3 Flashcards

1
Q
  1. Which of the following BEST supports effective communication during information security incidents?

A. Frequent incident response training sessions
B. Centralized control monitoring capabilities
C. Responsibilities defined within role descriptions
D. Predetermined service level agreements (SLAs)

A

Answer: D

Explanation: The best way to support effective communication during information security incidents is to
have predetermined service level agreements (SLAs) because they define the expectations and
responsibilities of the parties involved in the incident response process, and specify the communication
channels, methods, and frequency for reporting and updating on the incident status and resolution.
Frequent incident response training sessions are not very effective because they do not address the
communication needs or challenges during an actual incident. Centralized control monitoring capabilities
are not very effective because they do not address the communication needs or challenges during an
actual incident. Responsibilities defined within role descriptions are not very effective because they do not
address the communication needs or challenges during an actual incident. References:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-response-lessons-learned
https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/incident-response-lessons-learned

2
Q
  1. Which of the following presents the GREATEST challenge to a large multinational organization using an
    automated identity and access management (IAM) system?

A. Staff turnover rates that significantly exceed industry averages
B. Large number of applications in the organization
C. Inaccurate workforce data from human resources (HR)
D. Frequent changes to user roles during employment

A

Answer: C

3
Q
  1. Which of the following is the MOST important input to the development of an effective information security
    strategy?

A. Risk and business impact assessments
B. Business processes and requirements
C. Current and desired state of security
D. Well-defined security policies and procedures

A

Answer: B

4
Q
  1. What should be the NEXT course of action when an information security manager has identified a
    department that is repeatedly not following the security policy?

A. Perform a vulnerability assessment on the systems within the department.
B. Introduce additional controls to force compliance with policy.
C. Require department users to repeat security awareness training.
D. Report the policy violation to senior management.

A

Answer: D

5
Q
  1. An organization experienced a loss of revenue during a recent disaster. Which of the following would BEST
    prepare the organization to recover?

A. Business impact analysis (BIA)
B. Business continuity plan (BCP)
C. Incident response plan
D. Disaster recovery plan (DRP)

A

Answer: B

6
Q
  1. The PRIMARY goal of a post-incident review should be to:

A. identify policy changes to prevent a recurrence.
B. determine how to improve the incident handling process.
C. establish the cost of the incident to the business.
D. determine why the incident occurred.

A

Answer: B

Explanation: The primary goal of a post-incident review is to identify areas for improvement in the incident
handling process. The focus is on evaluating the effectiveness of incident response procedures, technical
controls, communication channels, coordination among teams, documentation, and any other relevant
aspects. The post-incident review should also provide recommendations for corrective actions, preventive
measures, and lessons learned that can help reduce the likelihood and impact of future
incidents. References = CISM Review Manual 15th Edition, page 1251; CISM Item Development Guide,
page 72

7
Q
  1. An information security team must obtain approval from the information security steering committee to
    implement a key control. Which of the following is the MOST important input to assist the committee in
    making this decision?

A. IT strategy
B. Security architecture
C. Business case
D. Risk assessment

A

Answer: C

8
Q
  1. When management changes the enterprise business strategy, which of the following processes should be
    used to evaluate the existing information security controls as well as to select new information security
    controls?

A. Configuration management
B. Risk management
C. Access control management
D. Change management

A

Answer: D

Explanation: According to the CISM Review Manual (Digital Version), Chapter 3, Section 3.2.2, change
management is the process of identifying, assessing, approving, implementing, and monitoring changes to
information systems and information security controls. Change management is essential for ensuring that
changes are aligned with the organization’s business strategy and objectives, as well as complying with
applicable laws and regulations.
The CISM Review Manual (Digital Version) also states that change management should be performed in
conjunction with other processes, such as configuration management, access control management, and
risk management. Configuration management is the process of identifying, documenting, controlling, and
verifying the configuration items (CIs) of an information system. Access control management is the
process of granting or denying access to information systems and information assets based on predefined
policies and procedures. Risk management is the process of identifying, analyzing, evaluating, treating,
monitoring, and communicating risks to information systems and information assets.
The CISM Exam Content Outline also covers the topic of change management in Domain 3
— Information Security Program Development and Management (27% exam weight). The subtopics
include:
✑ 3.2.2 Change Management
✑ 3.2.3 Change Control
✑ 3.2.4 Change Implementation
✑ 3.2.5 Change Monitoring

9
Q
  1. Which of the following defines the MOST comprehensive set of security requirements for a newly
    developed information system?

A. Risk assessment results
B. Audit findings
C. Key risk indicators (KRIs)
D. Baseline controls

A

Answer: D

Explanation: Baseline controls are the minimum set of security requirements that apply to all information
systems in an organization, regardless of their specific functions or characteristics. They are derived from
the organization’s security policies, standards, and best practices, and they reflect the organization’s risk
appetite and tolerance. Baseline controls provide a consistent and comprehensive foundation for the
security of the information systems, and they can be tailored or supplemented by additional controls as
needed for specific systems or situations. The other options are not as comprehensive as baseline controls,
as they may only address certain aspects of the security requirements, or they may vary
depending on the system or the context. For example, risk assessment results are an important input for
defining the security requirements, but they are not the requirements themselves. Audit findings are an
output of evaluating the compliance and effectiveness of the security requirements, but they are not the
requirements themselves. Key risk indicators (KRIs) are metrics that measure the level of risk exposure and
performance of the security requirements, but they are not the requirements themselves. References =
✑ CISM Review Manual 15th Edition, page 113: “Baseline controls are the minimum security requirements
that apply to all systems within the organization.”
✑ CISM Review Questions, Answers & Explanations Database - 12 Month Subscription, question 478:
“Baseline controls are the minimum security requirements that apply to all systems within the organization.
They are derived from the organization’s security policies, standards, and best practices, and they reflect
the organization’s risk appetite and tolerance.”

10
Q
  1. Which of the following is the BEST approach for data owners to use when defining access privileges for
    users?

A. Define access privileges based on user roles.
B. Adopt user account settings recommended by the vendor.
C. Perform a risk assessment of the users’ access privileges.
D. Implement an identity and access management (IDM) tool.

A

Answer: A

Explanation: This approach is the best because it ensures that users have the minimum level of access
required to perform their job functions, which reduces the risk of unauthorized access or misuse of data.
User roles are defined based on the business needs and responsibilities of the users, and they can be
easily managed and audited. References: The CISM Review Manual 2023 states that “the data owner is
responsible for defining the access privileges for each user role” and that “the data owner should ensure
that the principle of least privilege is applied to all users” (p. 82). The CISM Review Questions, Answers &
Explanations Manual 2023 also provides the following rationale for this answer: “Defining access privileges
based on user roles is the best approach because it allows the data owner to assign the minimum level of
access required for each role and to review and update the roles periodically” (p. 23).

11
Q
  1. A security incident has been reported within an organization. When should an information security manager
    contact the information owner?

A. After the incident has been contained
B. After the incident has been mitigated
C. After the incident has been confirmed
D. After the potential incident has been logged

A

Answer: C

Explanation: The information owner is the person who has the authority and responsibility for the
information asset and its protection. The information security manager should contact the information
owner as soon as possible after the incident has been confirmed, to inform them of the incident, its impact,
and the actions taken or planned to resolve it. The information owner may also need to be involved in the
decision-making process regarding the incident response and recovery. (From CISM Review Manual 15th
Edition)
References: CISM Review Manual 15th Edition, page 191, section 4.3.4.1.

12
Q
  1. Which of the following BEST enables an organization to maintain an appropriate security control
    environment?

A. Alignment to an industry security framework
B. Budgetary support for security
C. Periodic employee security training
D. Monitoring of the threat landscape

A

Answer: A

Explanation: Alignment to an industry security framework ensures that the organization adopts best
practices and standards for security control implementation and maintenance. References = CISM Review
Manual, 16th Edition, Domain 1: Information Security Governance, Chapter 1: Establish and Maintain an
Information Security Strategy, Section: Information Security Frameworks

13
Q
  1. An information security manager wants to document requirements detailing the minimum security controls
    required for user workstations. Which of the following resources would be MOST appropriate for this
    purpose?

A. Guidelines
B. Policies
C. Procedures
D. Standards

A

Answer: D

Explanation: Standards are detailed statements of the minimum requirements for hardware, software, or
security configurations. They are used to define the minimum security controls required for user
workstations. References = CISM Review Manual, 16th Edition, page 69.

14
Q
  1. Which of the following should be done FIRST when developing a business continuity plan (BCP)?

A. Review current recovery policies.
B. Define the organizational strategy.
C. Prioritize the critical processes.
D. Review existing cyber insurance coverage.

A

Answer: B

15
Q
  1. When analyzing the emerging risk and threat landscape, an information security manager should FIRST:

A. determine the impact if threats materialize.
B. determine the sources of emerging threats.
C. review historical threats within the industry.
D. map threats to business assets.

A

Answer: B

16
Q
  1. An organization has acquired a new system with strict maintenance instructions and schedules. Where
    should this information be documented?

A. Standards
B. Policies
C. Guidelines
D. Procedures

A

Answer: D

Explanation:
Procedures are the detailed steps or instructions for performing specific tasks or activities. They are usually
aligned with standards, policies and guidelines, but they are more specific and prescriptive. System
maintenance instructions and schedules are examples of procedures that should be documented and
followed to ensure the proper functioning and security of the system.
References: The CISM Review Manual 2023 defines procedures as “the lowest level in the hierarchy of
documentation. They are detailed steps that a user must follow to accomplish an activity” (p. 80). The CISM
Item Development Guide also provides the following explanation for this answer: “Procedures are the
correct answer because they provide the specific steps to be followed to maintain the system” (p. 11).

17
Q
  1. Which of the following is the PRIMARY responsibility of the information security function when an
    organization adopts emerging technologies?

A. Developing security training for the new technologies
B. Designing new security controls
C. Creating an acceptable use policy for the technologies
D. Assessing the potential security risk

A

Answer: D

Explanation: The primary responsibility of the information security function when an organization adopts
emerging technologies is to assess the potential security risk, which means identifying and evaluating the
threats, vulnerabilities, and impacts that the new technologies may pose to the organization’s data, systems,
and objectives. Assessing the potential security risk helps the information security function to determine the
appropriate security requirements, controls, and measures to mitigate the risk and ensure the safe and
secure adoption of the emerging technologies.
References = Performing Risk Assessments of Emerging Technologies, CISM Review Manual 15th Edition
An organization is planning to outsource network management to a service provider. Including which of the
following in the contract would be the MOST effective way to mitigate information security risk?

A. Requirement for regular information security awareness
B. Right-to-audit clause
C. Service level agreement (SLA)
D. Requirement to comply with corporate security policy

18
Q
  1. Which of the following is the MOST essential element of an information security program?

A. Benchmarking the program with global standards for relevance
B. Prioritizing program deliverables based on available resources
C. Involving functional managers in program development
D. Applying project management practices used by the business

A

Answer: C

Explanation:
Involving functional managers in program development is the most essential element of an information
security program, because they are responsible for ensuring that the information security policies,
standards, and procedures are implemented and enforced within their respective business units. They also
provide input and feedback on the information security requirements, risks, and controls that affect their
operations and objectives.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 37: “Functional managers are responsible for ensuring
that the information security policies, standards, and procedures are implemented and enforced within their
respective business units.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 38: “Functional managers should be involved in the
development of the information security program to provide input and feedback on the information security
requirements, risks, and controls that affect their operations and objectives.”

19
Q
  1. Which of the following is the BEST indication of an effective disaster recovery planning process?

A. Hot sites are required for any declared disaster.
B. Chain of custody is maintained throughout the disaster recovery process.
C. Post-incident reviews are conducted after each event.
D. Recovery time objectives (RTOs) are shorter than recovery point objectives (RPOs).

A

Answer: C

20
Q
  1. In a cloud technology environment, which of the following would pose the GREATEST challenge to the
    investigation of security incidents?

A. Access to the hardware
B. Data encryption
C. Non-standard event logs
D. Compressed customer data

A

Answer: C

21
Q
  1. For event logs to be acceptable for incident investigation, which of the following is the MOST important
    consideration to establish chain of evidence?

A. Centralized logging
B. Time clock synchronization
C. Available forensic tools
D. Administrator log access

A

Answer: B

22
Q
  1. Which of the following is the MOST important consideration when developing key
    performance indicators (KPIs) for the information security program?

A. Alignment with financial reporting
B. Alignment with business initiatives
C. Alignment with industry frameworks
D. Alignment with risk appetite

A

Answer: B

Explanation:
The most important consideration when developing key performance indicators (KPIs) for the information
security program is B. Alignment with business initiatives. This is because KPIs are measurable values that
demonstrate how effectively the information security program is achieving its objectives and delivering
value to the organization. KPIs should be aligned with the business initiatives, such as the strategic goals,
the mission, the vision, and the values of the organization, and support the achievement of the desired
outcomes and benefits. KPIs should also reflect the needs, expectations, and challenges of the business
stakeholders, and provide relevant, meaningful, and actionable information for decision making and
improvement. KPIs should not be too technical, complex, or ambiguous, but rather focus on the key
aspects of information security performance, such as risk, compliance, maturity, value, and effectiveness.
References = CISM Review Manual 15th Edition, Chapter 1, Section 1.3.2, page 281; CISM Domain –
Information Security Program Development | Infosec; KPIs in Information Security: The 10 Most Important
Security Metrics

23
Q
  1. Which of the following is MOST important to ensuring that incident management plans are
    executed effectively?

A. Management support and approval has been obtained.
B. The incident response team has the appropriate training.
C. An incident response maturity assessment has been conducted.
D. A reputable managed security services provider has been engaged.

A

Answer: A

24
Q
  1. Which of the following is the PRIMARY reason to regularly update business continuity and disaster
    recovery documents?

A. To enforce security policy requirements
B. To maintain business asset inventories
C. To ensure audit and compliance requirements are met
D. To ensure the availability of business operations

A

Answer: D

Explanation:
The primary reason to regularly update business continuity and disaster recovery documents is to ensure
that the plans and procedures are aligned with the current business needs and objectives, and that they
can effectively support the availability of business operations in the event of a disaster. Updating the
documents also helps to enforce security policy requirements, maintain business asset inventories, and
ensure audit and compliance requirements are met, but these are secondary benefits.
References = CISM Review Manual, 16th Edition eBook, Chapter 9: Business Continuity and Disaster
Recovery, Section: Business Continuity Planning, Subsection: Business Continuity Plan Maintenance,
Page 378.

25
Q
  1. Which of the following is the MOST effective way to ensure the security of services and solutions delivered
    by third-party vendors?

A. Integrate risk management into the vendor management process.
B. Conduct security reviews on the services and solutions delivered.
C. Review third-party contracts as part of the vendor management process.
D. Perform an audit on vendors’ security controls and practices.

A

Answer: A

Explanation:
Integrating risk management into the vendor management process is the most effective way to ensure the
security of services and solutions delivered by third-party vendors, as it enables the organization to identify,
assess, treat, and monitor the risks associated with outsourcing. Risk management should be applied
throughout the vendor life cycle, from selection, contracting, onboarding, monitoring, to termination. Risk
management also helps the organization to define the security requirements, expectations, and
responsibilities for the vendors, and to evaluate their performance and compliance. (From CISM Review
Manual 15th Edition)
References: CISM Review Manual 15th Edition, page 184, section 4.3.3.2; Preparing Your First Supplier
Audit Plan.

26
Q
  1. Which of the following BEST enables the assignment of risk and control ownership?

A. Aligning to an industry-recognized control framework
B. Adopting a risk management framework
C. Obtaining senior management buy-in
D. Developing an information security strategy

A

Answer: C

Explanation: Obtaining senior management buy-in is the best way to enable the assignment of risk and
control ownership because it helps to establish the authority and accountability of the risk and control
owners, as well as to provide them with the necessary resources and support to perform their roles. Risk
and control ownership refers to the assignment of specific responsibilities and accountabilities for managing
risks and controls to individuals or groups within the organization. Obtaining senior management buy-in
helps to ensure that risk and control ownership is aligned with the organizational objectives, structure, and
culture, as well as to communicate the expectations and benefits of risk and control ownership to all
stakeholders. Therefore, obtaining senior management buy-in is the correct answer.
References:
✑ https://www.protechtgroup.com/en-au/blog/risk-control-management
✑ https://www.mckinsey.com/~/media/mckinsey/dotcom/client_service/risk/working%20papers/23_getting_risk_ownership_right.ashx
✑ https://www.linkedin.com/pulse/risk-controls-who-owns-them-david-tattam

27
Q
  1. Following an employee security awareness training program, what should be the expected outcome?

A. A decrease in the number of viruses detected in incoming emails
B. A decrease in reported social engineering attacks
C. An increase in reported social engineering attempts
D. An increase in user-reported false positive incidents

A

Answer: C

Explanation:
This outcome indicates that the employees are more aware of the signs and techniques of social
engineering and are able to report them to the appropriate authorities. This also helps to prevent successful
attacks and reduce the impact of potential breaches. References: The CISM Review Manual 2023 states
that “security awareness training should include information on how to identify and report social engineering
attempts” and that “the effectiveness of security awareness training can be measured by the number and
quality of reported incidents” (p. 121). The CISM Review Questions, Answers & Explanations Manual 2023
also provides the following rationale for this answer: “An increase in reported social engineering attempts is
the best indicator that the security awareness training program has been effective, as it shows that the
employees are more vigilant and proactive in detecting and reporting such attempts” (p. 45).

28
Q
  1. A KEY consideration in the use of quantitative risk analysis is that it:

A. aligns with best practice for risk analysis of information assets.
B. assigns numeric values to exposures of information assets.
C. applies commonly used labels to information assets.
D. is based on criticality analysis of information assets.

A

Answer: B

Explanation: A key consideration in the use of quantitative risk analysis is that it assigns numeric values to
exposures of information assets, such as the probability of occurrence, the frequency of occurrence, the
impact of occurrence, and the monetary value of the assets. These numeric values help to measure and
compare the risks in a more objective and consistent way, and to support the decision-making process
based on cost-benefit analysis. Quantitative risk analysis also requires reliable and accurate data sources,
and it may involve the use of statistical tools and techniques.
References = CISM Review Manual, 16th Edition eBook, Chapter 2: Information Risk Management,
Section: Risk Analysis, Subsection: Quantitative Risk Analysis, Page 84.

29
Q
  1. A newly appointed information security manager has been asked to update all security-related policies and
    procedures that have been static for five years or more. What should be done NEXT?

A. Update in accordance with the best business practices.
B. Perform a risk assessment of the current IT environment.
C. Gain an understanding of the current business direction.
D. Inventory and review current security policies.

A

Answer: D

Explanation: The next step for the information security manager should be to inventory and review the
current security policies to understand the existing security requirements, controls, and gaps. This will help
to identify the areas that need to be updated, revised, or replaced to align with the current business needs
and objectives, as well as the legal and regulatory requirements. Updating the policies in accordance with
the best business practices, performing a risk assessment of the current IT environment, or gaining an
understanding of the current business direction are important activities, but they should be done after
reviewing the current security policies.
References = CISM Review Manual, 16th Edition eBook, Chapter 1: Information Security Governance,
Section: Information Security Policies, Standards, Procedures and Guidelines, Subsection: Information
Security Policies, Page 28.

30
Q
  1. An employee of an organization has reported losing a smartphone that contains sensitive information. The
    BEST step to address this situation is to:

A. disable the user’s access to corporate resources.
B. terminate the device connectivity.
C. remotely wipe the device.
D. escalate to the user’s management.

A

Answer: C

Explanation:
The best step to address the situation of losing a smartphone that contains sensitive information is to
remotely wipe the device, which means erasing all the data on the device and restoring it to factory settings.
Remotely wiping the device can prevent unauthorized access to the sensitive information and protect the
organization from data breaches or leaks. Remotely wiping the device can be done through services such
as Find My Device for Android or Find My iPhone for iOS, or through mobile device management (MDM)
solutions. The other options, such as disabling the user’s access, terminating the device connectivity, or
escalating to the user’s management, may not be effective or timely enough to secure the sensitive
information on the device. References:
✑ https://www.security.org/resources/protect-data-lost-device/
✑ https://support.google.com/android/answer/6160491?hl=en
✑ https://www.pcmag.com/how-to/locate-lock-erase-how-to-find-lost-android-phone

31
Q
  1. Which of the following should an information security manager do FIRST upon confirming a privileged
    user’s unauthorized modifications to a security application?

A. Implement compensating controls to address the risk.
B. Report the risk associated with the policy breach.
C. Implement a privileged access management system.
D. Enforce the security configuration and require the change to be reverted.

A

Answer: D

Explanation: The first step in handling unauthorized modifications to a security application is to assess the
problems and institute rollback procedures, if needed. This will ensure that the security application is
restored to its original state and prevent further damage or exploitation. The other options are possible
actions to take after the rollback, but they are not the first priority.
References = Protect, Detect and Correct Methodology to Mitigate Incidents: Insider Threats (section: The
Insider Threat)

32
Q
  1. An organization plans to leverage popular social network platforms to promote its products and services.
    Which of the following is the BEST course of action for the information security manager to support this
    initiative?

A. Establish processes to publish content on social networks.
B. Assess the security risk associated with the use of social networks.
C. Conduct vulnerability assessments on social network platforms.
D. Develop security controls for the use of social networks.

A

Answer: B

Explanation: The best course of action for the information security manager to support the initiative of
leveraging popular social network platforms to promote the organization’s products and services is to
assess the security risk associated with the use of social networks. Security risk assessment is a process of
identifying, analyzing, and evaluating the potential threats and vulnerabilities that may affect the
confidentiality, integrity, and availability of information assets and systems. By conducting a security risk
assessment, the information security manager can provide valuable input to the decision-making process
regarding the benefits and costs of using social networks, as well as the appropriate security controls and
mitigation strategies to reduce the risk to an acceptable level. The other options are not the best course of
action, although they may be part of the security risk management process. Establishing processes to
publish content on social networks is an operational task that should be performed after assessing the
security risk and implementing the necessary controls. Conducting vulnerability assessments on social
network platforms is a technical activity that may not be feasible or effective, as the organization does not
have control over the platforms’ infrastructure and configuration. Developing security controls for the use of
social networks is a preventive measure that should be based on the results of the security risk assessment
and aligned with the organization’s risk appetite and tolerance.

33
Q
  1. Which of the following should be the NEXT step after a security incident has been reported?

A. Recovery
B. Investigation
C. Escalation
D. Containment

A

Answer: D

34
Q
  1. To effectively manage an organization’s information security risk, it is MOST important to:

A. assign risk management responsibility to an experienced consultant.
B. periodically identify and correct new systems vulnerabilities.
C. establish and communicate risk tolerance.
D. benchmark risk scenarios against peer organizations.

A

Answer: C

Explanation:
To effectively manage an organization’s information security risk, it is most important to establish and
communicate risk tolerance, which is the level of risk that the organization is willing to accept or bear. By
establishing and communicating risk tolerance, the organization can align its risk management strategy and
objectives with its business goals and values, and ensure that the risk management activities and decisions
are consistent and appropriate across the organization.
References: The CISM Review Manual 2023 defines risk tolerance as “the acceptable level of variation that
management is willing to allow for any particular risk as the enterprise pursues its objectives” and states
that “the information security manager should assist the enterprise in establishing and communicating its
risk tolerance, and ensure that the risk management process is aligned with the enterprise’s risk tolerance”
(p. 94). The CISM Review Questions, Answers & Explanations Manual 2023 also provides the following
rationale for this answer: “Establish and communicate risk tolerance is the correct answer because it is the
most important factor to effectively manage an organization’s information security risk, as it helps to define
the scope, direction, and priorities of the risk management process, and to ensure that the risk
management activities and decisions are consistent and appropriate across the organization” (p. 29).
Additionally, the article Risk Tolerance: The Forgotten Factor from the ISACA Journal 2019 states that “risk
tolerance is the key factor that influences the risk management process and outcomes” and that “risk
tolerance should be established and communicated by the organization’s senior management and board of
directors, and should reflect the organization’s strategy, culture, and governance” (p. 1).

35
Q
  1. What should be the FIRST step when implementing data loss prevention (DLP) technology?

A. Perform due diligence with vendor candidates.
B. Build a business case.
C. Classify the organization’s data.
D. Perform a cost-benefit analysis.

A

Answer: C

36
Q
  1. An organization has decided to outsource IT operations. Which of the following should be the PRIMARY
    focus of the information security manager?

A. Security requirements are included in the vendor contract.
B. External security audit results are reviewed.
C. Service level agreements (SLAs) meet operational standards.
D. Business continuity contingency planning is provided.

A

Answer: A

Explanation:
Ensuring that security requirements are included in the vendor contract is the primary focus of the
information security manager when outsourcing IT operations because it ensures that the vendor is legally
bound to comply with the client’s security policies and standards, as well as any external regulations or laws.
This also helps to define the roles and responsibilities of both parties, the security metrics and controls to be
used, and the penalties for non-compliance or breach. Therefore, including security requirements in the
vendor contract is the correct answer.
References:
✑ https://www.techtarget.com/searchsecurity/tip/15-benefits-of-outsourcing-your-cybersecurity-operations
✑ https://www.sciencedirect.com/science/article/pii/S0378720616302166

37
Q
  1. Recommendations for enterprise investment in security technology should be PRIMARILY based on:

A. adherence to international standards
B. availability of financial resources
C. the organization’s risk tolerance
D. alignment with business needs

A

Answer: C

Explanation: According to the CISM Review Manual, 15th Edition, Chapter 3, Section 3.2.1.1,
recommendations for enterprise investment in security technology should be primarily based on the
organization’s risk tolerance.
The organization’s risk tolerance is the degree of uncertainty that the organization is willing to accept in
order to pursue its objectives. It reflects the organization’s appetite for risk and its ability to cope with
potential losses or disruptions. The higher the risk tolerance, the more aggressive and innovative the
security investments can be, as they can help achieve faster growth or competitive advantage. The lower
the risk tolerance, the more conservative and defensive the security investments should be, as they can
help protect the organization’s assets and reputation from potential threats.
References: CISM Review Manual, 15th Edition, Chapter 3, Section 3.2.1.1

38
Q
  1. The MOST important element in achieving executive commitment to an information security governance
    program is:

A. a defined security framework.
B. a process improvement model.
C. established security strategies.
D. identified business drivers.

A

Answer: D

Explanation: The most important element in achieving executive commitment to an information security
governance program is to align the program with the identified business drivers of the organization.
Business drivers are the factors that influence the strategic objectives, goals, and priorities of the
organization. They reflect the needs and expectations of the stakeholders, customers, regulators, and other
parties that are relevant to the organization’s mission and vision. By aligning the information security
governance program with the business drivers, the executive can demonstrate the value and benefits of
information security to the organization’s performance, reputation, and competitiveness. The other options
are not the most important element, although they may be part of an information security governance
program. A defined security framework is a set of standards, guidelines, and best practices that provide a
structure and direction for implementing information security. A process improvement model is a
methodology that helps to identify, analyze, and improve the processes related to information security.
Established security strategies are the plans and actions that define how information security supports and
enables the business objectives and goals. These elements are important for developing and executing an
information security governance program, but they do not necessarily ensure executive commitment unless
they are aligned with the business drivers.

39
Q
  1. Which of the following is the BEST indication that an organization has integrated information security
    governance with corporate governance?

A. Security performance metrics are measured against business objectives.
B. Impact is measured according to business loss when assessing IT risk.
C. Security policies are reviewed whenever business objectives are changed.
D. Service levels for security vendors are defined according to business needs.

A

Answer: A

Explanation:
Security performance metrics are quantitative or qualitative measures that indicate the effectiveness and
efficiency of the information security program in achieving the organization’s security goals and objectives.
Measuring security performance metrics against business objectives is the best indication that an
organization has integrated information security governance with corporate governance, as it demonstrates
that the security program is aligned with and supports the business strategy, value delivery, and risk
management. (From CISM Review Manual 15th Edition)
References: CISM Review Manual 15th Edition, page 37, section 1.3.2.2.

40
Q
  1. Senior management recently approved a mobile access policy that conflicts with industry best practices.
    Which of the following is the information security manager’s BEST course of action when developing
    security standards for mobile access to the organization’s network?

A. Align the standards with the organizational policy.
B. Align the standards with industry best practices.
C. Resolve the discrepancy before developing the standards.
D. Perform a cost-benefit analysis of aligning the standards to policy.

A

Answer: C

Explanation: The Information Security Manager’s primary responsibility is to ensure that the organization’s
information assets are adequately protected. In this scenario, there is a conflict between the approved
mobile access policy and industry best practices. Developing security standards based on a flawed policy
could lead to significant security vulnerabilities.
Why the other options are not the best course of action:
✑ A. Align the standards with the organizational policy: This would perpetuate the misalignment with best
practices, potentially leaving the organization exposed to risks.
✑ B. Align the standards with industry best practices: While this is ideal from a security perspective, it
directly contradicts the approved policy, which could create operational and compliance issues.
✑ D. Perform a cost-benefit analysis of aligning the standards to policy: A cost-benefit analysis might be
useful at some point, but it does not address the fundamental issue of a policy that is not in line with best
practices.
Key CISM Principles Reflected:
✑ Alignment with Organizational Objectives: Security standards and policies should support and enable
the organization’s business objectives.
✑ Risk Management: Identifying, assessing, and mitigating risks are essential elements of information
security management.
✑ Governance: Effective governance ensures that information security activities are aligned with the
organization’s strategies and objectives.
In summary: The Information Security Manager should proactively engage senior management to highlight
the discrepancy between the approved policy and industry best practices. The goal is to revise the policy to
ensure it adequately addresses security risks while supporting the organization’s objectives. Once the
policy is aligned with best practices, the security standards can be developed accordingly.

41
Q
  1. A software vendor has announced a zero-day vulnerability that exposes an organization’s critical business
    systems. The vendor has released an emergency patch. Which of the following should be the information
    security manager’s PRIMARY concern?

A. Ability to test the patch prior to deployment
B. Documentation of patching procedures
C. Adequacy of the incident response plan
D. Availability of resources to implement controls

A

Answer: D

42
Q
  1. Which of the following is MOST important to include in an information security policy?

A. Best practices
B. Management objectives
C. Baselines
D. Maturity levels

A

Answer: B

43
Q
  1. Which of the following is MOST important to the effectiveness of an information security steering
    committee?

A. The committee has strong regulatory knowledge.
B. The committee is comprised of representatives from senior management.
C. The committee has cross-organizational representation.
D. The committee uses a risk management framework.

A

Answer: C

44
Q
  1. Which of the following is the BEST way to obtain organization-wide support for an information security
    program?

A. Mandate regular security awareness training.
B. Develop security performance metrics.
C. Position security as a business enabler.
D. Prioritize security initiatives based on IT strategy.

A

Answer: C

Explanation:
Positioning security as a business enabler is the BEST way to obtain organization-wide support for an
information security program, because it helps to demonstrate the value and benefits of security to the
organization’s strategic objectives, performance, and reputation. By aligning security with the business
goals and needs, the information security manager can gain the buy-in and commitment of senior
management and other stakeholders, and foster a positive security culture across the organization.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 37: “The information security manager should position
information security as a business enabler that supports the achievement of the enterprise’s business
objectives and adds value to the enterprise.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 39: “The information security manager
should communicate the value and benefits of information security to senior management and other
stakeholders to obtain their support and commitment for the information security program.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 40: “The information security manager should promote
a positive security culture within the enterprise by influencing the behavior and attitude of employees and
other parties toward information security.”

45
Q
  1. Which of the following should be the GREATEST consideration when determining the recovery time
    objective (RTO) for an in-house critical application, database, or server?

A. Impact of service interruption
B. Results of recovery testing
C. Determination of recovery point objective (RPO)
D. Direction from senior management

A

Answer: A

46
Q
  1. Which of the following is MOST important to include in an information security status report to senior
    management?

A. Key risk indicators (KRIs)
B. Review of information security policies
C. Information security budget requests
D. List of recent security events

A

Answer: A

Explanation:
According to the CISM Review Manual, key risk indicators (KRIs) are the most important information to
include in an information security status report to senior management, as they provide a measure of the
current level of risk exposure and the effectiveness of the
risk management activities. KRIs also help to identify trends, patterns and emerging risks that may require
management attention or action.
References = CISM Review Manual, 27th Edition, Chapter 4, Section 4.3.2, page 209

47
Q
  1. An organization has implemented a new customer relationship management (CRM) system. Who should
    be responsible for enforcing authorized and controlled access to the CRM data?

A. The information security manager
B. The data custodian
C. Internal IT audit
D. The data owner

A

Answer: B

Explanation: The data custodian is the person or role who is responsible for enforcing authorized and
controlled access to the CRM data, according to the security policies and standards defined by the data
owner. The data custodian implements and maintains the technical and operational controls, such as
authentication, authorization, encryption, backup, and recovery, to protect the data from unauthorized
access, modification, disclosure, or destruction. The data custodian also monitors and reports on the data
access activities and incidents.
References = Setting Up Access Controls and Permissions in Your CRM, Accountability for Information
Security Roles and Responsibilities, Part 1, How to Meet the Shared Responsibility Model with CIS

48
Q
  1. Which of the following BEST facilitates the effective execution of an incident response plan?

A. The plan is based on risk assessment results.
B. The response team is trained on the plan.
C. The plan is based on industry best practice.
D. The incident response plan aligns with the IT disaster recovery plan (DRP).

A

Answer: B

Explanation: The effective execution of an incident response plan depends largely on the competence and
readiness of the response team, who are responsible for carrying out the tasks and activities defined in the
plan. Therefore, the best way to facilitate the effective execution of an incident response plan is to ensure
that the response team is trained on the plan, and that they are familiar with their roles, responsibilities,
procedures, and tools. Training the response team on the plan will also help to improve their confidence,
communication, coordination, and collaboration during an incident response. The other options are not the
best ways to facilitate the effective execution of an incident response plan, although they may be important
factors for developing or improving the plan. The plan should be based on risk assessment results and
industry best practice, but these do not guarantee that the plan will be executed effectively. The incident
response plan should align with the IT disaster recovery plan, but this does not ensure that the response
team is prepared and capable of executing the plan. References = CISM Review Manual, 16th Edition,
page 1031
The best way to facilitate the effective execution of an incident response plan is to ensure that the response
team is trained on the plan. An incident response plan is a set of instructions that defines the roles,
responsibilities, procedures, and tools for detecting, responding to, and recovering from security incidents.
An incident response team is a group of individuals that are assigned to perform specific tasks and activities
during an incident response process. The response team may include security analysts, IT staff, legal
counsel, public relations, and other stakeholders. To execute an incident response plan effectively, the
response team needs to be trained on the plan, which means they need to be familiar with the following
aspects of the plan:
✑ The scope and objectives of the plan
✑ The roles and responsibilities of each team member
✑ The communication and escalation protocols
✑ The incident classification and prioritization criteria
✑ The incident response procedures and tools
✑ The incident documentation and reporting requirements
✑ The incident review and improvement processes
By training the response team on the plan, the organization
can ensure that the team members are prepared and confident to handle any security incidents that may
occur, and that they can perform their tasks efficiently and consistently. The other options are not the best
way to facilitate the effective execution of an incident response plan, although they may be some steps or
outcomes of the process. The plan being based on risk assessment results is a desirable practice, as it
ensures that the plan is aligned with the organization’s risk profile and addresses the most relevant and
likely threats and vulnerabilities. However, it does not guarantee that the plan will be executed effectively
unless the response team is trained on the plan. The plan being based on industry best practice is a
desirable practice, as it ensures that the plan follows
established standards and guidelines for incident response. However, it does not guarantee that the plan
will be executed effectively unless the response team is trained on the plan. The incident response plan
aligning with the IT disaster recovery plan (DRP) is a desirable practice, as it ensures that the plans are
consistent and coordinated in terms of objectives, scope, roles, procedures, and tools. However, it does not
guarantee that the plan will be executed effectively unless the response team is trained on the plan.

49
Q
  1. Identifying which of the following BEST enables a cyberattack to be contained?

A. The vulnerability exploited by the attack
B. The segment targeted by the attack
C. The IP address of the computer that launched the attack
D. The threat actor that initiated the attack

A

Answer: B

50
Q
  1. Which of the following BEST facilitates the reporting of useful information about the effectiveness of the
    information security program?

A. Risk heat map.
B. Security benchmark report.
C. Security metrics dashboard.
D. Key risk indicators (KRIs).

A

Answer: C

Explanation:
A security metrics dashboard is a graphical representation of key performance indicators (KPIs) and key
risk indicators (KRIs) that provide useful information about the effectiveness of the information security
program. A security metrics dashboard can help communicate the value and performance of the
information security program to senior management and other stakeholders, as well as identify areas for
improvement and alignment with business objectives. A security metrics dashboard should be concise,
relevant, timely, accurate, and actionable.
References = CISM Review Manual 16th Edition, page 163; CISM Review Questions, Answers &
Explanations Manual 9th Edition, page 419.

51
Q
  1. Which of the following is MOST important to include in an information security status report to
    management?

A. List of recent security events
B. Key risk indicators (KRIs)
C. Review of information security policies
D. Information security budget requests

A

Answer: B

Explanation: Key risk indicators (KRIs) are the most useful to include in an information security status report
for management because they measure and report the level of risk exposure or performance against
predefined risk thresholds or targets, and alert management of any deviations or issues that may require
attention or action. List of recent security events is not very useful to include in an information security
status report for management because it does not provide any analysis or evaluation of the events or their
impact on the organization’s objectives or performance. Review of information security policies is not very
useful to include in an information security status report for management because it does not reflect any
progress or results of implementing or enforcing the policies. Information security budget requests are not
very useful to include in an information security status report for management because they do not indicate
any value or benefit of investing in information security initiatives or controls.
References:
✑ https://www.isaca.org/resources/isaca-journal/issues/2016/volume-6/how-to-measure-the-effectiveness-of-information-security-using-iso-27004

52
Q
  1. Which of the following is the PRIMARY benefit of an information security awareness training program?

A. Influencing human behavior
B. Evaluating organizational security culture
C. Defining risk accountability
D. Enforcing security policy

A

Answer: A

Explanation: Influencing human behavior is the primary benefit of an information security awareness
training program because it helps to reduce the human errors and vulnerabilities that can compromise the
security of data and systems. An information security awareness training program is a process or a
program that informs and empowers users to protect data and computing assets from security risks and
cyberattacks. It includes educational offerings that cover regulatory requirements, compliance policies, and
safe computing practices. An information security awareness training program helps to influence human
behavior by raising awareness of the security threats and challenges, enhancing knowledge and skills of
the security best practices and controls, and fostering a positive security culture and attitude among the
users. By influencing human behavior, an information security awareness training program can improve the
security posture and performance of the organization, as well as prevent or mitigate the impact of security
incidents. Therefore, influencing human behavior is the correct answer.
References:
✑ https://www.isms.online/iso-27002/control-6-3-information-security-awareness-education-and-training/
✑ https://www.isaca.org/resources/isaca-journal/issues/2019/volume-1/the-benefits-of-information-security-and-privacy-awareness-training-programs
✑ https://threatcop.com/blog/benefits-and-purpose-of-security-awareness-training/

53
Q
  1. Which of the following is the MOST important reason to document information security incidents that are
    reported across the organization?

A. Evaluate the security posture of the organization.
B. Identify unmitigated risk.
C. Prevent incident recurrence.
D. Support business investments in security.

A

Answer: C

54
Q
  1. An organization learns that a third party has outsourced critical functions to another external provider.
    Which of the following is the information security manager’s MOST important course of action?

A. Engage an independent audit of the third party’s external provider.
B. Recommend canceling the contract with the third party.
C. Evaluate the third party’s agreements with its external provider.
D. Conduct an external audit of the contracted third party.

A

Answer: C

Explanation: According to the CISM Review Manual, the information security manager should evaluate the
third party’s agreements with its external provider to ensure that the security requirements and controls are
adequate and consistent with the organization’s expectations. Engaging or conducting an audit may be a
subsequent step, but not the most important one. Recommending canceling the contract may be premature
and impractical. References = CISM Review Manual, 27th Edition, Chapter 3, Section 3.4.2, page 1431.

55
Q
  1. An organization recently updated and published its information security policy and standards. What should
    the information security manager do NEXT?

A. Conduct a risk assessment.
B. Communicate the changes to stakeholders.
C. Update the organization’s risk register.
D. Develop a policy exception process.

A

Answer: B

Explanation:
Communicating the changes to stakeholders is the next step after updating and publishing the information
security policy and standards, as it ensures that the stakeholders are aware of the new or revised
requirements, expectations and responsibilities, and can provide feedback or raise concerns if needed.
Communication also helps to promote the acceptance and adoption of the policy and standards, and to
reinforce the security culture and awareness within the organization. (From CISM Review Manual 15th
Edition) References: CISM Review Manual 15th Edition, page 183, section 4.3.3.1.

56
Q
  1. A business requires a legacy version of an application to operate but the application cannot be patched. To
    limit the risk exposure to the business, a firewall is implemented in front of the legacy application. Which
    risk treatment option has been applied?

A. Mitigate
B. Accept
C. Transfer
D. Avoid

A

Answer: A

Explanation: Mitigate is the risk treatment option that has been applied by implementing a firewall in front of
the legacy application because it helps to reduce the impact or probability of a risk. Mitigate is a process of
taking actions to lessen the negative effects of a risk, such as implementing security controls, policies, or
procedures. A firewall is a security device that monitors and filters the network traffic between the legacy
application and the external network, blocking or allowing packets based on predefined rules. A firewall
helps to mitigate the risk of unauthorized access, exploitation, or attack on the legacy application that
cannot be patched. Therefore, mitigate is the correct answer.
References:
✑ https://simplicable.com/risk/risk-treatment
✑ https://resources.infosecinstitute.com/topic/risk-treatment-options-planning-prevention/
✑ https://www.enisa.europa.eu/topics/risk-management/current-risk/risk-management-inventory/rm-process/risk-treatment

57
Q
  1. When drafting the corporate privacy statement for a public website, which of the following MUST be
    included?

A. Limited liability clause
B. Explanation of information usage
C. Information encryption requirements
D. Access control requirements

A

Answer: B

Explanation: A privacy statement should inform the users of the website how their personal information will
be collected, used, shared, and protected by the organization. References = CISM Review Manual, 16th
Edition, Chapter 4, Section 4.2.1.11

58
Q
  1. Which of the following is the BEST way to reduce the risk of security incidents from targeted email attacks?

A. Implement a data loss prevention (DLP) system
B. Disable all incoming cloud mail services
C. Conduct awareness training across the organization
D. Require acknowledgment of the acceptable use policy

A

Answer: C

Explanation:
Conducting awareness training across the organization is the best way to reduce the risk of security
incidents from targeted email attacks because it helps to educate and empower the employees to recognize
and avoid falling for such attacks. Targeted email attacks, such as phishing, spear phishing, or business
email compromise, rely on social engineering techniques to deceive and manipulate the recipients into
clicking on malicious links, opening malicious attachments, or disclosing sensitive information. Awareness
training can help to raise the level of security culture and behavior among the employees, as well as to
provide them with practical tips and best practices to protect themselves and the organization from targeted
email attacks. Therefore, conducting awareness training across the organization is the correct answer.
References:
✑ https://almanac.upenn.edu/articles/one-step-ahead-dont-get-caught-by-targeted-email-attacks
✑ https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec
✑ https://www.csoonline.com/article/3334617/what-is-spear-phishing-examples-tactics-and-techniques.html

59
Q
  1. Which of the following should an organization do FIRST upon learning that a subsidiary is located in a
    country where civil unrest has just begun?

A. Assess changes in the risk profile.
B. Activate the disaster recovery plan (DRP).
C. Invoke the incident response plan.
D. Conduct security awareness training.

A

Answer: A

60
Q
  1. When developing an information security strategy for an organization, which of the following is MOST
    helpful for understanding where to focus efforts?

A. Gap analysis
B. Project plans
C. Vulnerability assessment
D. Business impact analysis (BIA)

A

Answer: A

Explanation: Gap analysis is the MOST helpful tool for understanding where to focus efforts when
developing an information security strategy for an organization, because it helps to identify the current state
and the desired state of the information security governance, and the gaps between them. Gap analysis
also helps to prioritize the actions and resources needed to close the gaps and achieve the information
security objectives. References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 36: “Gap analysis is the process of comparing the
current state and the desired state of information security governance and identifying the gaps that need to
be addressed.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 37: “Gap analysis should be performed periodically to
assess the effectiveness and efficiency of the information security strategy and program and to identify the
areas for improvement.”
CISM domain 1: Information security governance [Updated 2022] - Infosec Resources: “Gap analysis: This
is a comparison of the current state of security with the desired state. It helps to identify the gaps in security
and prioritize the actions required to close them.”

61
Q
  1. Which of the following should an information security manager do FIRST upon confirming a privileged
    user’s unauthorized modifications to a security application?

A. Report the risk associated with the policy breach.
B. Enforce the security configuration and require the change to be reverted.
C. Implement compensating controls to address the risk.
D. Implement a privileged access management system.

A

Answer: B

Explanation: The first thing that an information security manager should do upon confirming a privileged
user’s unauthorized modifications to a security application is to enforce the security configuration and
require the change to be reverted. This is because the unauthorized modification may have compromised
the security of the application and the data it protects, and may have violated the security policies and
standards of the organization. By enforcing the security configuration and requiring the change to be
reverted, the information security manager can restore the security posture of the application and prevent
further unauthorized modifications.
References: The CISM Review Manual 2023 states that “the information security manager is responsible
for ensuring that the security configuration of information systems is in compliance with the security policies
and standards of the organization” and that “the information security manager should monitor and review
the security configuration of information systems on a regular basis and take corrective actions when
deviations or violations are detected” (p. 138). The CISM Review Questions, Answers & Explanations
Manual 2023 also provides the following rationale for this answer: “Enforcing the security configuration and
requiring the change to be reverted is the correct answer because it is the most immediate and effective
action to address the unauthorized modification and to maintain the security of the application” (p. 63).
Additionally, the Effective Interactive Privileged Access Review article from the ISACA Journal 2018 states
that “any unauthorized changes to the production environment should be reverted back to the original state
and the incident should be reported to the appropriate authority” (p. 4).

62
Q
  1. Which of the following is the BEST course of action when confidential information is inadvertently
    disseminated outside the organization?

A. Review compliance requirements.
B. Communicate the exposure.
C. Declare an incident.
D. Change the encryption keys.

A

Answer: C

Explanation:
Declaring an incident is the best course of action when confidential information is inadvertently
disseminated outside the organization, as it triggers the incident response process, which aims to contain,
analyze, eradicate, recover, and learn from the incident. Declaring an incident also helps to communicate
the exposure to the relevant stakeholders, such as senior management, legal authorities, customers, or
regulators, and to comply with the applicable laws and regulations regarding notification and disclosure.
Changing the encryption keys, reviewing compliance requirements, or communicating the exposure are
possible steps within the incident response process, but they are not the first course of action.
References = CISM Review Manual 2022, page 3121; CISM Exam Content Outline, Domain 4, Task 4.12;
CISM 2020: Incident Management; How to Respond to a Data Breach

63
Q
  1. Which of the following is MOST important to have in place to help ensure an organization’s cybersecurity
    program meets the needs of the business?

A. Risk assessment program
B. Information security awareness training
C. Information security governance
D. Information security metrics

A

Answer: C

Explanation: Information security governance is the process of establishing and maintaining the policies,
standards, frameworks, and best practices that guide the information security program of an organization.
Information security governance helps to ensure that the information security program meets the needs of
the business by aligning it with the organization’s risk appetite, objectives, and strategy. Information
security governance also helps to coordinate and integrate various assurance functions, such as risk
management, compliance, audit, and incident response, to provide a holistic view of
the information security posture. Information security governance is essential for achieving a positive return
on investment (ROI) from information security investments, as well as for enhancing the trust and
confidence of internal and external stakeholders. References = CISM Review Manual (Digital Version),
Chapter 1: Introduction to Information Security Management, Section 1.1: Overview of Information Security
Management. CISM Review Manual (Print Version), Chapter 1: Introduction to Information Security
Management, Section 1.1: Overview of Information Security Management. CISM ITEM DEVELOPMENT
GUIDE, Domain 1: Information Security Governance, Task Statement 1.1, p. 193. Information security
governance is MOST important to have in place to help ensure an organization’s cybersecurity program
meets the needs of the business. This is because information security governance provides the strategic
direction, oversight and accountability for the cybersecurity program. It also ensures that the program aligns
with the business objectives, risk appetite and compliance requirements of the organization. Information
security governance involves defining roles and responsibilities, establishing policies and standards, setting
goals and metrics, allocating resources and monitoring performance of the cybersecurity program.

64
Q
  1. Which of the following is MOST important for an information security manager to consider when identifying
    information security resource requirements?

A. Current resourcing levels
B. Availability of potential resources
C. Information security strategy
D. Information security incidents

A

Answer: C

65
Q
  1. Capacity planning would prevent:

A. file system overload arising from distributed denial of service (DDoS) attacks.
B. system downtime for scheduled security maintenance.
C. application failures arising from insufficient hardware resources.
D. software failures arising from exploitation of buffer capacity vulnerabilities.

A

Answer: C

Explanation: Capacity planning is the process of estimating and allocating the required resources (such as
CPU, memory, disk space, bandwidth, etc.) to meet the current and future demands of the information
systems and applications. Capacity planning would prevent application failures arising from insufficient
hardware resources, as it would ensure that the applications have enough resources to function properly
and efficiently, and avoid performance degradation, errors, or crashes.
References = CISM Review Manual 2022, page 3081; CISM Exam Content Outline, Domain 4, Knowledge
Statement 4.92; What is Capacity Planning? Definition and Examples

66
Q
  1. Which of the following should be done FIRST when a SIEM flags a potential event?

A. Validate the event is not a false positive.
B. Initiate the incident response plan.
C. Escalate the event to the business owner.
D. Implement compensating controls.

A

Answer: A

Explanation:
The first thing that should be done when a SIEM flags a potential event is to validate that the event is not
a false positive. A false positive is an event that is incorrectly identified as malicious or suspicious by the
SIEM, when in fact it is benign or normal. False positives can waste the time and resources of the security
team, and reduce the trust and confidence in the SIEM system. Therefore, it is important to verify the
accuracy and validity of the event before initiating any further actions, such as incident response,
escalation, or compensating controls. Validation can be done by analyzing the event data, comparing it with
the baseline or normal behavior, and checking for any anomalies or indicators of compromise. (From CISM
Manual or related resources)
References = CISM Review Manual 15th Edition, Chapter 4, Section 4.2.1, page 2091; CISM Review
Questions, Answers & Explanations Manual 9th Edition, Question 72, page 19

67
Q
  1. Which of the following trends would be of GREATEST concern when reviewing the performance of an
    organization’s intrusion detection systems (IDSs)?

A. Increase in false positives
B. Increase in false negatives
C. Decrease in false negatives
D. Decrease in false positives

A

Answer: B

Explanation:
False negatives are events that are not detected by the IDS, but should have been. An increase in false
negatives indicates that the IDS is missing potential attacks or intrusions, which could compromise the
security of the organization.
References = CISM Review Manual, 15th Edition, page 212; CISM Review Questions, Answers &
Explanations Database, question ID 1001.

68
Q
  1. Which of the following is an information security manager’s BEST course of action when a penetration test
    reveals a security exposure due to a firewall that is not configured correctly?

A. Ensure a plan with milestones is developed.
B. Implement a distributed denial of service (DDoS) control.
C. Engage the incident response team.
D. Define new key performance indicators (KPIs).

A

Answer: A

Explanation: A penetration test is a proactive way to identify and remediate security vulnerabilities in a
network. When a penetration test reveals a security exposure due to a firewall that is not configured
correctly, the information security manager’s best course of action is to ensure a plan with milestones is
developed to address the issue. This plan should include the root cause analysis, the corrective actions, the
responsible parties, the deadlines, and the verification methods. This way, the information security
manager can ensure that the security exposure is resolved in a timely and effective manner, and that the
firewall configuration is aligned with the security policy and the business objectives. References =
CISM Review Manual (Digital Version), page 193: “The information security manager should ensure that a
plan with milestones is developed to address the issues identified during the penetration test.”
How to configure a network firewall: Walkthrough: “A good network firewall is essential. Learn the basics of
configuring a network firewall, including stateful vs. stateless firewalls and access control lists in this
episode of Cyber Work Applied.”

69
Q
  1. Following a risk assessment, an organization has made the decision to adopt a bring your own device
    (BYOD) strategy. What should the information security manager do NEXT?

A. Develop a personal device policy
B. Implement a mobile device management (MDM) solution
C. Develop training specific to BYOD awareness
D. Define control requirements

A

Answer: D

Explanation: Defining control requirements is the next step to ensure the security policy framework
encompasses the new business model because it is a process of identifying and specifying the security
measures and standards that are needed to protect the data and applications accessed by the BYOD
devices. Defining control requirements helps to establish the baseline security level and expectations for
the BYOD strategy, as well as to align them with the business objectives and risks. Therefore, defining
control requirements is the correct answer.
References:
✑ https://www.digitalguardian.com/blog/ultimate-guide-byod-security-overcomingchallenges-creating-effective-policies-and-mitigating
✑ https://learn.microsoft.com/en-us/mem/intune/fundamentals/byod-technology-decisions

70
Q
  1. When remote access is granted to a company’s internal network, the MOST important consideration should
    be that access is provided:

A. on a need-to-know basis subject to controls.
B. subject to legal and regulatory requirements.
C. by the use of a remote access server.
D. if a robust IT infrastructure exists.

A

Answer: A

71
Q
  1. The PRIMARY purpose of conducting a business impact analysis (BIA) is to determine the:

A. scope of the business continuity program.
B. resources needed for business recovery.
C. recovery time objective (RTO).
D. scope of the incident response plan.

A

Answer: B

72
Q
  1. Which of the following should be done NEXT following senior management’s decision to comply with new
    personal data regulations that are much more stringent than those currently followed to avoid massive
    fines?

A. Encrypt data in transit and at rest.
B. Complete a return on investment (ROI) analysis.
C. Create and implement a data minimization plan.
D. Conduct a gap analysis.

A

Answer: D

Explanation:
A gap analysis is a tool that helps to identify the current state of compliance and the desired state of
compliance, as well as the actions needed to achieve the desired state. A gap analysis should be done
before implementing any specific controls or solutions, such as encryption, data minimization, or ROI
analysis.
References = CISM Review Manual 15th Edition, page 65; Information Security Architecture: Gap
Assessment and Prioritization, ISACA Journal, volume 2, 2018.

73
Q
  1. Who has the PRIMARY authority to decide if additional risk treatments are required to mitigate an identified
    risk?

A. Information security manager
B. IT risk manager
C. Internal auditor
D. Risk owner

A

Answer: D

Explanation:
The risk owner is the person who has the authority and accountability to make decisions about the risk,
including whether to accept, avoid, transfer, or mitigate it. The risk owner is also responsible for
implementing and monitoring the risk treatment plan and reporting on the risk status. The risk owner is
usually the business process owner or the information owner of the asset affected by the risk. (From CISM
Review Manual 15th Edition) References: CISM Review Manual 15th Edition, page 64, section 2.2.1.2.

74
Q
  1. Spoofing should be prevented because it may be used to:

A. gain illegal entry to a secure system by faking the sender’s address.
B. predict which way a program will branch when an option is presented.
C. assemble information, track traffic, and identify network vulnerabilities.
D. capture information such as passwords traveling through the network.

A

Answer: A

Explanation:
Gaining illegal entry to a secure system by faking the sender’s address is one of the reasons why spoofing
should be prevented. Spoofing is a technique that involves impersonating someone or something else to
deceive or manipulate the recipient or target. Spoofing can be applied to various communication channels,
such as emails, websites,
phone calls, IP addresses, or DNS servers. One of the common goals of spoofing is to gain unauthorized
access to a secure system by faking the sender’s address, such as an email address or an IP address. For
example, an attacker may spoof an email address of a trusted person or organization and send a phishing
email that contains a malicious link or attachment. If the recipient clicks on the link or opens the attachment,
they may be redirected to a fake website that asks for their credentials or downloads malware onto their
device. Alternatively, an attacker may spoof an IP address of a trusted source and send packets to a secure
system that contains malicious code or commands. If the system accepts the packets as legitimate, it may
execute the code or commands and compromise its security. Therefore, gaining illegal entry to a secure
system by faking the sender’s address is one of the reasons why spoofing should be prevented.
References:
✑ https://www.kaspersky.com/resource-center/definitions/spoofing
✑ https://www.cisa.gov/resources-tools/resources/business-case-security
✑ https://www.avast.com/c-spoofing

75
Q
  1. Which of the following roles is PRIMARILY responsible for developing an information classification
    framework based on business needs?

A. Information security manager
B. Information security steering committee
C. Information owner
D. Senior management

A

Answer: C

Explanation: According to the CISM Review Manual (Digital Version), Chapter 3, Section 3.2.1, Information
owners are responsible for developing an information classification framework based on business needs.
They are also responsible for defining and maintaining the classification scheme, policies, and procedures
for their information assets.
The CISM Review Manual (Digital Version) also states that information owners should collaborate with
other stakeholders, such as information security managers, information security steering committees,
senior management, and legal counsel, to ensure that the classification framework is aligned with the
organization’s objectives and complies with applicable laws and regulations.
The CISM Exam Content Outline also covers the topic of information classification frameworks in Domain 3,
Information Security Program Development and Management (27% exam weight). The subtopics include:
✑ 3.2.1 Information Classification Frameworks
✑ 3.2.2 Information Classification Policies
✑ 3.2.3 Information Classification Procedures
✑ 3.2.4 Information Classification Training

76
Q
  1. Which of the following is the BEST option to lower the cost to implement application security controls?

A. Perform security tests in the development environment.
B. Integrate security activities within the development process.
C. Perform a risk analysis after project completion.
D. Include standard application security requirements.

A

Answer: B

Explanation: Integrating security activities within the development process is the best option to lower the
cost to implement application security controls because it ensures that security is considered and
addressed throughout the software development life cycle (SDLC), from design to deployment, and
reduces the likelihood and impact of security flaws or vulnerabilities that may require costly fixes or patches
later on. Performing security tests in the development environment is not the best option because it may not
detect or prevent all security issues that may arise in different environments or scenarios. Performing a risk
analysis after project completion is not a good option because it may be too late to identify or mitigate
security risks that may have been introduced during the project. Including standard application security
requirements is not a good option because it may not account for specific or unique security needs or
challenges of different applications or projects. References:
✑ https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/secure-software-development-lifecycle
✑ https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/technical-security-standards-for-information-systems

77
Q
  1. An information security manager has recently been notified of potential security risks associated with a
    third-party service provider. What should be done NEXT to address this concern?

A. Escalate to the chief risk officer (CRO).
B. Conduct a vulnerability analysis.
C. Conduct a risk analysis.
D. Determine compensating controls.

A

Answer: C

Explanation: A risk analysis is the next step to identify and evaluate the potential security risks associated
with a third-party service provider and determine the appropriate risk response strategies. References =
CISM Review Manual, 16th Edition, Domain 2: Information Risk Management, Chapter 2: Risk Identification,
p. 97-981; Chapter 3: Risk Assessment, p. 109-1101; Chapter 4: Risk Response, p. 123-1241

78
Q
  1. Which of the following is the BEST way to address data availability concerns when outsourcing information
    security administration?

A. Develop service level agreements (SLAs).
B. Stipulate insurance requirements.
C. Require nondisclosure agreements (NDAs).
D. Create contingency plans.

A

Answer: D

79
Q
  1. The PRIMARY goal of the eradication phase in an incident response process is to:

A. maintain a strict chain of custody.
B. provide effective triage and containment of the incident.
C. remove the threat and restore affected systems
D. obtain forensic evidence from the affected system.

A

Answer: C

Explanation: The primary goal of the eradication phase in an incident response process is to remove the
threat and restore affected systems because it eliminates any traces or remnants of malicious activity or
compromise from the systems or network, and returns
them to their normal or secure state. Maintaining a strict chain of custody is not a goal of the eradication
phase, but rather a requirement for preserving and documenting digital evidence throughout the incident
response process. Providing effective triage and containment of the incident is not a goal of the eradication
phase, but rather a goal of the containment phase, which isolates and stops the spread of malicious activity
or compromise. Obtaining forensic evidence from the affected system is not a goal of the eradication phase,
but rather a goal of the identification phase, which collects and analyzes data or artifacts related to
malicious activity or compromise. References:
✑ https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-response-lessons-learned
✑ https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/incident-response-lessons-learned

80
Q
  1. Which of the following is the BEST reason for senior management to support a business case for
    developing a monitoring system for a critical application?

A. An industry peer experienced a recent breach with a similar application.
B. The system can be replicated for additional use cases.
C. The cost of implementing the system is less than the impact of downtime.
D. The solution is within the organization’s risk tolerance.

A

Answer: C

Explanation: A monitoring system for a critical application can help detect and prevent incidents that could
affect the availability, integrity, and confidentiality of the application and its data. The impact of downtime
could include loss of revenue, reputation, customer satisfaction, and regulatory compliance. Therefore, the
cost of implementing the system should be justified by the potential savings from avoiding or minimizing
these impacts. References = CISM Review Manual, 15th Edition, page 173; An Introduction to Metrics,
Monitoring, and Alerting; Business-critical applications: What are they and how do you protect them from
cyberattack?

81
Q
  1. When an organization experiences a disruptive event, the business continuity plan (BCP) should be
    triggered PRIMARILY based on:

A. expected duration of outage.
B. management direction.
C. type of security incident.
D. the root cause of the event.

A

Answer: A

Explanation:
The expected duration of outage is the primary factor that should trigger the BCP because it indicates how
long the organization can tolerate the disruption of its critical business processes and functions before it
causes unacceptable consequences. The expected duration of outage is determined by the recovery time
objectives (RTOs) that are defined for each critical business process and function based on the business
impact analysis (BIA). The BCP should be triggered when the expected duration of outage exceeds or is
likely to exceed the RTOs.
References: The CISM Review Manual 2023 defines RTO as “the maximum acceptable time that a service
can be unavailable or disrupted before it causes unacceptable consequences” and states that “the RTO is
determined based on the impact of service interruption on the enterprise’s business processes, reputation,
customers, and stakeholders” (p. 189). The CISM Review Questions, Answers & Explanations Manual
2023 also provides the following rationale for this answer: “Expected duration of outage is the correct
answer because it is the primary factor that should trigger the BCP, as it reflects the maximum time that the
organization can afford to lose its critical business processes and functions without causing unacceptable
consequences” (p. 96). Additionally, the article Invoking your business continuity plan: five triggers, six
decision points from the ITWeb website states that “the expected duration of outage is the most important
consideration when deciding to invoke the BCP, as it indicates how long the organization can sustain the
disruption before it impacts its business objectives, operations, reputation, and legal obligations” (p. 2).

82
Q
  1. In a call center, the BEST reason to conduct a social engineering test is to:

A. identify candidates for additional security training.
B. minimize the likelihood of successful attacks.
C. gain funding for information security initiatives.
D. improve password policy.

A

Answer: A

Explanation: The best reason to conduct a social engineering test in a call center is to identify candidates
for additional security training because it helps to assess the level of awareness and skills of the call center
staff in recognizing and resisting social engineering attacks, and provide them with the necessary training
or education to improve their security posture. Minimizing the likelihood of successful attacks is not a
reason to conduct a social engineering test, but rather a possible outcome or benefit of conducting such a
test. Gaining funding for information security initiatives is not a reason to conduct a social engineering test,
but rather a possible outcome or benefit of conducting such a test. Improving password policy is not a
reason to conduct a social engineering test, but rather a possible outcome or benefit of conducting such a
test. References:
✑ https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/the-value-of-penetration-testing
✑ https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/security-scanning-versus-penetration-testing

83
Q
  1. After a ransomware incident an organization’s systems were restored. Which of the following should be of
    MOST concern to the information security manager?

A. The service level agreement (SLA) was not met.
B. The recovery time objective (RTO) was not met.
C. The root cause was not identified.
D. Notification to stakeholders was delayed.

A

Answer: C

Explanation: After a ransomware incident, the most important concern for the information security
manager is to identify the root cause of the incident and prevent it from happening again. The root cause
analysis (RCA) is a systematic process of finding and eliminating the underlying factors that led to the
incident, such as vulnerabilities, misconfigurations, human errors, or malicious actions. Without performing
a RCA, the organization may not be able to address the root cause and may face the same or similar
incidents in the future, which could result in more damage, costs, and reputational loss. Therefore, the
information security manager should prioritize the RCA over other concerns, such as meeting the SLA,
RTO, or notification requirements, which are important but secondary to the RCA.
References = CISM Review Manual 15th Edition, page 254-2551; CISM Review Questions, Answers &
Explanations Database - 12 Month Subscription, QID 4202

84
Q
  1. An organization has purchased an Internet sales company to extend the sales department. The information
    security manager’s FIRST step to ensure the security policy framework encompasses the new business
    model is to:

A. perform a gap analysis.
B. implement both companies’ policies separately.
C. merge both companies’ policies.
D. perform a vulnerability assessment.

A

Answer: A

Explanation: Performing a gap analysis is the first step to ensure the security policy framework
encompasses the new business model because it is a process of comparing the current state of security
policies and controls with the desired or required state. A gap analysis helps to identify the strengths and
weaknesses of the existing security policy framework, as well as the opportunities and threats posed by the
new business model. A gap analysis also helps to prioritize the actions and resources needed to close the
gaps and align the security policy framework with the new business objectives and requirements. Therefore,
performing a gap analysis is the correct answer.
References:
✑ https://secureframe.com/blog/security-frameworks
✑ https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one

85
Q
  1. Which of the following is the MOST effective way to increase security awareness in an organization?

A. Implement regularly scheduled information security audits.
B. Require signed acknowledgment of information security policies.
C. Conduct periodic simulated phishing exercises.
D. Include information security requirements in job descriptions.

A

Answer: C

86
Q
  1. Internal audit has reported a number of information security issues that are not in compliance with
    regulatory requirements. What should the information security manager do FIRST?

A. Perform a vulnerability assessment
B. Perform a gap analysis to determine needed resources
C. Create a security exception
D. Assess the risk to business operations

A

Answer: D

Explanation: According to the CISM Manual, the information security manager should first assess the risk to
business operations before taking any other action. This will help to prioritize the issues and determine the
appropriate response. Performing a vulnerability assessment, a gap analysis, or creating a security
exception are possible actions, but they should be based on the risk assessment results. References =
CISM Manual, 5th Edition, page 1211; CISM Practice Quiz, question 32

87
Q
  1. Which of the following is ESSENTIAL to ensuring effective incident response?

A. Business continuity plan (BCP)
B. Cost-benefit analysis
C. Classification scheme
D. Senior management support

A

Answer: D

Explanation: Senior management support is essential to ensuring effective incident response because it
provides the necessary authority, resources, and guidance for the information security team to perform their
roles and responsibilities. Senior management
support also helps to establish the goals, scope, policies, and procedures for the incident response plan
(IRP), as well as to ensure its alignment with the business objectives and strategy. Senior management
support also fosters a culture of security awareness, accountability, and collaboration among all
stakeholders involved in the incident response process.
The other options are not essential to ensuring effective incident response, although they may be helpful or
beneficial. A business continuity plan (BCP) is a document that outlines the actions and arrangements to
ensure the continuity of critical business functions in the event of a disruption or disaster. A cost-benefit
analysis is a method of comparing the costs and benefits of different alternatives or solutions to a problem.
A classification scheme is a system of categorizing information assets based on their sensitivity, value, and
criticality. References = CISM Manual [1], Chapter 6: Incident Response Planning (IRP), Section 6.1: Incident
Response Plan [2]
1: https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles 2: 4

88
Q
  1. Which of the following should be the FIRST step in patch management procedures when receiving an
    emergency security patch?

A. Schedule patching based on the criticality.
B. Install the patch immediately to eliminate the vulnerability.
C. Conduct comprehensive testing of the patch.
D. Validate the authenticity of the patch.

A

Answer: D

Explanation:
Validating the authenticity of the patch is the first step in patch management procedures when receiving an
emergency security patch, as it helps to ensure that the patch is genuine and not malicious. Validating the
authenticity of the patch can be done by verifying the source, signature, checksum, or certificate of the
patch, and comparing it with the information provided by the software vendor or manufacturer. Installing an
unverified patch may introduce malware, compromise the system, or cause unexpected errors or conflicts.
References = CISM Review Manual 2022, page 3131; CISM Exam Content Outline, Domain 4, Task 4.42;
Practical Patch Management and Mitigation1; Vulnerability and patch
management in the CISSP exam3

89
Q
  1. Which of the following BEST facilitates effective strategic alignment of security initiatives?

A. The business strategy is periodically updated
B. Procedures and standards are approved by department heads.
C. Periodic security audits are conducted by a third-party.
D. Organizational units contribute to and agree on priorities

A

Answer: D

Explanation: Organizational units contribute to and agree on priorities is the best way to facilitate effective
strategic alignment of security initiatives because it ensures that the security initiatives are aligned with the
business goals and objectives, supported by relevant stakeholders, and prioritized based on risk and value.
The business strategy is periodically updated is not sufficient to facilitate effective strategic alignment of
security initiatives because it does not involve collaboration or communication between different
organizational units. Procedures and standards are approved by department heads is not sufficient to
facilitate effective strategic alignment of security initiatives because it does not reflect the strategic direction
or vision of the organization. Periodic security audits are conducted by a third-party is not sufficient to
facilitate effective strategic alignment of security initiatives because it does not address the planning or
implementation of security initiatives. References:
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-2/how-to-align-security-initiatives-with-business-goals-and-objectives
https://www.isaca.org/resources/isaca-journal/issues/2015/volume-1/how-to-measure-theeffectiveness-of-information-security-governance

90
Q
  1. A recent application security assessment identified a number of low- and medium-level vulnerabilities.
    Which of the following stakeholders is responsible for deciding the appropriate risk treatment option?

A. Security manager
B. Chief information security officer (CISO)
C. System administrator
D. Business owner

A

Answer: B

Explanation: Verified

91
Q
  1. The PRIMARY purpose for deploying information security metrics is to:

A. compare program effectiveness to benchmarks.
B. support ongoing security budget requirements.
C. ensure that technical operations meet specifications.
D. provide information needed to make decisions.

A

Answer: D

92
Q
  1. Internal audit has reported a number of information security issues that are not in compliance with
    regulatory requirements. What should the information security manager do FIRST?

A. Create a security exception.
B. Perform a gap analysis to determine needed resources.
C. Perform a vulnerability assessment.
D. Assess the risk to business operations.

A

Answer: D

Explanation: The information security manager should first assess the risk to business operations that are
caused by the information security issues reported by internal audit. This will help to prioritize the
remediation actions and allocate the necessary resources. Creating a security exception, performing a gap
analysis, or performing a vulnerability assessment are possible subsequent steps, but they are not the first
action to take. References = CISM Review Manual, 16th Edition, page 48

93
Q
  1. The PRIMARY purpose for continuous monitoring of security controls is to ensure:

A. system availability.
B. control gaps are minimized.
C. alignment with compliance requirements.
D. effectiveness of controls.

A

Answer: D

Explanation: The primary purpose for continuous monitoring of security controls is to ensure that the
controls are effective in achieving the desired security objectives and mitigating the identified risks.
Continuous monitoring provides ongoing assurance that the planned and implemented security controls are
aligned with the organizational risk tolerance and can respond to changes in the threat environment, the
system, or the business processes. Continuous monitoring also helps to identify and address any control
weaknesses or gaps in a timely manner. (From CISM Review Manual 15th Edition and NIST Special
Publication 800-137 [1])
References: CISM Review Manual 15th Edition, page 181, section 4.3.2.4; NIST Special Publication
800-137 [1], page 1, section 1.1.

94
Q
  1. Which of the following presents the GREATEST risk associated with the use of an automated security
    information and event management (SIEM) system?

A. Low number of false positives
B. Low number of false negatives
C. High number of false positives
D. High number of false negatives

A

Answer: D

Explanation:
A false negative is a security incident that was not detected by the SIEM system, which presents the
greatest risk as it allows attackers to compromise the organization’s assets and data without being noticed
or stopped. A high number of false negatives can indicate that the SIEM system is not configured properly,
has insufficient data sources, or lacks effective analytics and correlation rules. (From CISM Review Manual
15th Edition) References: CISM Review Manual 15th Edition, page 181, section 4.3.2.4.

95
Q
  1. During the implementation of a new system, which of the following processes proactively minimizes the
    likelihood of disruption, unauthorized alterations, and errors?

A. Configuration management
B. Password management
C. Change management
D. Version management

A

Answer: C

Explanation: Change management is the process of planning, implementing, and monitoring changes to
information systems in a controlled and coordinated manner. Change management proactively minimizes
the likelihood of disruption, unauthorized alterations, and errors by ensuring that changes are aligned with
the organization’s objectives, policies, and procedures. Change management also involves identifying and
mitigating the risks associated with changes, as well as communicating and documenting the changes to all
relevant stakeholders [1][2].
References = 1: CISM Review Manual (Digital Version), page 271 2: CISM Review Manual (Print Version),
page 271

96
Q
  1. When multiple Internet intrusions on a server are detected, the PRIMARY concern of the information
    security manager should be to ensure:

A. the integrity of evidence is preserved.
B. forensic investigation software is loaded on the server.
C. the incident is reported to senior management.
D. the server is unplugged from power.

A

Answer: A

97
Q
  1. A new information security manager finds that the organization tends to use short-term solutions to address
    problems. Resource allocation and spending are not effectively tracked, and there is no assurance that
    compliance requirements are being met. What should be done FIRST to reverse this bottom-up approach
    to security?

A. Conduct a threat analysis.
B. Implement an information security awareness training program.
C. Establish an audit committee.
D. Create an information security steering committee.

A

Answer: D

98
Q
  1. Which of the following MUST be established to maintain an effective information security governance
    framework?

A. Security controls automation
B. Defined security metrics
C. Change management processes
D. Security policy provisions

A

Answer: D

Explanation:
Security policy provisions are the statements or rules that define the information security objectives,
principles, roles and responsibilities, and requirements for the organization. Security policy provisions must
be established to maintain an effective information security governance framework, as they provide the
foundation and direction for the information security activities and processes within the organization.
Security policy provisions also help to align the information security governance framework with the
business strategy and objectives, and ensure compliance with relevant laws and regulations. The other
options, such as security controls automation, defined security metrics, or change management processes,
are important components of an information security governance framework, but they are not essential to
establish it. References:
✑ https://www.iso.org/standard/74046.html
✑ https://www.nist.gov/cyberframework
✑ https://www.iso.org/standard/27001

99
Q
  1. Which of the following is the PRIMARY reason to conduct a post-incident review?

A. To aid in future risk assessments
B. To improve the response process
C. To determine whether digital evidence is admissible
D. To notify regulatory authorities

A

Answer: B

100
Q
  1. In order to gain organization-wide support for an information security program, which of the following is
    MOST important to consider?

A. Maturity of the security policy
B. Clarity of security roles and responsibilities
C. Corporate culture
D. Corporate risk framework

A

Answer: C

Explanation:
Corporate culture is the most important factor to consider when trying to gain organization-wide support for
an information security program because it reflects the values, beliefs, and behaviors of the organization
and its members. Corporate culture influences how the organization perceives, prioritizes, and responds to
information security risks and issues, and how it adopts and implements information security policies and
practices. By understanding and aligning with the corporate culture, the information security manager can
communicate the benefits and value of the information security program, and foster a positive and
collaborative security culture across the organization.
References: The CISM Review Manual 2023 states that “corporate culture is the set of shared values,
beliefs, and behaviors that characterize the organization and its members” and that “corporate culture
affects how the organization views and manages information security risks and issues, and how it supports
and implements information security policies and practices” (p. 81). The CISM Review Questions, Answers
& Explanations Manual 2023 also provides the following rationale for this answer: “Corporate culture is the
correct answer because it is the most important factor to consider when trying to gain organization-wide
support for an information security program, as it reflects the values, beliefs, and behaviors of the
organization and its members, and influences how they perceive, prioritize, and respond to information
security risks and issues, and how they adopt and implement information security policies and practices” (p.
23). Additionally, the article Building a Culture of Security from the ISACA Journal 2019 states that
“corporate culture is the key factor that determines the success or failure of an information security
program” and that “corporate culture can be either an enabler or a barrier for information security,
depending on how well it aligns with the information security objectives, values, and practices of the
organization” (p. 1).