CISM 1 Flashcards
- An organization recently outsourced the development of a mission-critical business application. Which of
the following would be the BEST way to test for the existence of backdoors?
A. Scan the entire application using a vulnerability scanning tool.
B. Run the application from a high-privileged account on a test system.
C. Perform security code reviews on the entire application.
D. Monitor Internet traffic for sensitive information leakage.
Answer: C
Explanation: The best way to test for the existence of backdoors in a mission-critical business application
that was outsourced to a third-party developer is to perform security code reviews on the entire application.
A backdoor is a hidden or undocumented feature or function in a software application that allows
unauthorized or remote access, control, or manipulation of the application or the system it runs on.
Backdoors can be intentionally or unintentionally introduced by the developers, or maliciously inserted by
the attackers, and they can pose serious security risks and threats to the organization and its data. Security
code reviews are the process of examining and analyzing the source code of a software application to
identify and eliminate any security vulnerabilities, flaws, or weaknesses, such as backdoors, that may
compromise the functionality, performance, or integrity of the application or the system. Security code
reviews can be performed manually by the security experts, or automatically by the security tools, or both,
and they can be done at different stages of the software development life cycle, such as design, coding,
testing, or deployment. Security code reviews can help to detect and remove any backdoors in the
application before they can be exploited by the attackers, and they can also help to improve the quality,
reliability, and security of the application.
References = CISM Review Manual, 16th Edition, Chapter 3: Information Security Program Development
and Management, Section: Information Security Program Development, page 1581; CISM Review
Questions, Answers & Explanations Manual, 10th Edition, Question 87, page 812; CISM ITEM
DEVELOPMENT GUIDE, page 63.
- Which of the following would be MOST helpful to identify worst-case disruption scenarios?
A. Business impact analysis (BIA)
B. Business process analysis
C. SWOT analysis
D. Cost-benefit analysis
Answer: A
Explanation: A business impact analysis (BIA) is the process of identifying and evaluating the potential
effects of disruptions to critical business functions or processes. A BIA helps to determine the recovery
priorities, objectives, and strategies for the organization in the event of a disaster or crisis. A BIA also helps
to identify the worst-case disruption scenarios, which are the scenarios that would cause the most severe
impact to the organization in terms of financial, operational, reputational, or legal consequences. By
conducting a BIA, the organization can assess the likelihood and impact of various disruption scenarios,
and plan accordingly to mitigate the risks and ensure business continuity and resilience. References =
CISM Review Manual 15th Edition, page 181, page 183.
- An incident response team has been assembled from a group of experienced individuals. Which type of
exercise would be MOST beneficial for the team at the first drill?
A. Red team exercise
B. Black box penetration test
C. Disaster recovery exercise
D. Tabletop exercise
Answer: D
Explanation: A tabletop exercise is the best type of exercise for an incident response team at the first drill,
as it is a low-cost, low-risk, and high-value method to test and evaluate the incident response plan,
procedures, roles, and capabilities. A tabletop exercise is a simulation of a realistic scenario that involves a
security incident, and requires the participation and discussion of the incident response team members and
other relevant stakeholders. The tabletop exercise allows the incident response team to identify and
address the gaps, issues, or challenges in the incident response process, and to improve the
communication, coordination, and collaboration among the team members and other parties. The tabletop
exercise also helps to enhance the knowledge, skills, and confidence of the incident response team
members, and to prepare them for more complex or advanced exercises or real incidents.
A red team exercise (A) is a type of exercise that involves a group of ethical hackers or security experts
who act as adversaries and attempt to compromise the organization’s security defenses, systems, or
processes. A red team exercise is a high-cost, high-risk, and high-value method to test and evaluate the
security posture and resilience of the organization, and to identify and exploit the security weaknesses or
vulnerabilities. However, a red team exercise is not the best type of exercise for an incident response team
at the first drill, as it is more suitable for a mature and experienced team that has already tested and
validated the incident response plan, procedures, roles, and capabilities.
A black box penetration test (B) is a type of security testing that simulates a malicious attack on the
organization’s systems or processes, without any prior knowledge or information about them. A black box
penetration test is a high-cost, high-risk, and high-value method to test and evaluate the security posture
and resilience of the organization, and to identify and exploit the security weaknesses or vulnerabilities.
However, a black box penetration test is not the best type of exercise for an incident response team at the
first drill, as it is more suitable for a mature and experienced team that has already tested and validated the
incident response plan, procedures, roles, and capabilities.
A disaster recovery exercise (C) is a type of exercise that simulates a catastrophic event that disrupts or
destroys the organization’s critical systems or processes, and requires the activation and execution of the
disaster recovery plan, procedures, roles, and capabilities. A disaster recovery exercise is a high-cost,
high-risk, and high-value method to test and evaluate the disaster recovery posture and resilience of the
organization, and to identify and address the recovery issues or challenges. However, a disaster recovery
exercise is not the best type of exercise for an incident response team at the first drill, as it is more suitable
for a mature and experienced team that has already tested and validated the incident response plan,
procedures, roles, and capabilities.
References = CISM Review Manual, 16th Edition, Chapter 4: Information Security Incident Management,
Section: Incident Response Plan, Subsection: Testing and Maintenance, page 184-1851
- Which of the following is the PRIMARY benefit of implementing a vulnerability assessment process?
A. Threat management is enhanced.
B. Compliance status is improved.
C. Security metrics are enhanced.
D. Proactive risk management is facilitated.
Answer: D
Explanation: The primary benefit of implementing a vulnerability assessment process is to facilitate
proactive risk management. A vulnerability assessment process is a systematic and periodic evaluation of
the security posture of an information system or network, which identifies and measures the weaknesses
and exposures that may be exploited by threats. By implementing a vulnerability assessment process, the
organization can proactively identify and prioritize the risks, and implement appropriate controls and
mitigation strategies to reduce the likelihood and impact of potential incidents. The other options are
possible benefits of implementing a vulnerability assessment process, but they are not the primary one.
References = CISM Review Manual 15th Edition, page 1731; CISM Review Questions, Answers &
Explanations Database - 12 Month Subscription, Question ID: 1029
- Which of the following will result in the MOST accurate controls assessment?
A. Mature change management processes
B. Senior management support
C. Well-defined security policies
D. Unannounced testing
Answer: D
Explanation: Unannounced testing is the most accurate way to assess the effectiveness of controls, as it
simulates a real-world scenario and does not allow the staff to prepare or modify their behavior in advance.
Mature change management processes, senior management support, and well-defined security policies
are all important factors for establishing and maintaining a strong security posture, but they do not directly
measure the performance of controls. References = CISM Review Manual, 16th Edition, page 149. CISM
Questions, Answers & Explanations Database, question ID 1003.
- Which of the following is MOST important when conducting a forensic investigation?
A. Analyzing system memory
B. Documenting analysis steps
C. Capturing full system images
D. Maintaining a chain of custody
Answer: D
Explanation: Maintaining a chain of custody is the most important step when conducting a forensic
investigation, as this ensures that the evidence is preserved, protected, and documented from the time of
collection to the time of presentation in court. A chain of custody provides a record of who handled the
evidence, when, where, why, and how, and prevents any tampering, alteration, or loss of the evidence. A
chain of custody also establishes the authenticity, reliability, and admissibility of the evidence in legal
proceedings. Analyzing system memory, documenting analysis steps, and capturing full system images are
also important, but not as important as maintaining a chain of custody, as they do not guarantee the
integrity and validity of the evidence. References = CISM Review Manual 2023, page 1701; CISM Review
Questions, Answers & Explanations Manual 2023, page 332; ISACA CISM - iSecPrep, page 183
- When investigating an information security incident, details of the incident should be shared:
A. widely to demonstrate positive intent.
B. only with management.
C. only as needed.
D. only with internal audit.
Answer: C
Explanation: When investigating an information security incident, details of the incident should be shared
only as needed, according to the principle of least privilege and the need-to-know basis. This means that
only the authorized and relevant parties who have a legitimate purpose and role in the incident response
process should have access to the incident information, and only to the extent that is necessary for them to
perform their duties. Sharing incident details only as needed helps to protect the confidentiality, integrity,
and availability of the incident information, as well as the privacy and reputation of the affected individuals
and the organization. Sharing incident details only as needed also helps to prevent unauthorized disclosure,
modification, deletion, or misuse of the incident information, which could compromise the investigation,
evidence, remediation, or legal actions.
References = CISM Review Manual, 16th Edition, Chapter 4: Information Security Incident Management,
Section: Incident Response Process, page 2311; CISM Review Questions, Answers & Explanations
Manual, 10th Edition, Question 49, page 462.
- Which of the following is the BEST approach for managing user access permissions to ensure alignment
with data classification?
A. Enable multi-factor authentication on user and admin accounts.
B. Review access permissions annually or whenever job responsibilities change
C. Lock out accounts after a set number of unsuccessful login attempts.
D. Delegate the management of access permissions to an independent third party.
Answer: B
- Which of the following BEST enables staff acceptance of information security policies?
A. Strong senior management support
B. Computer-based training
C. A robust incident response program
D. Adequate security funding
Answer: A
Explanation: Strong senior management support is the best factor to enable staff acceptance of
information security policies, as it demonstrates the commitment and leadership of the organization’s top
executives in promoting and enforcing a security culture. Senior management support can also help ensure
that the information security policies are aligned with the business goals and values, communicated
effectively to all levels of the organization, and integrated into the performance evaluation and reward
systems. Senior management support can also help overcome any resistance or challenges from other
stakeholders, such as business units, customers, or regulators [1][2][3]. References =
✑ 1: CISM Review Manual 15th Edition, page 26-274
✑ 2: CISM Practice Quiz, question 1102
✑ 3: Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd
Edition, page 5-6
- In violation of a policy prohibiting the use of cameras at the office, employees have been issued
smartphones and tablet computers with enabled web cameras. Which of the following should be the
information security manager’s FIRST course of action?
A. Revise the policy.
B. Perform a root cause analysis.
C. Conduct a risk assessment.
D. Communicate the acceptable use policy.
Answer: C
Explanation: The information security manager’s first course of action in this situation should be to
conduct a risk assessment, which is a process of identifying, analyzing, and evaluating the information
security risks that arise from the violation of the policy prohibiting the use of cameras at the office. The risk
assessment can help to determine the likelihood and impact of the unauthorized or inappropriate use of the
cameras on the smartphones and tablet computers, such as capturing, transmitting, or disclosing sensitive
or confidential information, compromising the privacy or security of the employees, customers, or partners,
or violating the legal or regulatory requirements. The risk assessment can also help to identify and prioritize
the appropriate risk treatment options, such as implementing technical, administrative, or physical controls
to disable, restrict, or monitor the camera usage, enforcing the policy compliance and awareness, or
revising the policy to reflect the current business needs and environment. The risk assessment can also
help to communicate and report the risk level and status to the senior management and the relevant
stakeholders, and to provide feedback and recommendations for improvement and optimization of the
policy and the risk management process.
Revising the policy, performing a root cause analysis, and communicating the acceptable use policy are all
possible courses of action that the information security manager can take after conducting the risk
assessment, but they are not the first ones. Revising the policy is a process of updating and modifying the
policy to align with the business objectives and strategy, to address the changes and challenges in the
business and threat environment, and to incorporate the feedback and suggestions from the risk
assessment and the stakeholders. Performing a root cause analysis is a process of investigating and
identifying the underlying causes and factors that led to the violation of the policy, such as the lack of
awareness, training, or enforcement, the inconsistency or ambiguity of the policy, or the conflict or gap
between the policy and the business requirements or expectations. Communicating the acceptable use
policy is a process of informing and educating the employees and the other users of the smartphones and
tablet computers about the purpose, scope, and content of the policy, the roles and responsibilities of the
users, the benefits and consequences of complying or violating the policy, and the methods and channels
of reporting or resolving any policy issues or incidents. References = CISM
Review Manual 15th Edition, pages 51-531; CISM Practice Quiz, question 1482
- IT projects have gone over budget with too many security controls being added post-production. Which of
the following would MOST help to ensure that relevant controls are applied to a project?
A. Involving information security at each stage of project management
B. Identifying responsibilities during the project business case analysis
C. Creating a data classification framework and providing it to stakeholders
D. Providing stakeholders with minimum information security requirements
Answer: A
Explanation: The best way to ensure that relevant controls are applied to a project is to involve information
security at each stage of project management. This will help to identify and address the security risks and
requirements of the project from the beginning, and to integrate security controls into the project design,
development, testing, and implementation. This will also help to avoid adding unnecessary or ineffective
controls post-production, which can increase the project cost and complexity, and reduce the project
performance and quality. By involving information security at each stage of project management, the
information security manager can ensure that the project delivers the expected security value and aligns
with the organization’s security strategy and objectives. References = CISM Review Manual 15th Edition,
page 41.
- Reviewing which of the following would be MOST helpful when a new information security manager is
developing an information security strategy for a non-regulated organization?
A. Management’s business goals and objectives
B. Strategies of other non-regulated companies
C. Risk assessment results
D. Industry best practices and control recommendations
Answer: A
Explanation: When a new information security manager is developing an information security strategy for a
non-regulated organization, reviewing the management’s business goals and objectives would be the most
helpful. This is because the information security strategy should be aligned with and support the
organization’s vision, mission, values, and strategic direction. The information security strategy should also
enable the organization to achieve its desired outcomes, such as increasing revenue, reducing costs,
enhancing customer satisfaction, or improving operational efficiency. By reviewing the management’s
business goals and objectives, the information security manager can understand the business context,
needs, and expectations of the organization, and design the information security strategy accordingly. The
information security manager can also communicate the value proposition and benefits of the information
security strategy to the management and other stakeholders, and gain their support and commitment.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section:
Information Security Strategy, page 211; CISM Review Questions, Answers & Explanations Manual, 10th
Edition, Question 48, page 452.
- Which of the following is an information security manager’s MOST important course of action when
responding to a major security incident that could disrupt the business?
A. Follow the escalation process.
B. Identify the indicators of compromise.
C. Notify law enforcement.
D. Contact forensic investigators.
Answer: A
Explanation: When responding to a major security incident that could disrupt the business, the information
security manager’s most important course of action is to follow the escalation process. The escalation
process is a predefined set of steps and procedures that define who should be notified, when, how, and
with what information in the event of a security incident. The escalation process helps to ensure that the
appropriate stakeholders, such as senior management, business units, legal counsel, public relations, and
external parties, are informed and involved in the incident response process. The escalation process also
helps to coordinate the actions and decisions of the incident response team and the business continuity
team, and to align the incident response objectives with the business priorities and goals. The escalation
process should be documented and communicated as part of the incident response plan, and should be
reviewed and updated regularly to reflect the changes in the organization’s structure, roles, and
responsibilities. References =
✑ CISM Review Manual 15th Edition, page 1631
✑ CISM 2020: Incident Management and Response, video 32
✑ Incident Response Models3
- An organization needs to comply with new security incident response requirements. Which of the following
should the information security manager do FIRST?
A. Create a business case for a new incident response plan.
B. Revise the existing incident response plan.
C. Conduct a gap analysis.
D. Assess the impact to the budget.
Answer: C
Explanation: Before implementing any changes to the security incident response plan, the information
security manager should first conduct a gap analysis to identify the current state of the plan and compare it
with the new requirements. A gap analysis is a systematic process of evaluating the differences between
the current and desired state of a system, process, or program. A gap analysis can help to identify the
strengths and weaknesses of the existing plan, the gaps that need to be addressed, the priorities and
dependencies of the actions, and the resources and costs involved. A gap analysis can also help to create
a business case for the changes and justify the investment. A gap analysis can be conducted using various
methods and tools, such as frameworks, standards, benchmarks, questionnaires, interviews, audits, or
tests [1][2][3][4].
References =
✑ CISM Review Manual 15th Edition, page 1631
✑ CISM certified information security manager study guide, page 452
✑ How To Conduct An Information Security Gap Analysis3
✑ PROACTIVE DETECTION - GOOD PRACTICES GAP ANALYSIS RECOMMENDATIONS4
- The PRIMARY benefit of introducing a single point of administration in network monitoring is that it:
A. reduces unauthorized access to systems.
B. promotes efficiency in control of the environment.
C. prevents inconsistencies in information in the distributed environment.
D. allows administrative staff to make management decisions.
Answer: B
Explanation: A single point of administration in network monitoring is a centralized system that allows
network administrators to manage and monitor the entire network from one location. A single point of
administration can provide several benefits, such as:
✑ Promoting efficiency in control of the environment: A single point of administration can simplify and
streamline the network management tasks, such as configuration, troubleshooting, performance
optimization, security updates, backup and recovery, etc. It can also reduce the time and cost of network
maintenance and administration, as well as improve the consistency and quality of network services.
✑ Reducing unauthorized access to systems: A single point of administration can enhance the network
security by implementing centralized authentication, authorization and auditing mechanisms. It can also
enforce consistent security policies and standards across the network, and detect and respond to any
unauthorized or malicious activities.
✑ Preventing inconsistencies in information in the distributed environment: A single point of administration
can ensure the data integrity and availability by synchronizing and replicating the data across the network
nodes. It can also provide a unified view of the network status and performance, and facilitate the analysis
and reporting of network data.
✑ Allowing administrative staff to make management decisions: A single point of administration can
support the decision-making process by providing relevant and timely information and feedback to the
network administrators. It can also enable the administrators to implement changes and improvements to
the network based on the business needs and objectives.
Therefore, the primary benefit of introducing a single point of administration in network monitoring is that it
promotes efficiency in control of the environment, as it simplifies and streamlines the network management
tasks and improves the network performance and quality. References = CISM Review Manual, 16th Edition,
Chapter 4: Information Security Program Development and Management,
Section 4.3: Information Security Program Resources, Subsection 4.3.1: Information Security Infrastructure
and Architecture, Page 205.
- In a business proposal, a potential vendor promotes being certified for international security standards as a
measure of its security capability.
Before relying on this certification, it is MOST important that the information security manager confirms that
the:
A. current international standard was used to assess security processes.
B. certification will remain current through the life of the contract.
C. certification scope is relevant to the service being offered.
D. certification can be extended to cover the client’s business.
Answer: C
Explanation: Before relying on a vendor’s certification for international security standards, such as ISO/IEC
27001, it is most important that the information security manager confirms that the certification scope is
relevant to the service being offered. The certification scope defines the boundaries and applicability of the
information security management system (ISMS) that the vendor has implemented and audited. The scope
should cover the processes, activities, assets, and locations that are involved in delivering the service to the
client. If the scope is too narrow, too broad, or not aligned with the service, the certification may not provide
sufficient assurance of the vendor’s security capability and performance. The current international standard
was used to assess security processes (A) is an important factor, but not the most important one. The
information security manager should verify that the vendor’s certification is based on the latest version of
the standard, which reflects the current best practices and requirements for information security. However,
the standard itself is generic and adaptable, and does not prescribe specific security controls or solutions.
Therefore, the certification does not guarantee that the vendor has implemented the most appropriate or
effective security processes for the service being offered.
The certification will remain current through the life of the contract (B) is also an important factor, but not the
most important one. The information security manager should ensure that the vendor’s certification is valid
and up to date, and that the vendor maintains its compliance with the standard throughout the contract
period. However, the certification is not a one-time event, but a continuous process that requires periodic
surveillance audits and recertification every three years. Therefore, the certification does not ensure that
the vendor’s security capability and performance will remain consistent or satisfactory for the duration of the
contract.
The certification can be extended to cover the client’s business (D) is not a relevant factor, as the
certification is specific to the vendor’s ISMS and does not apply to the client’s business. The information
security manager should not rely on the vendor’s certification to substitute or supplement the client’s own
security policies, standards, or controls. The information security manager should conduct a due diligence
and risk assessment of the vendor, and establish a clear and comprehensive service level agreement (SLA)
that defines the security roles, responsibilities, expectations, and metrics for both parties. References =
CISM Review Manual, 16th Edition, Chapter 3: Information Security Program Development and
Management, Section: Information Security Program Management, Subsection: Procurement and Vendor
Management, page 142-1431
- Which of the following is the MOST effective way to help staff members understand their responsibilities for
information security?
A. Communicate disciplinary processes for policy violations.
B. Require staff to participate in information security awareness training.
C. Require staff to sign confidentiality agreements.
D. Include information security responsibilities in job descriptions.
Answer: B
Explanation: The most effective way to help staff members understand their responsibilities for information
security is to require them to participate in information security awareness training. Information security
awareness training is a program that educates and motivates the staff members about the importance,
benefits, and principles of information security, and the roles and responsibilities that they have in
protecting the information assets and resources of the organization. Information security awareness
training also provides the staff members with the necessary knowledge, skills, and tools to comply with the
information security policies, procedures, and standards of the organization, and to prevent, detect, and
report any information security incidents or issues. Information security awareness training also helps to
create and maintain a positive and proactive information security culture among the staff members, and to
increase their confidence and competence in performing their information security duties.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section:
Information Security Culture, page 281; CISM Review Manual, 16th Edition, Chapter 3: Information Security
Program Development and Management, Section: Information Security Awareness, Training and
Education, pages 197-1982.
- Which is the BEST method to evaluate the effectiveness of an alternate processing site when continuous
uptime is required?
A. Parallel test
B. Full interruption test
C. Simulation test
D. Tabletop test
Answer: A
Explanation: A parallel test is the best method to evaluate the effectiveness of an alternate processing site
when continuous uptime is required. A parallel test involves processing the same transactions or data at
both the primary and the alternate site simultaneously, and comparing the results for accuracy and
consistency. A parallel test can validate the functionality, performance, and reliability of the alternate site
without disrupting the normal operations at the primary site. A parallel test can also identify and resolve any
issues or discrepancies between the two sites before a real disaster occurs. A parallel test can provide a
high level of assurance and confidence that the alternate site can support the organization’s continuity
requirements.
References = CISM Review Manual, 16th Edition, Chapter 3: Information Security Program Development
and Management, Section: Business Continuity Plan (BCP) Testing, page 1861; CISM Review Questions,
Answers & Explanations Manual, 10th Edition, Question 56, page 522.
A parallel test is the best method to evaluate the effectiveness of an alternate processing site when
continuous uptime is required because it involves processing data at both the primary and alternate sites
simultaneously without disrupting the normal operations [1]. A full interruption test would cause downtime and
potential loss of data or revenue [2]. A simulation test would not provide a realistic assessment of the
alternate site’s capabilities [3]. A tabletop test would only involve a discussion of the procedures and
scenarios without actually testing the site [4].
References =
✑ 1: CISM Exam Content Outline | CISM Certification | ISACA
✑ 2: CISM - ISACA Certified Information Security Manager Exam Prep - NICCS
✑ 3: Prepare for the ISACA Certified Information Security Manager Exam: CISM …
✑ 4: CISM: Certified Information Systems Manager | Official ISACA … - NICCS
- Which of the following BEST ensures timely and reliable access to services?
A. Nonrepudiation
B. Authenticity
C. Availability
D. Recovery time objective (RTO)
Answer: C
Explanation: According to the CISM Review Manual, availability is the degree to which information and
systems are accessible to authorized users in a timely and reliable manner [1]. Availability ensures that
services are delivered to the users as expected and agreed upon. Nonrepudiation is the ability to prove the
occurrence of a claimed event or action and its originating entities [1]. It ensures that the parties involved in a
transaction cannot deny their involvement. Authenticity is the quality or state of being genuine or original,
rather than a reproduction or fabrication [1]. It ensures that the identity of a subject or resource is valid.
Recovery time objective (RTO) is the maximum acceptable period of time that can elapse before the
unavailability of a business function severely impacts the organization [1]. It is a metric used to measure the
recovery capability of a system or service, not a factor that ensures timely and reliable access to services.
References = CISM Review Manual, 16th Edition, Chapter 2, Information Risk Management, pages 66-67.
- Which of the following is the BEST indicator of an organization’s information security status?
A. Intrusion detection log analysis
B. Controls audit
C. Threat analysis
D. Penetration test
Answer: B
Explanation: A controls audit is the best indicator of an organization’s information security status, as it
provides an independent and objective assessment of the design, implementation, and effectiveness of the
information security controls. A controls audit can also identify the strengths and weaknesses of the
information security program, as well as the compliance with the policies, standards, and regulations. A
controls audit can cover various aspects of information security, such as governance, risk management,
incident management, business continuity, and technical security. A controls audit can be conducted by
internal or external auditors, depending on the scope, purpose, and frequency of the audit.
The other options are not as good as a controls audit, as they do not provide a comprehensive and holistic
view of the information security status. Intrusion detection log analysis is a technique to monitor and
analyze the network or system activities for signs of unauthorized or malicious access or attacks. It can help
to detect and respond to security incidents, but it does not measure the overall performance or maturity of
the information security program. Threat analysis is a process to identify and evaluate the potential sources,
methods, and impacts of threats to the information assets. It can help to prioritize and mitigate the risks, but
it does not verify the adequacy or functionality of the information security controls. Penetration test is a
simulated attack on the network or system to evaluate the vulnerability and exploitability of the information
security defenses. It can help to validate and improve the technical security, but it does not assess the
non-technical aspects of information security, such as governance, policies, or awareness. References =
✑ CISM Review Manual, 16th Edition, ISACA, 2022, pp. 211-212, 215-216, 233-234, 237-238.
✑ CISM Questions, Answers & Explanations Database, ISACA, 2022, QID 1012.
- Which of the following processes BEST supports the evaluation of incident response effectiveness?
A. Root cause analysis
B. Post-incident review
C. Chain of custody
D. Incident logging
Answer: B
Explanation: A post-incident review (PIR) is the process of evaluating the effectiveness of the incident
response after the incident has been resolved. A PIR aims to identify the strengths and weaknesses of the
response process, the root causes and impacts of the incident, the lessons learned and best practices, and
the recommendations and action plans for improvement1. A PIR can help an organization enhance its
incident response capabilities, reduce the likelihood and severity of future incidents, and increase its
resilience and maturity2.
A PIR is the best process to support the evaluation of incident response effectiveness, because it provides
a systematic and comprehensive way to assess the performance and outcomes of the response process,
and to identify and implement the necessary changes and improvements. A PIR involves collecting and
analyzing relevant data and feedback from various sources, such as incident logs, reports, evidence,
metrics, surveys, interviews, and observations. A PIR also involves comparing the actual response with the
expected or planned response, and measuring the achievement of the response objectives and the
satisfaction of the stakeholders3. A PIR also involves documenting and communicating the findings,
conclusions, and recommendations of the evaluation, and ensuring that they are followed up and
implemented.
The other options are not as good as a PIR in supporting the evaluation of incident response effectiveness,
because they are either more specific, limited, or dependent on a PIR. A root cause analysis (RCA) is a
technique to identify the underlying factors or reasons that caused the incident, and to prevent or mitigate
their recurrence. An RCA can help an organization understand the nature and origin of the incident and
address the problem at its source, rather than its symptoms. However, an RCA is not sufficient to evaluate
the effectiveness of the response process, because it does not cover other aspects, such as the response
performance, outcomes, impacts, lessons, and best practices. An RCA is usually a part of a PIR, rather
than a separate process. A chain of custody (CoC) is a process of maintaining and documenting the
integrity and security of the evidence collected during the incident response. A CoC can help an
organization ensure that the evidence is reliable, authentic, and admissible in legal or regulatory
proceedings. However, a CoC is not a process to evaluate the effectiveness of the response process, but
rather a requirement or a standard to follow during the response process. A CoC does not provide any
feedback or analysis on the response performance, outcomes, impacts, lessons, or best practices.
Incident logging is a process of recording and tracking the details and activities of the incident response.
Incident logging can help an organization monitor and manage the response process, and provide an
audit trail and a source of information for the evaluation. However, incident logging is not a process to
evaluate the effectiveness of the response process, but rather an input or a tool for the evaluation.
Incident logging does not provide any assessment or measurement of the response performance,
outcomes, impacts, lessons, or best practices.
References =
1: CISM Review Manual 15th Edition, Chapter 5, Section 5.5
2: Post-Incident Review: A Guide to Effective Incident Response
3: Post-Incident Review: A Guide to Effective Incident Response
CISM Review Manual 15th Edition, Chapter 5, Section 5.4
CISM Review Manual 15th Edition, Chapter 5, Section 5.3
- An organization plans to offer clients a new service that is subject to regulations. What should the
organization do FIRST when developing a security strategy in support of this new service?
A. Determine security controls for the new service.
B. Establish a compliance program.
C. Perform a gap analysis against the current state.
D. Hire new resources to support the service.
Answer: C
Explanation: A gap analysis is a process of comparing the current state of an organization’s security
posture with the desired or required state, and identifying the gaps or discrepancies that need to be
addressed. A gap analysis helps to determine the current level of compliance with relevant regulations,
standards, and best practices, and to prioritize the actions and resources needed to achieve the desired
level of compliance1. A gap analysis should be performed first when developing a security strategy in
support of a new service that is subject to regulations, because it provides the following benefits2:
✑ It helps to understand the scope and impact of the new service on the organization’s security objectives,
risks, and controls.
✑ It helps to identify the legal, regulatory, and contractual requirements that apply to the new service, and
the potential penalties or consequences of non-compliance.
✑ It helps to assess the effectiveness and efficiency of the existing security controls, and to identify the
gaps or weaknesses that need to be remediated or enhanced.
✑ It helps to align the security strategy with the business goals and objectives of the new service, and to
ensure the security strategy is consistent and coherent across the organization.
✑ It helps to communicate the security requirements and expectations to the stakeholders involved in the
new service, and to obtain their support and commitment.
The other options, such as determining security controls for the new service, establishing a compliance
program, or hiring new resources to support the service, are not the first steps when developing a security
strategy in support of a new service that is subject to regulations, because they depend on the results and
recommendations of the gap analysis. Determining security controls for the new service requires a clear
understanding of the security requirements and risks associated with the new service, which can be
obtained from the gap analysis. Establishing a compliance program requires a systematic and structured
approach to implement, monitor, and improve the security controls and processes that ensure compliance,
which can be based on the gap analysis. Hiring new resources to support the service requires a realistic
and justified estimation of the human and financial resources needed to achieve the security objectives and
compliance, which can be derived from the gap analysis.
References =
1: What is a Gap Analysis? | Smartsheet
2: CISM Review Manual 15th Edition, pages 121-125
- A PRIMARY purpose of creating security policies is to:
A. define allowable security boundaries.
B. communicate management’s security expectations.
C. establish the way security tasks should be executed.
D. implement management’s security governance strategy.
Answer: D
Explanation: A security policy is a formal statement of the rules and principles that govern the protection of
information assets in an organization. A security policy defines the scope, objectives, roles and
responsibilities, and standards of the information security program. A primary purpose of creating security
policies is to implement management’s security governance strategy, which is the framework that guides
the direction and alignment of information security with the business goals and objectives. A security policy
translates the management’s vision and expectations into specific and measurable requirements and
controls that can be implemented and enforced by the information security staff and other stakeholders. A
security policy also helps to establish the accountability and authority of the information security function
and to demonstrate the commitment and support of the senior management for the information security
program.
References =
✑ CISM Review Manual 15th Edition, page 1631
✑ CISM 2020: IT Security Policies2
✑ CISM domain 1: Information security governance [Updated 2022]3
✑ What is CISM? - Digital Guardian4
- Which of the following would be the MOST effective way to present quarterly reports to the board on the
status of the information security program?
A. A capability and maturity assessment
B. Detailed analysis of security program KPIs
C. An information security dashboard
D. An information security risk register
Answer: C
Explanation: An information security dashboard is the most effective way to present quarterly reports to the
board on the status of the information security program, because it provides a concise, visual, and
high-level overview of the key performance indicators (KPIs), metrics, and trends of the information security
program. An information security dashboard can help the board to quickly and easily understand the current
state, progress, and performance of the information security program, and to identify any gaps, issues, or
areas of improvement. An information security dashboard can also help the board to align the information
security program with the organization’s business goals and strategies, and to support the decision-making
and oversight functions of the board.
A capability and maturity assessment is a way of measuring the effectiveness and efficiency of the
information security program, and of identifying the strengths and weaknesses of the program. However, a
capability and maturity assessment is not the most effective way to present quarterly reports to the board,
because it may not provide a clear and timely picture of the status of the information security program, and
it may not reflect the changes and dynamics of the information security environment. A capability and
maturity assessment is more suitable for periodic or annual reviews, rather than quarterly reports.
A detailed analysis of security program KPIs is a way of evaluating the performance and progress of the
information security program, and of determining the extent to which the program meets the predefined
objectives and targets. However, a detailed analysis of security program KPIs is not the most effective way
to present quarterly reports to the board, because it may be too technical, complex, or lengthy for the board
to comprehend and appreciate. A detailed analysis of security program KPIs is more suitable for
operational or tactical level reporting, rather than strategic level reporting.
An information security risk register is a tool for recording and tracking the information security risks that
affect the organization, and for documenting the risk assessment, treatment, and monitoring activities.
However, an information security risk register is not the most effective way to present quarterly reports to
the board, because it may not provide a comprehensive and balanced view of the information security
program, and it may not highlight the achievements and benefits of the program. An information security
risk register is more suitable for risk management or audit purposes, rather than performance reporting.
References =
✑ ISACA, CISM Review Manual, 16th Edition, 2020, pages 47-48, 59-60, 63-64, 67-68.
✑ ISACA, CISM Review Questions, Answers & Explanations Database, 12th Edition, 2020, question ID
1019.
An information security dashboard is an effective way to present quarterly reports to the board on the status
of the information security program. It allows the board to quickly view key metrics and trends at a glance
and to drill down into more detailed information as needed. The dashboard should include metrics such as
total incidents, patching compliance, vulnerability scanning results, and more. It should also include
high-level overviews of the security program and its components, such as the security policy, security
architecture, and security controls.
- An information security manager is reporting on open items from the risk register to senior management.
Which of the following is MOST important to communicate with regard to these risks?
A. Responsible entities
B. Key risk indicators (KRIs)
C. Compensating controls
D. Potential business impact
Answer: D
Explanation: The most important information to communicate with regard to the open items from the risk
register to senior management is the potential business impact of these risks. The potential business
impact is the estimated consequence or loss that the organization may suffer if the risk materializes or
occurs. The potential business impact can be expressed in quantitative or qualitative terms, such as
financial, operational, reputational, legal, or strategic impact. Communicating the potential business impact
of the open items from the risk register helps senior management to understand the severity and urgency of
these risks, and to prioritize the risk response actions and resources accordingly. Communicating the
potential business impact also helps senior management to align the risk management objectives and
activities with the business objectives and strategies, and to ensure that the risk appetite and tolerance of
the organization are respected and maintained.
References = CISM Review Manual, 16th Edition, Chapter 2: Information Risk Management, Section: Risk
Assessment, page 831; CISM Review Manual, 16th Edition, Chapter 2: Information Risk Management,
Section: Risk Reporting, page 1012.
- Which of the following is MOST important to consider when determining asset valuation?
A. Asset recovery cost
B. Asset classification level
C. Cost of insurance premiums
D. Potential business loss
Answer: D
Explanation: Potential business loss is the most important factor to consider when determining asset
valuation, as it reflects the impact of losing or compromising the asset on the organization’s objectives and
operations. Asset recovery cost, asset classification level, and cost of insurance premiums are also
relevant, but not as important as potential business loss, as they do not capture the full value of the asset to
the organization. References = CISM Review Manual 2023, page 461; CISM Review Questions, Answers &
Explanations Manual 2023, page 292
- Which of the following would BEST ensure that security is integrated during application development?
A. Employing global security standards during development processes
B. Providing training on secure development practices to programmers
C. Performing application security testing during acceptance testing
D. Introducing security requirements during the initiation phase
Answer: D
Explanation: Introducing security requirements during the initiation phase would BEST ensure that security
is integrated during application development because it would allow the security objectives and controls to
be defined and aligned with the business needs and risk appetite before any design or coding is done. This
would also facilitate the security by design approach, which is the most effective method to enhance the
security of applications and application development activities1. Introducing security requirements early
would also enable the collaboration between security professionals and developers, the identification and
specification of security architectures, and the integration and testing of security controls throughout the
development life cycle2. Employing global security standards during development processes (A) would
help to ensure the consistency and quality of security practices, but it would not necessarily ensure that
security is integrated during application development. Providing training on secure development practices
to programmers (B) would help to raise the awareness and skills of developers, but it would not ensure that
security is integrated during application development. Performing application security testing during
acceptance testing (C) would help to verify the security of the application before deployment, but it would not
ensure that security is integrated during application development. It would also be too late to identify and
remediate any security issues that could have been prevented or mitigated earlier in the development
process. References = 1: Five Key Components of an Application Security Program - ISACA1; 2: CISM
Domain – Information Security Program Development | Infosec2
- How does an incident response team BEST leverage the results of a business impact analysis (BIA)?
A. Assigning restoration priority during incidents
B. Determining total cost of ownership (TCO)
C. Evaluating vendors critical to business recovery
D. Calculating residual risk after the incident recovery phase
Answer: A
Explanation: The incident response team can best leverage the results of a business impact analysis (BIA)
by assigning restoration priority during incidents. A BIA is a process that identifies and evaluates the
criticality and dependency of the organization’s business functions, processes, and resources, and the
potential impacts and consequences of their disruption or loss. The BIA results provide the basis for
determining the recovery objectives, strategies, and plans for the organization’s business continuity and
disaster recovery. By using the BIA results, the incident response team can prioritize the restoration of the
most critical and time-sensitive business functions, processes, and resources, and allocate the appropriate
resources, personnel, and time to minimize the impact and duration of the incident.
Determining total cost of ownership (TCO) (B) is not a relevant way to leverage the results of a BIA, as it is
not directly related to incident response. TCO is a financial metric that estimates the total direct and indirect
costs of owning and operating an asset or a system over its lifecycle. TCO may be useful for evaluating the
cost-effectiveness and return on investment of different security solutions or alternatives, but it does not
help the incident response team to respond to or recover from an incident.
Evaluating vendors critical to business recovery (C) is also not a relevant way to leverage the results of a BIA,
as it is not a primary responsibility of the incident response team. Evaluating vendors critical to business
recovery is a part of the vendor management process, which involves selecting, contracting, monitoring,
and reviewing the vendors that provide essential products or services to support the organization’s
business continuity and disaster recovery. Evaluating vendors critical to business recovery may be done
before or after an incident, but not during an incident, as it does not contribute to the incident response or
restoration activities.
Calculating residual risk after the incident recovery phase (D) is also not a relevant way to leverage the
results of a BIA, as it is not a timely or effective use of the BIA results. Residual risk is the risk that remains
after the implementation of risk treatment or mitigation measures. Calculating residual risk after the incident
recovery phase may be done as a part of the incident review or improvement process, but not during the
incident response or restoration phase, as it does not help the incident response team to resolve or contain
the incident.
References = CISM Review Manual, 16th Edition, Chapter 4: Information Security Incident Management,
Section: Incident Response Plan, Subsection: Business Impact Analysis, page 182-1831
- An online bank identifies a successful network attack in progress. The bank should FIRST:
A. isolate the affected network segment.
B. report the root cause to the board of directors.
C. assess whether personally identifiable information (PII) is compromised.
D. shut down the entire network.
Answer: A
Explanation: The online bank should first isolate the affected network segment, as this is the most effective
way to contain the attack and prevent it from spreading to other parts of the network or compromising more
data or systems. Isolating the affected network segment also helps to preserve the evidence and facilitate
the investigation and recovery process. Reporting the root cause to the board of directors, assessing
whether personally identifiable information (PII) is compromised, and shutting down the entire network are
not the first actions that the online bank should take, as they may not be feasible or appropriate at the time
of the attack, and may cause more disruption, confusion, or damage to the business operations and
reputation. References = CISM Review Manual 2023, page 1641; CISM Review Questions, Answers &
Explanations Manual 2023, page 362; ISACA CISM - iSecPrep, page 213
- The effectiveness of an information security governance framework will BEST be enhanced if:
A. consultants review the information security governance framework.
B. a culture of legal and regulatory compliance is promoted by management.
C. risk management is built into operational and strategic activities.
D. IS auditors are empowered to evaluate governance activities.
Answer: B
Explanation: The effectiveness of an information security governance framework will best be enhanced if
risk management is built into operational and strategic activities. This is because risk management is a key
component of information security governance, which is the process of establishing and maintaining a
framework to provide assurance that information security strategies are aligned with and support business
objectives, are consistent with applicable laws and regulations, and are effectively managed and measured.
Risk management involves identifying, analyzing, evaluating, treating, monitoring, and communicating
information security risks that may affect the organization’s objectives, assets, and stakeholders. By
integrating risk management into operational and strategic activities, the organization can ensure that
information security risks are considered and addressed in every decision and action, and that the
information security governance framework is aligned with the organization’s risk appetite and tolerance.
This also helps to optimize the allocation of resources, enhance the performance and value of information
security, and improve the accountability and transparency of information security governance.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section:
Information Security Governance Framework, page 181; CISM Review Manual, 16th Edition, Chapter 2:
Information Risk Management, Section: Risk Management, page 812; CISM Review Questions, Answers &
Explanations Manual, 10th Edition, Question 53, page 493.
- Which of the following security processes will BEST prevent the exploitation of system vulnerabilities?
A. Intrusion detection
B. Log monitoring
C. Patch management
D. Antivirus software
Answer: C
Explanation: Patch management is the process of applying updates to software and hardware systems to
fix security vulnerabilities and improve functionality. Patch management is one of the best ways to prevent
the exploitation of system vulnerabilities, as it reduces the attack surface and closes the gaps that attackers
can exploit. Patch management also helps to ensure compliance with security standards and regulations,
and maintain the performance and availability of systems.
Intrusion detection is the process of monitoring network or system activities for signs of malicious or
unauthorized behavior. Intrusion detection can help to detect and respond to attacks, but it does not
prevent them from happening in the first place. Log monitoring is the process of collecting, analyzing and
reviewing log files generated by various systems and applications. Log monitoring can help to identify
anomalies, errors and security incidents, but it does not prevent them from occurring. Antivirus software is
the program that scans files and systems for viruses, malware and other malicious code. Antivirus software
can help to protect systems from infection, but it does not prevent the exploitation of system vulnerabilities
that are not related to malware.
Therefore, patch management is the best security process to prevent the exploitation of system
vulnerabilities, as it addresses the root cause of the problem and reduces the risk of compromise.
References = CISM Review Manual, 16th Edition eBook | Digital | English1, Chapter 4: Information Security
Program Development and Management, Section 4.3: Information Security Program Resources,
Subsection 4.3.1: Information Security Infrastructure and Architecture, Page 204.
- Which of the following is the BEST way to ensure the organization’s security objectives are embedded in
business operations?
A. Publish adopted information security standards.
B. Perform annual information security compliance reviews.
C. Implement an information security governance framework.
D. Define penalties for information security noncompliance.
Answer: C
Explanation: The best way to ensure the organization’s security objectives are embedded in business
operations is to implement an information security governance framework. An information security
governance framework is a set of policies, procedures, standards, guidelines, roles, and responsibilities
that define and direct how the organization manages and measures its information security activities. An
information security governance framework helps to align the information security strategy with the
business strategy and the organizational culture, and to ensure that the information security objectives are
consistent with the business objectives and the stakeholder expectations. An information security
governance framework also helps to establish the authority, accountability, and communication channels
for the information security function, and to provide the necessary resources, tools, and controls to
implement and monitor the information security program. By implementing an information security
governance framework, the organization can embed the information security objectives in business
operations, and ensure that the information security function supports and enables the business processes
and functions, rather than hinders or restricts them.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section:
Information Security Governance Framework, page 181; CISM Review Questions, Answers & Explanations
Manual, 10th Edition, Question 75, page 702.
- Due to changes in an organization’s environment, security controls may no longer be adequate. What is the
information security manager’s BEST course of action?
A. Review the previous risk assessment and countermeasures.
B. Perform a new risk assessment.
C. Evaluate countermeasures to mitigate new risks.
D. Transfer the new risk to a third party.
Answer: B
Explanation: According to the CISM Review Manual, the information security manager’s best course of
action when security controls may no longer be adequate due to changes in the organization’s environment
is to perform a new risk assessment. A risk assessment is a process of identifying, analyzing, and
evaluating the risks that affect the organization’s information assets and business processes. A risk
assessment should be performed periodically or whenever there are significant changes in the
organization’s environment, such as new threats, vulnerabilities, technologies, regulations, or business
objectives. A risk assessment helps to determine the current level of risk exposure and the adequacy of
existing security controls. A risk assessment also provides the basis for developing or updating the risk
treatment plan, which defines the appropriate risk responses, such as implementing new or enhanced
security controls, transferring the risk to a third party, accepting the risk, or avoiding the risk.
The other options are not the best course of action in this scenario. Reviewing the previous risk assessment
and countermeasures may not reflect the current state of the organization’s environment and may not
identify new or emerging risks. Evaluating countermeasures to mitigate new risks may be premature
without performing a new risk assessment to identify and prioritize the risks. Transferring the new risk to a
third party may not be feasible or cost-effective without performing a new risk assessment to evaluate the
risk level and the available risk transfer options.
References = CISM Review Manual, 16th Edition, Chapter 2, Section 1, pages 43-45.
- In which cloud model does the cloud service buyer assume the MOST security responsibility?
A. Disaster Recovery as a Service (DRaaS)
B. Infrastructure as a Service (IaaS)
C. Platform as a Service (PaaS)
D. Software as a Service (SaaS)
Answer: B
Explanation: Infrastructure as a Service (IaaS) is a cloud model in which the cloud service provider (CSP)
offers the basic computing resources, such as servers, storage, network, and virtualization, as a service
over the internet. The cloud service buyer (CSB) is responsible for installing, configuring, managing, and
securing the operating systems, applications, data, and middleware on top of the infrastructure. Therefore,
the CSB assumes the most security responsibility in the IaaS model, as it has to protect the confidentiality,
integrity, and availability of its own assets and information in the cloud environment.
In contrast, in the other cloud models, the CSP takes over more security responsibility from the CSB, as it
provides more layers of the service stack. In Disaster Recovery as a Service (DRaaS), the CSP offers the
replication and recovery of the CSB’s data and applications in the event of a disaster. In Platform as a
Service (PaaS), the CSP offers the development and deployment tools, such as programming languages,
frameworks, libraries, and databases, as a service. In Software as a Service (SaaS), the CSP offers the
complete software applications, such as email, CRM, or ERP, as a service. In these models, the CSB has
less control and visibility over the underlying infrastructure, platform, or software, and has to rely on the
CSP’s security measures and contractual agreements.
References = CISM Review Manual, 16th Edition, Chapter 3: Information Security Program Development
and Management, Section: Information Security Program Management, Subsection: Cloud Computing,
pages 140-141
- What is the BEST way to reduce the impact of a successful ransomware attack?
A. Perform frequent backups and store them offline.
B. Purchase or renew cyber insurance policies.
C. Include provisions to pay ransoms in the information security budget.
D. Monitor the network and provide alerts on intrusions.
Answer: A
Explanation: Performing frequent backups and storing them offline is the best way to reduce the impact of a
successful ransomware attack, as this allows the organization to restore its data and systems without
paying the ransom or losing valuable information. Purchasing or renewing cyber insurance policies may
help cover some of the costs and losses associated with a ransomware attack, but it does not prevent or
mitigate the attack itself. Including provisions to pay ransoms in the information security budget may
encourage more attacks and does not guarantee the recovery of the data or the removal of the malware.
Monitoring the network and providing alerts on intrusions may help detect and respond to a ransomware
attack, but it does not reduce the impact of a successful attack that has already encrypted or exfiltrated the
data.
References = CISM Review Manual 2023, page 1661; CISM Review Questions, Answers &
Explanations Manual 2023, page 312; CISM Exam Overview - Vinsys3
- An incident management team is alerted to a suspected security event. Before classifying the suspected
event as a security incident, it is MOST important for the security manager to:
A. notify the business process owner.
B. follow the business continuity plan (BCP).
C. conduct an incident forensic analysis.
D. follow the incident response plan.
Answer: D
Explanation: Following the incident response plan is the most important step for the security manager
before classifying the suspected event as a security incident, as it provides the guidance and procedures
for the incident management team to follow in order to identify, contain, analyze, and resolve security
incidents. The incident response plan should define the roles and responsibilities of the incident
management team, the criteria and process for incident classification and prioritization, the communication
and escalation protocols, the tools and resources for incident handling, and the post-incident review and
improvement activities [1][2][3]. References =
- 1: CISM Review Manual 15th Edition, pages 199-200
- 2: CISM Practice Quiz, question 1011
- 3: Computer Security Incident Handling Guide, pages 2-3
- The MOST appropriate time to conduct a disaster recovery test would be after:
A. major business processes have been redesigned.
B. the business continuity plan (BCP) has been updated.
C. the security risk profile has been reviewed.
D. noncompliance incidents have been filed.
Answer: B
Explanation: The most appropriate time to conduct a disaster recovery test would be after the business
continuity plan (BCP) has been updated, as it ensures that the disaster recovery plan (DRP) is aligned with
the current business requirements, objectives, and priorities. The BCP should be updated regularly to
reflect any changes in the business environment, such as new threats, risks, processes, technologies, or
regulations. The disaster recovery test should validate the effectiveness and efficiency of the DRP, as well
as identify any gaps, issues, or improvement opportunities [1][2][3]. References =
- 1: CISM Review Manual 15th Edition, page 2114
- 2: CISM Practice Quiz, question 1042
- 3: Business Continuity Planning and Disaster Recovery Testing, section “Testing the Plan”
- Information security controls should be designed PRIMARILY based on:
A. a business impact analysis (BIA).
B. regulatory requirements.
C. business risk scenarios.
D. a vulnerability assessment.
Answer: C
Explanation: Information security controls should be designed primarily based on business risk scenarios,
because they help to identify and prioritize the most relevant and significant threats and vulnerabilities that
may affect the organization’s information assets and business objectives. Business risk scenarios are
hypothetical situations that describe the possible sources, events, and consequences of a security breach,
as well as the likelihood and impact of the occurrence. Business risk scenarios can help to:
- Align the information security controls with the business needs and requirements, and ensure that they
support the achievement of the strategic goals and the mission and vision of the organization
- Assess the effectiveness and efficiency of the existing information security controls, and identify the
gaps and weaknesses that need to be addressed or improved
- Select and implement the appropriate information security controls that can prevent, detect, or mitigate
the risks, and that can provide the optimal level of protection and performance for the information assets
- Evaluate and measure the return on investment and the value proposition of the information security
controls, and communicate and justify the rationale and benefits of the controls to the stakeholders and
management
Information security controls should not be designed primarily based on a business impact analysis (BIA),
regulatory requirements, or a vulnerability assessment, because these are secondary or complementary
factors that influence the design of the controls, but they do not provide the main basis or criteria for the
design. A BIA is a method of estimating and comparing the potential effects of a disruption or a disaster on
the critical business functions and processes, in terms of financial, operational, and reputational aspects. A
BIA can help to determine the recovery objectives and priorities for the information assets, but it does not
identify or address the specific risks and threats that may cause the disruption or the disaster. Regulatory
requirements are the legal, contractual, or industry standards and obligations that the organization must
comply with regarding information security. Regulatory requirements can help to establish the minimum or
baseline level of information security controls that the organization must implement, but they do not reflect
the specific or unique needs and challenges of the organization. A vulnerability assessment is a method of
identifying and analyzing the weaknesses and flaws in the information systems and assets that may expose
them to exploitation or compromise. A vulnerability assessment can help to discover and remediate the
existing or potential security issues, but it does not consider the business context or impact of the issues.
References = CISM Review Manual, 16th Edition, ISACA, 2021, pages 119-120, 122-123, 125-126,
129-130.
- An information security manager learns that a risk owner has approved exceptions to replace key controls
with weaker compensating controls to improve process efficiency. Which of the following should be the
GREATEST concern?
A. Risk levels may be elevated beyond acceptable limits.
B. Security audits may report more high-risk findings.
C. The compensating controls may not be cost efficient.
D. Noncompliance with industry best practices may result.
Answer: A
Explanation: Replacing key controls with weaker compensating controls may introduce new vulnerabilities
or increase the likelihood or impact of existing threats, thus raising the risk levels beyond the acceptable
limits defined by the risk appetite and tolerance of the organization. This may expose the organization to
unacceptable financial, reputational, legal, or operational losses or damages. Therefore, the
information security manager should be most concerned about the potential elevation of risk levels and
ensure that the risk owner is aware of the consequences and accountable for the decision.
References = CISM Review Manual, 16th Edition, Chapter 2: Information Risk Management, Section: Risk
Treatment, page 941.
- Which of the following BEST ensures information security governance is aligned with corporate
governance?
A. A security steering committee including IT representation
B. A consistent risk management approach
C. An information security risk register
D. Integration of security reporting into corporate reporting
Answer: D
Explanation: The best way to ensure information security governance is aligned with corporate
governance is to integrate security reporting into corporate reporting. This will enable the board and senior
management to oversee and monitor the performance and effectiveness of the information security
program, as well as the alignment of information security objectives and strategies with business goals and
risk appetite. Security reporting should provide relevant, timely, accurate, and actionable information to
support decision making and accountability. The other options are important components of information
security governance, but they do not ensure alignment with corporate governance by themselves.
References = CISM Review Manual 15th Edition, page 411; CISM Review Questions, Answers &
Explanations Database - 12 Month Subscription, Question ID: 1027