the
monitoring of risk occurrences by identifying anomalies, trends, patterns, and indicators of compromise that
may otherwise go unnoticed. A SIEM system can also help with incident response, compliance, and audit
activities by providing evidence and documentation of security events.
References =
✑ ISACA, CISM Review Manual, 16th Edition, 2020, page 229
✑ ISACA, CISM Review Questions, Answers & Explanations Database - 12 Month Subscription, 2020,
question ID 208
The greatest value provided by a Security Information and Event Management (SIEM) system is facilitating
the monitoring of risk occurrences. SIEM systems collect, analyze and alert on security-related data from
various sources such as firewall logs, intrusion detection/prevention systems, and system logs. This allows
organizations to identify security threats in real-time and respond quickly, helping to mitigate potential harm
to their systems and data.
- Which of the following BEST facilitates an information security manager’s efforts to obtain senior
management commitment for an information security program?
A. Presenting evidence of inherent risk
B. Reporting the security maturity level
C. Presenting compliance requirements
D. Communicating the residual risk
Answer: D
Explanation: Communicating the residual risk is the best way to facilitate an information security manager’s
efforts to obtain senior management commitment for an information security program. The residual risk is
the level of risk that remains after applying the security controls and mitigation measures. The residual risk
reflects the effectiveness and efficiency of the information security program, as well as the potential impact
and exposure of the organization. The information security manager should communicate the residual risk
to the senior management in a clear, concise, and relevant manner, using quantitative or qualitative
methods, such as risk matrices, heat maps, dashboards, or reports. The communication of the residual risk
should also include the comparison with the inherent risk, which is the level of risk before applying any
security controls, and the risk appetite, which is the level of risk that the organization is willing to accept.
The communication of the residual risk should help the senior management to understand the value and
performance of the information security program, as well as the need and justification for further investment
or improvement. Presenting evidence of inherent risk, reporting the security maturity level, and presenting
compliance requirements are all important aspects of the information security program, but they are not the
best ways to obtain senior management commitment. These aspects may not directly demonstrate the
benefits or outcomes of the information security program, or they may not align with the business objectives
or priorities of the organization. For example, presenting evidence of inherent risk may show the potential
threats and vulnerabilities that the organization faces, but it may not indicate how the information security
program addresses or reduces them. Reporting the security maturity level may show the progress and
status of the information security program, but it may not relate to the risk level or the business impact.
Presenting compliance requirements may show the legal or regulatory obligations that the organization
must fulfill, but it may not reflect the actual security needs or goals of the organization. Therefore,
communicating the residual risk is the best way to obtain senior management commitment for an
information security program, as it shows the results and value of the information security program for the
organization. References = CISM Review Manual 2023, page 41; CISM Practice Quiz
- To confirm that a third-party provider complies with an organization’s information security requirements, it is
MOST important to ensure:
A. security metrics are included in the service level agreement (SLA).
B. contract clauses comply with the organization’s information security policy.
C. the information security policy of the third-party service provider is reviewed.
D. right to audit is included in the service level agreement (SLA).
Answer: D
Explanation: To confirm that a third-party provider complies with an organization’s information security
requirements, it is most important to ensure that the right to audit is included in the service level agreement
(SLA), which is a contract that defines the scope, quality, and terms of the services that the third-party
provider delivers to the organization. The right to audit is a clause that grants the organization the authority
and opportunity to inspect and verify the third-party provider’s security policies, procedures, controls, and
performance, either by itself or by an independent auditor, at any time during the contract period or after a
security incident. The right to audit can help to ensure that the third-party provider adheres to the
organization’s information security requirements, as well as to the legal and regulatory standards and
obligations, and that the organization can monitor and measure the security risks and issues that arise from
the outsourcing relationship. The right to audit can also help to identify and address any gaps, weaknesses,
or errors that could compromise the security of the information assets and systems that are shared, stored,
or processed by the third-party provider, and to provide feedback and recommendations for improvement
and optimization of the security posture and performance.
Security metrics, contract clauses, and the information security policy of the third-party provider are all
important elements of ensuring the compliance of the third-party provider with the organization’s
information security requirements, but they are not the most important ones. Security metrics are
quantitative and qualitative measures that indicate the effectiveness and efficiency of the security controls
and processes that the third-party provider implements and reports to the organization, such as the number
of security incidents, the time to resolve them, the level of customer satisfaction, or the compliance rate.
Security metrics can help to evaluate and compare the security performance and outcomes of the
third-party provider, as well as to identify and address any deviations or discrepancies from the expected or
agreed levels. Contract clauses are legal and contractual terms and conditions that bind the third-party
provider to the organization’s information security requirements, such as the confidentiality, integrity, and
availability of the information assets and systems, the roles and responsibilities of the parties, the liabilities
and penalties for breach or violation, or the dispute resolution mechanisms. Contract clauses can help to
enforce and protect the organization’s information security interests and rights, as well as to prevent or
resolve any conflicts or issues that arise from the outsourcing relationship. The information security policy
of the third-party provider is a document that defines and communicates the third-party provider’s security
vision, mission, objectives, and principles, as well as the security roles, responsibilities, and rules that apply
to the third-party provider’s staff, customers, and partners. The information security policy of the third-party
provider can help to ensure that the third-party provider has a clear and consistent security direction and
guidance, as well as to align and integrate the third-party provider’s security practices and culture with the
organization’s security expectations and requirements. References = CISM Review Manual 15th Edition,
pages 57-58; CISM Practice Quiz, question 166
- An information security manager has been notified about a compromised endpoint device. Which of the
following is the BEST course of action to prevent further damage?
A. Wipe and reset the endpoint device.
B. Isolate the endpoint device.
C. Power off the endpoint device.
D. Run a virus scan on the endpoint device.
Answer: B
Explanation: A compromised endpoint device is a potential threat to the security of the network and the data
stored on it. The best course of action to prevent further damage is to isolate the endpoint device from the
network and other devices, so that the attacker cannot access or spread to other systems. Isolating the
endpoint device also allows the information security manager to investigate the incident and determine the
root cause, the extent of the compromise, and the appropriate remediation steps. Wiping and resetting the
endpoint device may not be feasible or desirable, as it may result in data loss or evidence destruction.
Powering off the endpoint device may not stop the attack, as the attacker may have installed persistent
malware or backdoors that can resume once the device is powered on again. Running a virus scan on the
endpoint device may not be effective, as the attacker may have used sophisticated techniques to evade
detection or disable the antivirus software. References = CISM Review Manual, 15th Edition, page 174;
CISM Review Questions, Answers & Explanations Database, question ID 211; Using EDR to Address
Unmanaged Devices - ISACA; Boosting Cyberresilience for Critical Enterprise IT Systems With COBIT
and NIST Cybersecurity Frameworks - ISACA; Endpoint Security: On the Frontline of Cyber Risk.
The best way to reduce the risk associated with a bring your own device (BYOD) program is to implement a
mobile device policy and standard. This policy should include guidelines and rules regarding the use of
mobile devices, such as acceptable use guidelines and restrictions on the types of data that can be stored
or accessed on the device. Additionally, it should also include requirements for secure mobile device
practices, such as the use of strong passwords, encryption, and regular patching. A mobile device
management (MDM) solution can also be implemented to help ensure mobile devices meet the
organizational security requirements. However, it is not enough to simply implement the policy and MDM
solution; employees must also be trained on the secure mobile device practices to ensure the policy is
followed.
- To overcome the perception that security is a hindrance to business activities, it is important for an
information security manager to:
A. rely on senior management to enforce security.
B. promote the relevance and contribution of security.
C. focus on compliance.
D. reiterate the necessity of security.
Answer: B
Explanation: To overcome the perception that security is a hindrance to business activities, it is important
for an information security manager to promote the relevance and contribution of security to the
organization’s goals and objectives. Security is not only a technical function, but also a business enabler
that supports the organization’s strategy, vision, and mission. By promoting the relevance and contribution
of security, the information security manager can demonstrate the value and benefits of security to the
stakeholders, such as increasing customer trust, enhancing reputation, reducing costs, improving efficiency,
and complying with regulations. Promoting the relevance and contribution of security can also help the
information security manager to build relationships and partnerships with the business units, and to align
the security program with the business needs and expectations. Promoting the relevance and contribution
of security can also help the information security manager to foster a positive security culture and
awareness within the organization, and to encourage the adoption and support of security policies and
practices.
The other options are not the best ways to overcome the perception that security is a hindrance to business
activities. Relying on senior management to enforce security is not the best way, because it may create a
sense of coercion and resentment among the employees, and may undermine the credibility and authority
of the information security manager. Focusing on compliance is not the best way, because it may create a
false sense of security and satisfaction, and may neglect the other aspects and dimensions of security,
such as risk management, value creation, and innovation. Reiterating the necessity of security is not the
best way, because it may not address the root causes and factors of the negative perception, and may not
provide sufficient evidence and justification for the security investments and decisions. References = CISM
Review Manual, 16th Edition, ISACA, 2020, pp. 13-14, 23-24; CISM Online Review Course, Domain 1:
Information Security Governance, Module 1: Information Security Governance Overview, ISACA
To overcome the perception that security is a hindrance to business activities, it is important for an
information security manager to promote the relevance and contribution of security. By demonstrating the
value that security brings to the organization, including protecting assets and supporting business
objectives, the information security manager can help to change the perception of security from a hindrance
to a critical component of business success.
Relying on senior management to enforce security, focusing on compliance, and reiterating the necessity of
security are all important elements of a comprehensive security program, but they do not directly address
the perception that security is a hindrance to business activities. By promoting the relevance and
contribution of security, the information security manager can help to align security with the overall goals
and objectives of the organization, and foster a culture that values and supports security initiatives.
- Which of the following should be the FIRST step in developing an information security strategy?
A. Determine acceptable levels of information security risk
B. Create a roadmap to identify security baselines and controls
C. Perform a gap analysis based on the current state
D. Identify key stakeholders to champion information security
Answer: D
Explanation: The first step in developing an information security strategy is to identify key stakeholders who
can provide support, guidance and resources for information security initiatives. These stakeholders may
include senior management, business unit leaders, legal counsel, audit and compliance officers and other
relevant parties. By engaging these stakeholders early on, an information security manager can ensure that
the strategy aligns with business objectives and expectations, as well as gain buy-in and commitment from
them. Determining acceptable levels of risk, creating a roadmap and performing a gap
analysis are all important steps in developing an information security strategy, but they should follow after
identifying key stakeholders.
- Which of the following is the BEST method to ensure compliance with password standards?
A. Implementing password-synchronization software
B. Using password-cracking software
C. Automated enforcement of password syntax rules
D. A user-awareness program
Answer: C
Explanation: Automated enforcement of password syntax rules is the best method to ensure compliance with password
standards. Password syntax rules define the minimum and maximum length, character types, and
construction of passwords. By enforcing these rules automatically, the system can prevent users from
creating or using weak or insecure passwords that do not meet the standards. According to NIST,
password syntax rules should allow at least 8 characters and up to 64 characters, accept all printable ASCII
characters and Unicode characters, and encourage the use of long passphrases [1]. The other options are
not methods to ensure compliance with password standards, but rather methods to verify or improve
password security. Implementing password-synchronization software can help users manage multiple
passwords across different systems, but it does not ensure that the passwords comply with the standards [2].
Using password-cracking software can help test the strength of passwords and identify weak or
compromised ones, but it does not ensure that users follow the standards [3]. A user-awareness program can
help educate users about the importance of password security and the best practices for creating and using
passwords, but it does not ensure that users comply with the standards. References: [1] NIST Password
Guidelines and Best Practices for 2020 - Auth0; [2] Password synchronization - Wikipedia; [3]
- A risk assessment exercise has identified the threat of a denial of service (DoS) attack.
Executive management has decided to take no further action related to this risk. The MOST likely reason
for this decision is:
A. the risk assessment has not defined the likelihood of occurrence
B. the reported vulnerability has not been validated
C. executive management is not aware of the impact potential
D. the cost of implementing controls exceeds the potential financial losses.
Answer: D
Explanation: The most likely reason for executive management to take no further action related to the risk
of a denial of service (DoS) attack is that the cost of implementing controls exceeds the potential financial
losses. This means that the risk is acceptable or tolerable for the organization, and that the benefits of
reducing the risk do not outweigh the costs of applying the controls. This decision is based on a cost-benefit
analysis, which is a common technique for evaluating and comparing different risk response options. A
cost-benefit analysis considers the following factors:
✑ The estimated impact of the risk, which is the potential loss or damage that the
organization may suffer if the risk materializes. The impact can be expressed in quantitative or qualitative
terms, such as monetary value, reputation, customer satisfaction, legal liability, etc.
✑ The estimated likelihood of occurrence, which is the probability or frequency that
the risk will occur within a given time period. The likelihood can be expressed in numerical or descriptive
terms, such as percentage, rating, high, medium, low, etc.
✑ The estimated cost of controls, which is the total amount of resources that the
organization needs to invest in order to implement and maintain the controls. The cost can include direct
and indirect expenses, such as hardware, software, personnel, training, maintenance, etc.
✑ The estimated benefit of controls, which is the reduction in the impact or likelihood
of the risk as a result of implementing the controls. The benefit can be expressed in the same terms as the
impact or likelihood, such as monetary value, percentage, rating, etc.
A cost-benefit analysis can be performed using various methods, such as net present value (NPV), return
on investment (ROI), internal rate of return (IRR), etc. The general principle is to compare the cost and
benefit of each control option, and select the one that provides the highest net benefit or the lowest net cost.
A control option is considered feasible and desirable if its benefit exceeds its cost, or if its cost is lower than
the impact of the risk.
In this case, executive management has decided to take no further action related to the risk of a DoS attack,
which implies that the cost of implementing controls exceeds the potential financial losses. This could be
because the impact or likelihood of the risk is low, or because the cost or complexity of the controls is high,
or both. For example, the organization may have a robust backup and recovery system, a diversified
network infrastructure, a strong customer loyalty, or a low dependency on online services, which reduce the
impact or likelihood of a DoS attack. Alternatively, the organization may face technical, financial, or
operational challenges in implementing effective controls, such as firewalls, load balancers, traffic filters, or
cloud services, which increase the cost or complexity of the controls. Therefore, executive management
may have concluded that the risk is acceptable or tolerable, and that taking no further action is the most
rational and economical choice.
The other options are not the most likely reasons for executive management to take no further action
related to the risk of a DoS attack, as they indicate a lack of proper risk assessment or validation. The risk
assessment should define the likelihood of occurrence and the reported vulnerability should be validated,
as these are essential steps for identifying and analyzing the risk. Executive management should be aware
of the impact potential, as this is a key factor for evaluating and prioritizing the risk. If any of these options
were true, executive management would not have enough information or evidence to make an informed
and justified decision about the risk response. References =
✑ CISM Review Manual, Chapter 2, pages 67-69
✑ CISM Exam Content Outline | CISM Certification | ISACA, Domain 2, Task 2.2
✑ Information Security Risk Management for CISM® - Pluralsight, Module 2, Section 2.3
✑ CISM: Information Risk Management Part 2 from Skillsoft - NICCS, Section 2.4
Executive management may not take action related to a risk if they have determined that the cost of
implementing necessary controls to mitigate the risk exceeds the potential financial losses that the
organization may incur if the risk were to materialize. In cases such as this, it is important for the information
security team to provide the executive team with thorough cost-benefit analysis that outlines the cost of
implementing the controls versus the expected losses from the risk.
- An information security manager determines there are a significant number of exceptions to a newly
released industry-required security standard. Which of the following should be done NEXT?
A. Document risk acceptances.
B. Revise the organization’s security policy.
C. Assess the consequences of noncompliance.
D. Conduct an information security audit.
Answer: C
Explanation: Assessing the consequences of noncompliance is the next step that should be done after
determining that there are a significant number of exceptions to a newly released industry-required security
standard. The information security manager should evaluate the potential impact and exposure of the
organization due to the noncompliance with the security standard. The assessment should consider the
legal, regulatory, contractual, and reputational implications of the noncompliance, as well as the likelihood
and severity of the incidents or penalties that may result from the noncompliance. The assessment should
also compare the cost and benefit of complying with the security standard versus accepting the risk of
noncompliance. The assessment should provide the basis for making informed and rational decisions about
how to address the noncompliance issue and prioritize the actions and resources needed to achieve
compliance. Documenting risk acceptances, revising the organization’s security policy, and conducting an
information security audit are all possible actions that may be taken to address the noncompliance issue,
but they are not the next steps that should be done. These actions should be performed after assessing the
consequences of noncompliance, and based on the results and recommendations of the assessment.
Documenting risk acceptances may be appropriate if the organization decides to accept the risk of
noncompliance, and if the risk is within the risk appetite and tolerance of the organization. Revising the
organization’s security policy may be necessary if the organization decides to comply with the security
standard, and if the policy needs to be updated to reflect the new requirements and expectations.
Conducting an information security audit may be useful if the organization wants to verify the level of
compliance and identify the gaps and weaknesses in the security controls and processes. Therefore,
assessing the consequences of noncompliance is the next step that should be done after determining that
there are a significant number of exceptions to a newly released industry-required security standard, as it
helps the information security manager to understand the risk and impact of the noncompliance and
to make informed and rational decisions about how to address it. References = CISM Review Manual 2023,
page 43; CISM Practice Quiz
- A multinational organization is required to follow governmental regulations with different security
requirements at each of its operating locations. The chief information security officer (CISO) should be
MOST concerned with:
A. developing a security program that meets global and regional requirements.
B. ensuring effective communication with local regulatory bodies.
C. using industry best practice to meet local legal regulatory requirements.
D. monitoring compliance with defined security policies and standards.
Answer: A
Explanation: A multinational organization is required to follow governmental regulations with different
security requirements at each of its operating locations. This means that the CISO has to deal with multiple
and diverse legal, regulatory, and compliance issues across different jurisdictions and markets. The CISO
should be most concerned with developing a security program that meets global and regional requirements,
such as ISO/IEC 27001, NIST CSF, PCI DSS, GDPR, etc. These standards provide a framework for
establishing, implementing, maintaining, and improving an information security management system
(ISMS) that aligns with the organization’s business objectives and risk appetite. The CISO should also
ensure that the security program is consistent and coherent across all operating locations, and that it
complies with the specific regulations of each location. Therefore, option A is the most appropriate answer.
References = CISM Review Manual 15th Edition, page 255; CISM Review Questions, Answers &
Explanations Database - 12 Month Subscription, QID 234.
In this scenario, the chief information security
officer (CISO) should be most concerned with developing a security program that meets the global and
regional requirements of the organization. This includes considering the different legal and regulatory
requirements of each operating location, and designing a security program that meets all of these
requirements. The CISO should also ensure effective communication with local regulatory bodies to ensure
compliance and understanding of the security program. Additionally, the CISO should use industry best
practices and defined security policies and standards to ensure the program meets all applicable
requirements.
- Which of the following desired outcomes BEST supports a decision to invest in a new security initiative?
A. Enhanced security monitoring and reporting
B. Reduced control complexity
C. Enhanced threat detection capability
D. Reduction of organizational risk
Answer: D
Explanation: The reduction of organizational risk is the desired outcome that best supports a decision to
invest in a new security initiative. The organizational risk is the level of exposure or uncertainty that the
organization faces in achieving its objectives. The organizational risk is influenced by various factors, such
as the threat landscape, the vulnerability of the assets, the impact of the incidents, and the effectiveness of
the controls. The information security manager should evaluate the organizational risk and propose security
initiatives that can reduce the risk to an acceptable level. The security initiatives should be aligned with the
business goals, the risk appetite, and the available resources of the organization. The security initiatives
should also provide a positive return on investment (ROI) or value for money (VFM) for the organization.
The reduction of organizational risk is the ultimate goal and benefit of any security initiative, as it enhances
the security posture, performance, and resilience of the organization. Enhanced security monitoring and
reporting, reduced control complexity, and enhanced threat detection capability are all possible outcomes
of security initiatives, but they are not the best ones to support a decision to invest in a new security
initiative. These outcomes are more specific and technical, and they may not directly relate to the business
objectives or the risk appetite of the organization. These outcomes are also intermediate or enabling, rather
than final or ultimate, as they may not necessarily lead to the reduction of organizational risk. For example,
enhanced security monitoring and reporting may improve the visibility and awareness of the security status,
but it may not prevent or mitigate the incidents. Reduced control complexity may simplify the security
management and maintenance, but it may not address the emerging or evolving threats. Enhanced threat
detection capability may increase the speed and accuracy of identifying the attacks, but it may not reduce
the impact or the likelihood of the attacks. Therefore, the reduction of organizational risk is the best
outcome to support a decision to invest in a new security initiative, as it demonstrates the value and
effectiveness of the security initiative for the organization. References = CISM Review Manual 2023, page
40 [1]; CISM Practice Quiz [2]
- What is the PRIMARY benefit to an organization when information security program requirements are
aligned with employment and staffing processes?
A. Security incident reporting procedures are followed.
B. Security staff turnover is reduced.
C. Information assets are classified appropriately.
D. Access is granted based on task requirements.
Answer: D
Explanation: The PRIMARY benefit to an organization when information security program requirements are
aligned with employment and staffing processes is that access is granted based on task requirements. This
means that the organization can ensure that the employees have the appropriate level and scope of access
to the information assets and systems that they need to perform their duties, and that the access is granted,
reviewed, and revoked in accordance with the security policies and standards. This can help to reduce the
risk of unauthorized access, misuse, or leakage of information, as well as to comply with the principle of
least privilege and the segregation of duties [1][2]. Security incident reporting procedures are followed (A) is a
benefit to an organization when information security program requirements are aligned with employment
and staffing processes, but it is not the PRIMARY benefit. Security incident reporting procedures are the
steps and guidelines that the employees should follow when they detect, report, or respond to a security
incident. Aligning the information security program requirements with the employment and staffing
processes can help to ensure that the employees are aware of and trained on the security incident reporting
procedures, and that they are enforced and monitored by the management. This can help to improve the
effectiveness and efficiency of the incident response process, as well as to comply with the legal and
contractual obligations [1][2]. Security staff turnover is reduced (B) is a benefit to an organization when
information security program requirements are aligned with employment and staffing processes, but it is not
the PRIMARY benefit. Security staff turnover is the rate at which the security personnel leave or join the
organization. Aligning the information security program requirements with the employment and staffing
processes can help to reduce the security staff turnover by ensuring that the security roles and
responsibilities are clearly defined and communicated, that the security personnel are adequately
compensated and motivated, and that the security personnel are evaluated and developed regularly. This
can help to retain the security talent and expertise, as well as to reduce the costs and risks associated with
the security staff turnover [1][2]. Information assets are classified appropriately (C) is a benefit to an
organization when information security program requirements are aligned with employment and staffing
processes, but it is not the PRIMARY benefit. Information asset classification is the process of assigning a
security level or category to the information assets based on their value, sensitivity, and criticality to the
organization. Aligning the information security program requirements with the employment and staffing
processes can help to ensure that the information assets are classified appropriately by establishing the
ownership and custody of the information assets, the criteria and methods for the information asset
classification, and the roles and responsibilities for the information asset classification. This can help to
protect the information assets according to their security level or category, as well as to comply with the
regulatory and contractual requirements [1][2]. References = 1: CISM Review Manual 15th Edition, page
75-76, 81-82, 88-89, 93-94; 2: CISM Domain 1: Information Security Governance (ISG) [2022 update]
- An information security manager learns through a threat intelligence service that the organization may be
targeted for a major emerging threat. Which of the following is the information security manager’s FIRST
course of action?
A. Conduct an information security audit.
B. Validate the relevance of the information.
C. Perform a gap analysis.
D. Inform senior management
Answer: B
Explanation: The information security manager’s first course of action should be to validate the relevance of
the information received from the threat intelligence service. This means verifying the source, credibility,
accuracy, and timeliness of the information, as well as assessing the potential impact and likelihood of the
threat for the organization. This will help the information security manager to determine the appropriate
response and prioritize the actions to mitigate the threat. Conducting an information security audit,
performing a gap analysis, and informing senior management are possible subsequent actions, but they
are not the first course of action. An information security audit is a systematic and independent assessment
of the effectiveness of the information security controls and processes. A gap analysis is a comparison of
the current state of the information security program with the desired state or best practices. Informing
senior management is a communication activity that should be done after validating the information and
assessing the risk. References = CISM Review Manual, 16th Edition, pages 44-45 [1]; CISM Review
Questions, Answers & Explanations Manual, 10th Edition, page 63 [2]
The first step the information security manager should take upon learning of the potential threat is to
validate the relevance of the information. This should involve researching the threat to evaluate its potential
impact on the organization and to determine the accuracy of the threat intelligence. Once the information is
validated, the information security manager can then take action, such as informing senior management,
conducting an information security audit, or performing a gap analysis.
- An organization is creating a risk mitigation plan that considers redundant power supplies to reduce the
business risk associated with critical system outages. Which type of control is being considered?
A. Preventive
B. Corrective
C. Detective
D. Deterrent
Answer: A
Explanation: A preventive control is a type of control that aims to prevent or reduce the occurrence or
impact of potential adverse events that can affect the organization’s objectives and performance.
Preventive controls are proactive measures that are implemented before an incident happens, and they are
designed to address the root causes or sources of risk. Preventive controls can also help the organization
to comply with the relevant laws, regulations, standards, and best practices regarding information
security [1].
An example of a preventive control is a redundant power supply, which is a backup or
alternative source of power that can be used in case of a power outage or failure. A redundant power
supply can reduce the business risk associated with critical system outages, which can result from power
disruptions caused by natural disasters, technical faults, human errors, or malicious attacks. A redundant
power supply can provide the following benefits for information security [2]:
✑ Maintain the availability and continuity of the critical systems and services that
depend on power, such as servers, databases, networks, or applications. A redundant power supply can
ensure that the critical systems and services can operate normally or resume quickly after a power outage
or failure, minimizing the downtime and data loss that can affect the organization’s operations, customers,
or reputation.
✑ Protect the integrity and reliability of the critical systems and data that are stored or
processed by the power-dependent devices, such as computers, hard drives, or memory cards. A
redundant power supply can prevent or reduce the damage or corruption of the critical systems and data
that can be caused by sudden or unexpected power fluctuations, surges, or interruptions, which can
compromise the accuracy, completeness, or consistency of the information.
✑ Enhance the resilience and redundancy of the power infrastructure and network
that supports the critical systems and services. A redundant power supply can provide an alternative or
backup route for power delivery and distribution, which can increase the flexibility and adaptability of the
power infrastructure and network to cope with different scenarios or conditions of power supply or demand.
The other options are not the type of control that is being considered by the organization. A corrective
control is a type of control that aims to restore or recover the normal state or function of the affected
systems or processes after an incident has occurred. A corrective control is a reactive measure that is
implemented during or after an incident, and it is designed to address the consequences or impacts of risk.
A corrective control can also help the organization to learn from the incident and improve its information
security practices [1]. An example of a corrective control is a backup or restore system, which is a method of
creating and restoring copies of the system or data that have been lost or damaged due to an incident.
A detective control is a type of control that aims to identify or discover the occurrence or existence of an
incident or a deviation from the expected or desired state or behavior of the systems or processes. A
detective control is a monitoring or auditing measure that is implemented during or after an incident, and it
is designed to provide information or evidence of risk. A detective control can also help the organization to
analyze or investigate the incident and determine the root cause or source of risk [1]. An example of a
detective control is a log or alert system, which is a tool of recording or reporting the activities or events that
have occurred or are occurring within the systems or processes.
A deterrent control is a type of control that aims to discourage or dissuade the potential perpetrators or
sources of risk from initiating or continuing an incident or an attack. A deterrent control is a psychological or
behavioral measure that is implemented before or during an incident, and it is designed to influence or
manipulate the motivation or intention of risk. A deterrent control can also help the organization to reduce
the likelihood or frequency of incidents or attacks [1]. An example of a deterrent control is a warning or
notification system, which is a method of communicating or displaying the consequences or
penalties of violating the information security policies or rules. References = Risk Control Techniques:
Preventive, Corrective, Directive, And …, Learn Different types of Security Controls in CISSP - Eduonix
Blog
- Which of the following BEST enables an organization to transform its culture to support information
security?
A. Periodic compliance audits
B. Strong management support
C. Robust technical security controls
D. Incentives for security incident reporting
Answer: B
Explanation: According to the CISM Review Manual (Digital Version), page 5, information security culture is
the set of values, attitudes, and behaviors that shape how an organization and its employees view and
practice information security. Transforming the information security culture requires a change management
process that involves the following steps: creating a sense of urgency, forming a powerful coalition,
developing a vision and strategy, communicating the vision, empowering broad-based action, generating
short-term wins, consolidating gains and producing more change, and anchoring new approaches in the
culture [1]. Among the four options, strong management support is the best enabler for transforming the
information security culture, as it can provide the necessary leadership, resources, sponsorship, and
alignment for the change management process. Periodic compliance audits, robust technical security
controls, and incentives for security incident reporting are important elements of information security, but
they are not sufficient to change the culture without strong management support. References = 1: CISM
Review Manual (Digital Version), page 5
- Which of the following is the GREATEST benefit of including incident classification criteria within an incident
response plan?
A. Ability to monitor and control incident management costs
B. More visibility to the impact of disruptions
C. Effective protection of information assets
D. Optimized allocation of recovery resources
Answer: D
Explanation: The explanation given in the manual is:
Incident classification criteria enable an organization to prioritize incidents based on their impact and
urgency. This allows for an optimized allocation of recovery resources to minimize business disruption and
ensure timely restoration of normal operations. The other choices are benefits of incident management but
not directly related to incident classification criteria.
- Which of the following should be an information security manager’s FIRST course of action when a newly
introduced privacy regulation affects the business?
A. Consult with IT staff and assess the risk based on their recommendations
B. Update the security policy based on the regulatory requirements
C. Propose relevant controls to ensure the business complies with the regulation
D. Identify and assess the risk in the context of business objectives
Answer: D
Explanation: Identify and assess the risk in the context of business objectives. Before making any changes
to the security policy or introducing any new controls, the information security manager should first identify
and assess the risk that the new privacy regulation poses to the business. This should be done in the
context of the overall business objectives so that the security measures introduced are tailored to meet the
specific needs of the organization.
- An intrusion has been detected and contained. Which of the following steps represents the BEST practice
for ensuring the integrity of the recovered system?
A. Install the OS, patches, and application from the original source.
B. Restore the OS, patches, and application from a backup.
C. Restore the application and data from a forensic copy.
D. Remove all signs of the intrusion from the OS and application.
Answer: A
Explanation: After an intrusion has been detected and contained, the system should be
recovered to a known and trusted state. The best practice for ensuring the integrity of the recovered system
is to install the OS, patches, and application from the original source, such as the vendor’s website or
media. This way, any malicious code or backdoors that may have been inserted by the intruder can be
eliminated. Restoring the OS, patches, and application from a backup may not guarantee the integrity of the
system, as the backup may have been compromised or outdated. Restoring the application and data from a
forensic copy may preserve the evidence of the intrusion, but it may also reintroduce the vulnerability or
malware that allowed the intrusion in the first place. Removing all signs of the intrusion from the OS and
application may not be sufficient or feasible, as the intruder may have made subtle or hidden changes that
are difficult to detect or undo.
References =
✑ ISACA, CISM Review Manual, 16th Edition, 2020, page 240 [1]
✑ ISACA, CISM Review Questions, Answers & Explanations Database - 12 Month Subscription, 2020,
question ID 213 [2]
The BEST practice for ensuring the integrity of the recovered system after an intrusion is to restore the OS,
patches, and application from a backup. This will ensure that the system is in a known good state, without
any potential residual malicious code or changes from the intrusion. Restoring from a backup also enables
the organization to revert to a previous configuration that has been tested and known to be secure. This
step should be taken prior to conducting a thorough investigation and forensic analysis to determine the
cause and extent of the intrusion.
- Which of the following analyses will BEST identify the external influences to an organization’s information
security?
A. Business impact analysis (BIA)
B. Gap analysis
C. Threat analysis
D. Vulnerability analysis
Answer: C
Explanation: A threat analysis will best identify the external influences to an organization’s information
security because it involves identifying and evaluating the sources and likelihood of potential adverse
events that could affect the organization’s assets, operations, or reputation. External influences include
factors such as emerging technologies, social media, business environment, risk tolerance, regulatory
requirements, third-party considerations, and threat landscape [1]. A threat analysis can help the organization
to align its information security strategy with its business objectives and risk appetite, and to prioritize and
mitigate the most relevant and impactful threats. A business impact analysis (BIA) is a process of assessing
the potential consequences of a disruption to the organization’s critical business functions or processes. A
BIA does not directly identify the external influences to the organization’s information security, but rather the
impact of those influences on the organization’s continuity and recovery. A gap analysis is a process of
comparing the current state of the organization’s information security with a desired or expected state,
based on best practices, standards, or frameworks. A gap analysis does not directly identify the external
influences to the organization’s information security, but rather the areas of improvement or compliance. A
vulnerability analysis is a process of identifying and evaluating the weaknesses or flaws in the
organization’s information systems or processes that could be exploited by threats. A vulnerability analysis
does not directly identify the external influences to the organization’s information security, but rather the
exposure or susceptibility of the organization to those influences. References = CISM Review Manual, 15th
Edition, pages 22-23 [2]; CISM Exam Content Outline, Domain 1, Knowledge Statement 1.11 [3]
Threat analysis is a process that is used to identify and assess the external influences or threats that could
potentially affect an organization’s information security. It is used to identify potential risks and develop
strategies to mitigate or reduce those risks. Threat analysis involves analyzing the environment, identifying
potential threats and their potential impacts, and then evaluating the organization’s current security
measures and developing strategies to address any deficiencies.
- Which of the following will ensure confidentiality of content when accessing an email system over the
Internet?
A. Multi-factor authentication
B. Digital encryption
C. Data masking
D. Digital signatures
Answer: B
Explanation: Digital encryption is the process of transforming data into an unreadable form using a secret
key or algorithm. Digital encryption will ensure the confidentiality of content when accessing an email
system over the Internet, as it prevents unauthorized parties from intercepting, viewing, or modifying the
email messages. Digital encryption can be applied to both the email content and the email transmission,
using different methods such as symmetric encryption, asymmetric encryption, or hybrid encryption. Digital
encryption can also provide other benefits such as authentication, integrity, and non-repudiation,
depending on the encryption scheme and the use of digital signatures or certificates. References = CISM
Review Manual 15th Edition, page 101, page 102.
- Reevaluation of risk is MOST critical when there is:
A. resistance to the implementation of mitigating controls.
B. a management request for updated security reports.
C. a change in security policy.
D. a change in the threat landscape.
Answer: D
Explanation: Reevaluation of risk is a vital aspect of the risk management process that helps
organizations to identify and analyze new or evolving threats, vulnerabilities, and impacts on their assets,
and implement the necessary controls to mitigate them. Reevaluation of risk is most critical when there is a
change in the threat landscape, which refers to the external and internal factors that influence the likelihood
and severity of potential attacks on the organization’s information assets. A change in the threat landscape
may be caused by various factors, such as technological innovations, geopolitical events, cybercrime
trends, regulatory changes, or organizational changes. A change in the threat landscape may introduce
new risks or alter the existing risk profile of the organization, requiring a reassessment of the risk appetite,
tolerance, and strategy. Reevaluation of risk helps the organization to adapt to the changing threat
landscape and ensure that the information security program remains effective, efficient, and aligned with
the business objectives.
References =
✑ CISM Review Manual 15th Edition, page 113 [1]
✑ CISM Domain 2: Information Risk Management (IRM) [2022 update] [2]
✑ Reevaluation of Risk | CISM Exam Question Answer | ISACA [3]
- A critical server for a hospital has been encrypted by ransomware. The hospital is unable to function
effectively without this server. Which of the following would MOST effectively allow the hospital to avoid
paying the ransom?
A. Employee training on ransomware
B. A properly tested offline backup system
C. A continual server replication process
D. A properly configured firewall
Answer: B
Explanation: The most effective way to avoid paying the ransom in a ransomware attack is to have a
properly tested offline backup system. A ransomware attack is a type of cyberattack that encrypts the
victim’s data or systems and demands a payment for the decryption key. A properly tested offline backup
system is a method of storing copies of the data or systems in a separate location that is not connected to
the network or the internet. By having a properly tested offline backup system, the hospital can restore its
critical server from the backup without paying the ransom or losing any data. The other options are not the
most effective way to avoid paying the ransom in a ransomware attack, although they may be some
preventive or detective measures. Employee training on ransomware is a preventive measure that can help
raise awareness and reduce the likelihood of falling victim to phishing or other social engineering
techniques that may deliver ransomware. However, it does not guarantee that employees will always follow
best practices or that ransomware will not enter the network through other means. A continual server
replication process is a method of creating copies of the server data or systems in real time or near real
time. However, it may not be effective against ransomware, as the replication process may also copy the
encrypted data or systems, making them unusable. A properly configured firewall is a preventive measure
that can help block malicious network traffic and prevent unauthorized access to the server. However, it
does not guarantee that ransomware will not bypass the firewall through other channels, such as email
attachments or removable media.
- Which of the following documents should contain the INITIAL prioritization of recovery of services?
A. IT risk analysis
B. Threat assessment
C. Business impact analysis (BIA)
D. Business process map
Answer: C
Explanation: A business impact analysis (BIA) is the document that should contain the initial prioritization
of recovery of services. A BIA is a process of identifying and analyzing the potential effects of disruptions
to critical business functions and processes. A BIA typically includes the following steps [1]:
• Identifying the critical business functions and processes that support the organization’s mission and
objectives.
• Estimating the maximum tolerable downtime (MTD) for each function or process, which is the longest time
that the organization can afford to be without that function or process before suffering unacceptable
consequences.
• Assessing the potential impacts of disruptions to each function or process, such as financial losses,
reputational damage, legal liabilities, regulatory penalties, customer dissatisfaction, etc.
• Prioritizing the recovery of functions or processes based on their MTDs and impacts, and assigning
recovery time objectives (RTOs) and recovery point objectives (RPOs) for each function or process. RTOs
are the target times for restoring functions or processes after a disruption, while RPOs are the acceptable
amounts of data loss in case of a disruption.
• Identifying the resources and dependencies required for each function or process, such as staff,
equipment, software, data, suppliers, customers, etc.
A BIA provides the basis for developing a business continuity plan (BCP), which is a document that outlines
the strategies and procedures for ensuring the continuity or recovery of critical business functions and
processes in the event of a disruption [2]. The other options are not documents that should contain the initial
prioritization of recovery of services. An IT risk analysis is a process of identifying and evaluating the
threats and vulnerabilities that affect the IT systems and assets of an organization. It helps to determine the
likelihood and impact of potential IT incidents, and to select and implement appropriate controls to mitigate
the risks [3]. A threat assessment is a process of identifying and analyzing the sources and capabilities of
adversaries that may pose a threat to an organization’s security. It helps to determine the level of threat
posed by different actors, and to develop countermeasures to prevent or respond to attacks. A business
process map is a visual representation of the activities, inputs, outputs, roles, and resources involved in a
business process. It helps to understand how a process works, how it can be improved, and how it relates
to other processes. References: 1: Business impact analysis (BIA) - Wikipedia; 2: Business continuity plan -
Wikipedia; 3: IT risk management - Wikipedia; Threat assessment - Wikipedia; Business process mapping
- Wikipedia
- The fundamental purpose of establishing security metrics is to:
A. increase return on investment (ROI)
B. provide feedback on control effectiveness
C. adopt security best practices
D. establish security benchmarks
Answer: B
Explanation: The fundamental purpose of establishing security metrics is to provide feedback on the
effectiveness of the information security controls and processes. Security metrics are quantitative or
qualitative measures that indicate how well the organization is achieving its security objectives and goals.
Security metrics can help the information security manager to monitor, evaluate, and improve the
performance of the information security program, as well as to identify gaps, weaknesses, and areas for
improvement. Security metrics can also help the organization to demonstrate compliance with internal and
external standards, regulations, and best practices. Increasing return on investment (ROI), adopting
security best practices, and establishing security benchmarks are possible outcomes or benefits of using
security metrics, but they are not the fundamental purpose of establishing them. References = CISM
Review Manual, 16th Edition, pages 46-47 [1]; CISM Review Questions, Answers & Explanations Manual,
10th Edition, page 64 [2]
Learn more: 1. isaca.org 2. amazon.com 3. gov.uk
Security metrics are used to measure the effectiveness of controls and evaluate the overall security posture
of an organization. This feedback provides an understanding of the progress made towards achieving
security objectives and allows organizations to make necessary adjustments.
- Which of the following is MOST important for an information security manager to verify when selecting a
third-party forensics provider?
A. Existence of a right-to-audit clause
B. Results of the provider’s business continuity tests
C. Technical capabilities of the provider
D. Existence of the provider’s incident response plan
Answer: C
Explanation: The technical capabilities of the provider are the MOST important thing for an information
security manager to verify when selecting a third-party forensics provider because they determine the
quality, reliability, and validity of the forensic services and results that the provider can deliver. The
technical capabilities of the provider include the skills, experience, and qualifications of the forensic staff,
the methods, tools, and standards that the forensic staff use, and the facilities, equipment, and resources
that the forensic staff have. The information security manager should verify that the technical capabilities of
the provider match the forensic needs and expectations of the organization, such as the type, scope, and
complexity of the forensic investigation, the legal and regulatory requirements, and the time and cost
constraints [1][2]. The existence of a right-to-audit clause (A) is an important thing for an information security
manager to verify when selecting a third-party forensics provider, but it is not the MOST important thing. A
right-to-audit clause is a contractual provision that grants the organization the right to audit or review the
performance, compliance, and security of the provider. A right-to-audit clause can help to ensure the
accountability, transparency, and quality of the provider, as well as to identify and resolve any issues or
disputes that may arise during or after the forensic service. However, a right-to-audit clause does not
guarantee that the provider has the technical capabilities to conduct the forensic service effectively and
efficiently [1][2]. The results of the provider’s business continuity tests (B) are an important thing for an
information security manager to verify when selecting a third-party forensics provider, but they are not the
MOST important thing. The results of the provider’s business continuity tests can indicate the ability and
readiness of the provider to continue or resume the forensic service in the event of a disruption, disaster, or
emergency. The results of the provider’s business continuity tests can help to assess the availability,
resilience, and recovery of the provider, as well as to mitigate the risks of losing or compromising the
forensic evidence or data. However, the results of the provider’s business continuity tests do not ensure
that the provider has the technical capabilities to perform the forensic service accurately and
professionally [1][2]. The existence of the provider’s incident response plan (D) is an important thing for an
information security manager to verify when selecting a third-party forensics provider, but it is not the
MOST important thing. The existence of the provider’s incident response plan can demonstrate the
preparedness and capability of the provider to detect, report, and respond to any security incidents that
may affect the forensic service or the organization. The existence of the provider’s incident response plan
can help to protect the confidentiality, integrity, and availability of the forensic evidence or data, as well as
to comply with the legal and contractual obligations. However, the existence of the provider’s incident
response plan does not confirm that the provider has the technical capabilities to execute the forensic
service competently and ethically [1][2]. References = 1: CISM Review Manual 15th Edition, page 310-311; 2:
A Risk-Based Management Approach to Third-Party Data Security, Risk and Compliance - ISACA
- An organization faces severe fines and penalties if not in compliance with local regulatory requirements by
an established deadline. Senior management has asked the information security manager to prepare an
action plan to achieve compliance.
Which of the following would provide the MOST useful information for planning purposes?
A. Results from a business impact analysis (BIA)
B. Deadlines and penalties for noncompliance
C. Results from a gap analysis
D. An inventory of security controls currently in place
Answer: C
Explanation: Results from a gap analysis would provide the most useful information for planning purposes
when preparing an action plan to achieve compliance with local regulatory requirements by an established
deadline. A gap analysis is an assessment of the difference between an organization’s current state of
compliance and its desired level or standard. It is a process used to identify potential areas for improvement
by comparing actual performance with expected performance. A gap analysis can help to prioritize the
actions needed to close the gaps and comply with the regulatory requirements, as well as to estimate the
resources and time required for each action [1]. The other options are not as useful as results from a gap
analysis for planning purposes when preparing an action plan to achieve compliance with local regulatory
requirements by an established deadline. Deadlines and penalties for noncompliance are important factors
to consider, but they do not provide information on how to achieve compliance or what actions are needed [2].
Results from a business impact analysis (BIA) are useful for identifying the critical processes and assets
that need to be protected, but they do not provide information on how to comply with the regulatory
requirements or what actions are needed [3]. An inventory of security controls currently in place is useful for
assessing the current state of compliance, but it does not provide information on how to comply with the
regulatory requirements or what actions are needed [4]. References: 1: What is Gap Analysis in
Compliance | Scytale; 2: Compliance Gap Analysis & Effectiveness Evaluation | SMS; 3: Business impact
analysis (BIA) - Wikipedia; 4: Gap Analysis & Risk Assessment - Riddle Compliance
- Which of the following should be the PRIMARY basis for determining the value of assets?
A. Cost of replacing the assets
B. Business cost when assets are not available
C. Original cost of the assets minus depreciation
D. Total cost of ownership (TCO)
Answer: B
Explanation: The primary basis for determining the value of assets should be the business cost when
assets are not available. This is because the value of assets is not only determined by their acquisition or
replacement cost, but also by their contribution to the organization’s business objectives and processes.
The business cost when assets are not available reflects the potential impact of losing or compromising the
assets on the organization’s operations, performance, reputation, and compliance. The business cost when
assets are not available can be estimated by conducting a business impact analysis (BIA), which identifies
the criticality, dependencies, and recovery requirements of the assets. By using the business cost when
assets are not available as the primary basis for determining the value of assets, the organization can
prioritize the protection and management of the assets according to their importance and risk level.
References = CISM Review Manual 15th Edition, page 64, page 65.
- Which of the following BEST enables an organization to provide ongoing assurance that legal and
regulatory compliance requirements can be met?
A. Embedding compliance requirements within operational processes
B. Engaging external experts to provide guidance on changes in compliance requirements
C. Performing periodic audits for compliance with legal and regulatory requirements
D. Assigning the operations manager accountability for meeting compliance requirements
Answer: A
Explanation: Embedding compliance requirements within operational processes ensures that they are
consistently followed and monitored as part of normal business activities. This provides ongoing assurance
that legal and regulatory compliance requirements can be met. The other choices are not as effective as
embedding compliance requirements within operational processes.
Regulatory compliance involves following external legal mandates set forth by state, federal, or
international government [2]. Compliance requirements may vary depending on the industry, location, and
nature of the organization [2]. Compliance helps organizations avoid legal penalties, protect their reputation,
and ensure ethical conduct [2].
- Which of the following has the GREATEST positive impact on the ability to execute a disaster recovery
plan (DRP)?
A. Storing the plan at an offsite location
B. Communicating the plan to all stakeholders
C. Updating the plan periodically
D. Conducting a walk-through of the plan
Answer: D
Explanation: A walk-through of the disaster recovery plan (DRP) is a method of testing the plan by
simulating a disaster scenario and having the participants review their roles and responsibilities, as well as
the procedures and resources required to execute the plan. A walk-through has the greatest positive impact
on the ability to execute the DRP, as it helps to identify and resolve any gaps, errors, or inconsistencies in
the plan, as well as to enhance the awareness and readiness of the stakeholders involved in the recovery
process. References = CISM Review Manual, 16th Edition, Chapter 5, Section 5.3.2.2 [1]
- Of the following, whose input is of GREATEST importance in the development of an information security
strategy?
A. Process owners
B. End users
C. Security architects
D. Corporate auditors
Answer: A
Explanation: Process owners are the people who are responsible for the design, execution, and
improvement of the business processes that support the organization’s objectives and operations. Process
owners have the greatest importance in the development of an information security strategy, as they
provide the input and feedback on the business requirements, expectations, and priorities that the
information security strategy should address and support. Process owners also help to identify and assess
the risks and impacts that the business processes face, and to define and implement the security controls
and measures that can mitigate or reduce them. Process owners also facilitate the alignment and
integration of the information security strategy with the business strategy, as well as the communication and
collaboration among the various stakeholders and functions involved in the information security program.
End users, security architects, and corporate auditors are all important stakeholders in the information
security program, but they do not have the greatest importance in the development of an information
security strategy. End users are the people who use the information systems and services that the
information security program protects and enables. End users provide the input and feedback on the
usability, functionality, and performance of the information systems and services, as well as the security
awareness and behavior that they exhibit. Security architects are the people who design and implement the
security architecture that supports the information security strategy. Security architects provide the input
and feedback on the technical requirements, capabilities, and solutions that the information security
strategy should leverage and optimize. Corporate auditors are the people who evaluate and verify the
compliance and effectiveness of the information security program. Corporate auditors provide the input and
feedback on the standards, regulations, and best practices that the information security strategy should
follow and adhere to. Therefore, process owners have the greatest importance in the development of an
information security strategy, as they provide the input and feedback on the business requirements,
expectations, and priorities that the information security strategy should address and support. References =
CISM Review Manual 2023, page 31 [1]; CISM Practice Quiz [2]
- Which of the following is the GREATEST benefit of information asset classification?
A. Helping to determine the recovery point objective (RPO)
B. Providing a basis for implementing a need-to-know policy
C. Supporting segregation of duties
D. Defining resource ownership
Answer: B
Explanation: The greatest benefit of information asset classification is providing a basis for implementing a
need-to-know policy. Information asset classification is a process of categorizing information based on its
level of sensitivity and importance, and applying appropriate security controls based on the level of risk
associated with that information [1]. A need-to-know policy is a principle that states that access to
information should be granted only to those individuals who require it to perform their official duties or
tasks [2]. The purpose of a need-to-know policy is to limit the exposure of sensitive information to
unauthorized or unnecessary parties, and to reduce the risk of data breaches, leaks, or misuse. Information
asset classification provides a basis for implementing a need-to-know policy by:
• Defining the value and protection requirements of different types of information
• Labeling the information with the appropriate classification level, such as public, internal, confidential,
secret, or top secret
• Establishing the roles and responsibilities of information owners, custodians, and users
• Enforcing access controls and encryption for the information
• Documenting the security policies and procedures for the information
By providing a basis for implementing a need-to-know policy, information asset classification can help
organizations to protect their sensitive information, comply with relevant laws and regulations, and achieve
their business objectives. The other options are not the greatest benefits of information asset classification.
Helping to determine the recovery point objective (RPO) is not a benefit, but rather a consequence of
applying security controls based on the classification level. RPO is the acceptable amount of data loss in
case of a disruption [3]. Supporting segregation of duties is not a benefit, but rather a prerequisite for
implementing a need-to-know policy. Segregation of duties is a principle that states that no single individual
should have control over two or more phases of a business process or transaction that are susceptible to
errors or fraud [4]. Defining resource ownership is not a benefit, but rather a component of information asset
classification. Resource ownership is the assignment of accountability and authority for an information
asset to an individual or a group [5]. References: 1: Information Classification - Advisera; 2: Need-to-Know
Principle - NIST; 3: Recovery Point Objective - NIST; 4: Segregation of Duties - NIST; 5: Resource
Ownership - NIST; Information Classification in Information Security - GeeksforGeeks; Information Asset
Classification Policy - UCI
- An anomaly-based intrusion detection system (IDS) operates by gathering data on:
A. normal network behavior and using it as a baseline for measuring abnormal activity
B. abnormal network behavior and issuing instructions to the firewall to drop rogue connections
C. abnormal network behavior and using it as a baseline for measuring normal activity
D. attack pattern signatures from historical data
Answer: A
Explanation: An anomaly-based intrusion detection system (IDS) operates by gathering data on normal
network behavior and using it as a baseline for measuring abnormal activity. This is important because it
allows the IDS to detect any activity that is outside of the normal range of usage for the network, which can
help to identify potential malicious activity or security threats. Additionally, the IDS will monitor for any
changes in the baseline behavior and alert the administrator if any irregularities are detected. By contrast,
signature-based IDSs operate by gathering attack pattern signatures from historical data and comparing
them against incoming traffic in order to identify malicious activity.
- Which of the following is the BEST way to assess the risk associated with using a Software as a Service
(SaaS) vendor?
A. Verify that information security requirements are included in the contract.
B. Request customer references from the vendor.
C. Require vendors to complete information security questionnaires.
D. Review the results of the vendor’s independent control reports.
Answer: D
Explanation: Reviewing the results of the vendor’s independent control reports is the best way to assess
the risk associated with using a SaaS vendor because it provides an objective and reliable evaluation of the
vendor’s security controls and practices. Independent control reports, such as SOC 2 or ISO 27001, are
conducted by third-party auditors who verify the vendor’s compliance with industry standards and best
practices. These reports can help the customer identify any gaps or weaknesses in the vendor’s security
posture and determine the level of assurance and trust they can place on the vendor.
Verifying that information security requirements are included in the contract is a good practice, but it does
not provide sufficient assurance that the vendor is actually meeting those requirements. The contract may
also have limitations or exclusions that reduce the customer’s rights or remedies in case of a breach or
incident.
Requesting customer references from the vendor is not a reliable way to assess the risk associated with
using a SaaS vendor because the vendor may only provide positive or biased references that do not reflect
the true experience or satisfaction of the customers. Customer references may also not have the same
security needs or expectations as the customer who is conducting the assessment.
Requiring vendors to complete information security questionnaires is a useful way to gather information
about the vendor’s security policies and procedures, but it does not provide enough evidence or verification
that the vendor is actually implementing and maintaining those policies and procedures. Information
security questionnaires are also subject to the vendor’s self-reporting and interpretation, which may not be
accurate or consistent. References =
✑ CISM Review Manual 15th Edition, page 144
✑ SaaS Security Risk and Challenges - ISACA [1]
✑ SaaS Security Checklist & Assessment Questionnaire | LeanIX [2]
✑ Risk Assessment Guide for Microsoft Cloud [3]
- An organization is in the process of acquiring a new company. Which of the following would be the BEST
approach to determine how to protect newly acquired data assets prior to integration?
A. Include security requirements in the contract.
B. Assess security controls.
C. Perform a risk assessment.
D. Review data architecture.
Answer: C
Explanation: Performing a risk assessment is the best approach to determine how to protect newly acquired
data assets prior to integration, as it will help to identify the threats, vulnerabilities, impacts, and likelihoods
of the data assets, and to prioritize the appropriate risk treatment options. Including security requirements in
the contract is a good practice, but it may not be sufficient to address the specific risks of the data assets.
Assessing security controls and reviewing data architecture are also important steps, but they should be
done after performing a risk assessment, as they will depend on the risk level and the risk app
The best approach to determine how to protect newly acquired data assets prior to integration is to perform
a risk assessment. A risk assessment will identify the various threats and vulnerabilities associated with the
data assets and help the organization develop an appropriate security strategy. This risk assessment
should include an assessment of the security controls in place to protect the data, a review of the data
architecture, and a review of any contractual requirements related to security.
- Which of the following defines the triggers within a business continuity plan (BCP)?
A. Needs of the organization
B. Disaster recovery plan (DRP)
C. Information security policy
D. Gap analysis
Answer: A
Explanation: The needs of the organization define the triggers within a business continuity plan (BCP).
Triggers are the events or conditions that initiate the activation of the BCP. The triggers should be based on
the organization’s business objectives, risk appetite, recovery time objectives, and recovery point
objectives. The triggers should also be aligned with the organization’s information security policy, disaster
recovery plan, and gap analysis. However, these are not the primary factors that define the triggers, but
rather the supporting elements that help implement the BCP. The needs of the organization are the main
drivers for determining the triggers, as they reflect the organization’s priorities, expectations, and
requirements for business continuity. References =
✑ CISM Review Manual (Digital Version) [1], Chapter 4: Information Security Incident
Management, pages 191-192, 195-196, 199-200.
✑ Business Continuity Management Guideline [2], page 5, Section 4.2.1: Triggers
✑ Business Continuity Plan - Open Risk Manual [3], page 1, Section 1: Introduction
- Which of the following is the BEST indication of effective information security governance?
A. Information security is considered the responsibility of the entire information security team.
B. Information security controls are assigned to risk owners.
C. Information security is integrated into corporate governance.
D. Information security governance is based on an external security framework.
Answer: C
Explanation: Information security governance (ISG) is the process of establishing and maintaining a
framework to provide assurance that information security strategies are aligned with and support business
objectives, are consistent with applicable laws and regulations through adherence to policies and internal
controls, and provide assignment of responsibility, all in an effort to manage risk [1]. Effective ISG ensures
that information security is integrated into corporate governance and is considered an essential component
of enterprise governance [2]. Information security is not just the responsibility of the information security team,
but of all stakeholders in the organization [3]. Information security controls are not assigned to risk owners,
but to control owners who are accountable for implementing and maintaining the controls [4]. Information
security governance is not based on an external security framework, but on the organization’s own
objectives, risk appetite, and compliance requirements. References = 1: CISM Review Manual (Digital
Version), page 3; 2: CISM Review Manual (Digital Version), page 4; 3: CISM Review Manual (Digital
Version), page 5; 4: CISM Review Manual (Digital Version), page 14; CISM Review Manual (Digital
Version), page 16
- Which of the following is the MOST important consideration when defining a recovery strategy in a business
continuity plan (BCP)?
A. Legal and regulatory requirements
B. Likelihood of a disaster
C. Organizational tolerance to service interruption
D. Geographical location of the backup site
Answer: C
Explanation: The organizational tolerance to service interruption is the most important consideration
when defining a recovery strategy in a business continuity plan (BCP), as it reflects the degree of risk that
the organization is willing to accept in the event of a disaster. The organizational tolerance to service
interruption determines the acceptable level of downtime, data loss, or disruption that the organization can
tolerate, and thus guides the selection of recovery objectives, strategies, and resources. Legal and
regulatory requirements are external factors that influence the recovery strategy, but are not the primary
consideration. Likelihood of a disaster is a factor that affects the recovery strategy, but is not the most
important one. Geographical location of the backup site is a factor that affects the recovery strategy, but is
not as critical as organizational tolerance to service interruption. References = CISM Review Manual, 16th
Edition, page 173 [1]; CISM Review Questions, Answers & Explanations Manual, 10th Edition, page 79 [2]
- What should be an information security manager’s MOST important consideration when developing a
multi-year plan?
A. Ensuring contingency plans are in place for potential information security risks
B. Ensuring alignment with the plans of other business units
C. Allowing the information security program to expand its capabilities
D. Demonstrating projected budget increases year after year
Answer: B
Explanation: The most important consideration when developing a multi-year plan for information security
is to ensure alignment with the plans of other business units. Alignment means that the information security
plan supports and enables the achievement of the business objectives, strategies, and priorities of the
organization and its various units. Alignment also means that the information security plan is consistent and
compatible with the plans of other business units, and that it addresses the needs, expectations, and
requirements of the relevant stakeholders [1].
By ensuring alignment with the plans of other business units, the information security manager can achieve
the following benefits [1]:
✑ Increase the value and effectiveness of information security: By aligning the information security plan
with the business goals and drivers, the information security manager can demonstrate the value and
contribution of information security to the organization’s performance, growth, and competitiveness. The
information security manager can also ensure that the information security plan addresses the most critical
and relevant risks and opportunities for the organization and its units, and that it provides adequate and
appropriate protection and support for the organization’s assets, processes, and activities.
✑ Enhance the communication and collaboration with other business units: By aligning the information
security plan with the plans of other business units, the information security manager can enhance the
communication and collaboration with the other business unit leaders and managers, who are the key
stakeholders and partners in information security. The information security manager can also solicit and
incorporate their input, feedback, and suggestions into the information security plan, and provide them with
timely and relevant information, guidance, and support. The information security manager can also foster a
culture of trust, respect, and cooperation among the different business units, and promote a shared vision
and commitment to information security.
✑ Optimize the use and allocation of resources for information security: By aligning the information
security plan with the plans of other business units, the information security manager can optimize the use
and allocation of resources for information security, such as budget, staff, time, or technology. The
information security manager can also avoid duplication, conflict, or waste of resources among the different
business units, and ensure that the information security plan is feasible, realistic, and sustainable. The
information security manager can also leverage the resources and capabilities of other business units to
enhance the information security plan, and provide them with the necessary resources and capabilities to
implement and maintain the information security plan.
The other options are not the most important consideration when developing a multi-year plan for
information security, as they are less strategic, comprehensive, or impactful than ensuring alignment with
the plans of other business units. Ensuring contingency plans are in place for potential information security
risks is an important component of the information security plan, but it is not the most important
consideration, as it focuses on the reactive and preventive aspects of information security, rather than the
proactive and enabling aspects. Allowing the information security program to expand its capabilities is an
important objective of the information security plan, but it is not the most important consideration, as it
depends on the availability and suitability of the resources, technologies, and opportunities for information
security, and it may not align with the organization’s needs, priorities, or constraints. Demonstrating
projected budget increases year after year is an important outcome of the information security plan, but it is
not the most important consideration, as it reflects the cost and demand of information security, rather than
the value and benefit of information security, and it may not be justified or supported by the organization’s
financial situation or expectations [1]. References = CISM Domain 1: Information Security Governance (ISG)
[2022 update], CISM Domain 2: Information Risk Management (IRM) [2022 update], Aligning Information
Security with Business Strategy - ISACA, Aligning Information Security with Business Objectives - ISACA
- Which of the following is the BEST justification for making a revision to a password policy?
A. Industry best practice
B. A risk assessment
C. Audit recommendation
D. Vendor recommendation
Answer: B
Explanation: A risk assessment should be conducted in order to identify the potential risks associated with
a particular system or process, and to determine the best way to mitigate those risks. Making a revision to a
password policy based on the results of a risk assessment is the best way to ensure that the policy is
effective and secure.
According to the Certified Information Security Manager (CISM) Study manual, the BEST justification for
making a revision to a password policy is a risk assessment. A risk assessment enables an organization to
identify and evaluate the risks to its information assets and determine the appropriate measures to mitigate
those risks, including password policies. Password policies should be based on the risks to the
organization’s information assets and the level of protection needed.