CISM 5 Flashcards

1
Q
  1. Which of the following is the BEST way to ensure the business continuity plan (BCP) is current?

A. Manage business process changes.
B. Update business impact analyses (BIAs) on a regular basis.
C. Conduct periodic testing.
D. Review and update emergency contact lists.

A

Answer: C

Explanation:
Conducting periodic testing is the best way to ensure the BCP is current because it can validate the
effectiveness and efficiency of the BCP, identify any gaps or weaknesses, and provide feedback and
recommendations for improvement. Testing can also verify that the BCP reflects the current business
environment, processes, and requirements, and that the BCP team members are familiar with their roles
and responsibilities.
References: The CISM Review Manual 2023 states that “testing is a critical component of the BCP
process” and that “testing can help ensure that the BCP is current, effective, and efficient, and that it meets
the business objectives and expectations” (p. 195). The CISM Review Questions, Answers & Explanations
Manual 2023 also provides the following rationale for this answer: “Conducting periodic testing is the
correct answer because it is the best way to ensure the BCP is current, as it can evaluate the BCP against
the current business environment, processes, and requirements, and identify any areas for improvement or
update” (p. 98). Additionally, the article Business Continuity Planning: Testing an Organization’s Plan from
the ISACA Journal 2019 states that “testing is essential to ensure that the BCP is current and effective” and
that “testing can provide assurance that the BCP is aligned with the business needs and expectations, and
that the BCP team members are competent and confident in executing their tasks” (p. 1).

2
Q
  1. Which of the following is MOST important to determine following the discovery and eradication of a
    malware attack?

A. The malware entry path
B. The creator of the malware
C. The type of malware involved
D. The method of detecting the malware

A

Answer: A

3
Q
  1. Which of the following should be an information security manager’s MOST important consideration when
    determining the priority for implementing security controls?

A. Alignment with industry benchmarks
B. Results of business impact analyses (BIAs)
C. Possibility of reputational loss due to incidents
D. Availability of security budget

A

Answer: B

Explanation: The priority for implementing security controls should be based on the results of BIAs, which
identify the criticality and recovery requirements of business processes and the supporting information
assets. BIAs help to align security controls with business needs and objectives, and to optimize the
allocation of security resources. Alignment with industry benchmarks, possibility of reputational loss due to
incidents, and availability of security budget are important factors, but they are not the most important
consideration for determining the priority for implementing security controls.
References = CISM Review Manual, 16th Edition, page 971; CISM Review Questions, Answers &
Explanations Manual, 10th Edition, page 2672

4
Q
  1. Which of the following is BEST used to determine the maturity of an information security program?

A. Security budget allocation
B. Organizational risk appetite
C. Risk assessment results
D. Security metrics

A

Answer: D

Explanation:
Security metrics are the best way to determine the maturity of an information security program because
they are quantifiable indicators of the performance and effectiveness of the security controls and processes.
Security metrics help to evaluate the current state of security, identify gaps and weaknesses, measure
progress and improvement, and communicate the value and impact of security to stakeholders. Therefore,
security metrics are the correct answer.
References:
✑ https://www.isaca.org/resources/isaca-journal/issues/2020/volume-6/key-performance-indicators-for-security-governance-part-1
✑ https://www.gartner.com/en/publications/protect-your-business-assets-with-roadmap-for-maturing-information-security

5
Q
  1. During which of the following development phases is it MOST challenging to implement security controls?

A. Post-implementation phase
B. Implementation phase
C. Development phase
D. Design phase

A

Answer: C

Explanation: The development phase is the stage of the system development life cycle (SDLC) where the
system requirements, design, architecture, and implementation are performed. The development phase is
the most challenging phase in which to implement security controls because it involves complex and
dynamic processes that may not be well understood or documented. Security controls are essential for
ensuring the confidentiality, integrity, and availability of the system and its data, as well as for complying
with regulatory and contractual obligations. However, security controls may also introduce additional costs,
risks, and constraints to the development process, such as:
✑ Increased complexity and overhead of testing, verification, validation, and
maintenance
✑ Reduced flexibility and agility of changing requirements or design
✑ Increased dependency on external vendors or third parties for security services or products
✑ Increased vulnerability to errors, defects, or vulnerabilities in the code or configuration
✑ Increased difficulty in measuring and reporting on security performance or effectiveness
Therefore, implementing security controls in the development phase requires careful planning, coordination,
communication, and collaboration among all stakeholders involved in the SDLC. It also requires a clear
understanding of the security objectives, scope, criteria, standards, policies, procedures, roles,
responsibilities, and resources for the system. Moreover, it requires a proactive approach to identifying and
mitigating potential threats or risks that may affect the security of the system.
References = CISM Manual [1], Chapter 3: Information Security Program Development (ISPD), Section 3.1:
System Development Life Cycle (SDLC) [2]
1: https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles
2: https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles

6
Q
  1. Which of the following eradication methods is MOST appropriate when responding to an incident resulting
    in malware on an application server?

A. Disconnect the system from the network.
B. Change passwords on the compromised system.
C. Restore the system from a known good backup.
D. Perform operating system hardening.

A

Answer: C

Explanation:
Restoring the system from a known good backup is the most appropriate eradication method when
responding to an incident resulting in malware on an application server, as it ensures that the system is free
of any malicious code and that the data and applications are consistent with the expected state.
Disconnecting the system from the network may prevent further spread of the malware, but it does not
eradicate it from the system. Changing passwords on the compromised system may reduce the risk of
unauthorized access, but it does not remove the malware from the system. Performing operating system
hardening may improve the security configuration of the system, but it does not guarantee that the malware
is eliminated from the system.
References = CISM Review Manual 2022, page 3131; CISM Exam Content Outline, Domain 4, Task 4.4

7
Q
  1. An organization provides notebook PCs, cable wire locks, smartphone access, and virtual private network
    (VPN) access to its remote employees. Which of the following is MOST important for the information
    security manager to ensure?

A. Employees use smartphone tethering when accessing from remote locations.
B. Employees physically lock PCs when leaving the immediate area.
C. Employees are trained on the acceptable use policy.
D. Employees use the VPN when accessing the organization’s online resources.

A

Answer: D

Explanation:
Using the VPN when accessing the organization’s online resources is the most important thing to ensure,
as it provides a secure and encrypted connection between the remote employees and the organization’s
network, and protects the data and systems from unauthorized access, interception, or tampering. VPNs
also help to comply with the organization’s security policies and standards, and to prevent data leakage or
breaches.
References = CISM Review Manual 2022, page 3081; CISM Exam Content Outline, Domain 4,
Knowledge Statement 4.92; CISM 2020: Remote Access Security; How to Secure Remote Workers with VPN

8
Q
  1. A penetration test against an organization’s external web application shows several vulnerabilities. Which
    of the following presents the GREATEST concern?

A. A rules of engagement form was not signed prior to the penetration test
B. Vulnerabilities were not found by internal tests
C. Vulnerabilities were caused by insufficient user acceptance testing (UAT)
D. Exploit code for one of the vulnerabilities is publicly available

A

Answer: D

Explanation:
Publicly available exploit code for one of the vulnerabilities presents the greatest concern because it
means that anyone can easily exploit the vulnerability and compromise the web application. This increases
the risk of data breach, denial of service, or other malicious attacks. Therefore, publicly available exploit
code for one of the vulnerabilities is the correct answer.
References:
✑ https://www.imperva.com/learn/application-security/penetration-testing/
✑ https://www.netspi.com/blog/technical/web-application-penetration-testing/are-you-testing-your-web-application-for-vulnerabilities/

9
Q
  1. Which of the following provides the MOST useful information for identifying security control gaps on an
    application server?

A. Risk assessments
B. Threat models
C. Penetration testing
D. Internal audit reports

A

Answer: C

Explanation: Penetration testing is the most useful method for identifying security control gaps on an
application server because it simulates real-world attacks and exploits the vulnerabilities and weaknesses
of the application server. Penetration testing can reveal the actual impact and risk of the security control
gaps, and provide recommendations for remediation and improvement.
References: The CISM Review Manual 2023 defines penetration testing as “a method of evaluating the
security of an information system or network by simulating an attack from a malicious source” and states
that “penetration testing can help identify security control gaps and provide evidence of the potential impact
and risk of the gaps” (p. 185). The CISM Review Questions, Answers & Explanations Manual 2023 also
provides the following rationale for this answer: “Penetration testing is the correct answer because it is the
most useful method for identifying security control gaps on an application server, as it simulates real-world
attacks and exploits the vulnerabilities and weaknesses of the application server, and provides
recommendations for remediation and improvement” (p. 95). Additionally, the web search result 4 states
that “penetration testing is a valuable tool for discovering security gaps in your application server and
network infrastructure” and that “penetration testing can help you assess the effectiveness and efficiency of
your security controls, and identify the areas that need improvement or enhancement” (p. 1).

10
Q
  1. An organization is about to purchase a rival organization. The PRIMARY reason for performing information
    security due diligence prior to making the purchase is to:

A. determine the security exposures.
B. assess the ability to integrate the security department operations.
C. ensure compliance with international standards.
D. evaluate the security policy and standards.

A

Answer: A

Explanation:
Information security due diligence is the process of assessing the current state of information security in an
organization, identifying any gaps, risks, or vulnerabilities, and estimating the costs and efforts required to
remediate them. Performing information security due diligence prior to making the purchase is important to
determine the security exposures that may affect the value, reputation, or liability of the organization, as
well as the feasibility and compatibility of integrating the security systems and processes of the two
organizations.
References = CISM Review Manual 2022, page 361; CISM Exam Content Outline, Domain 1, Task 1.22;
Information Security Due Diligence Questionnaire

11
Q
  1. Which of the following is MOST important to have in place for an organization’s information security
    program to be effective?

A. Documented information security processes
B. A comprehensive IT strategy
C. Senior management support
D. Defined and allocated budget

A

Answer: C

Explanation: Senior management support is the most important factor to have in place for an organization’s
information security program to be effective because it helps to establish the vision, direction, and goals of
the program, as well as to allocate the necessary resources and authority to implement and maintain it.
Senior management support also helps to foster a security culture within the organization, where security is
seen as a shared responsibility and a business enabler. Senior management support also helps to ensure
compliance with internal and external security policies and standards, as well as to communicate the value
and impact of security to stakeholders. Therefore, senior management support is the correct answer.
References:
✑ https://www.isaca.org/resources/isaca-journal/issues/2020/volume-6/key-performance-indicators-for-security-governance-part-1
✑ https://www.ffiec.gov/press/PDF/FFIEC_IT_Handbook_Information_Security_Booklet.pdf
✑ https://www.cdse.edu/Portals/124/Documents/student-guides/IF011-guide.pdf?ver=UA7IDZRN_y066rLB8oAW_w%3d%3d

12
Q
  1. An information security program is BEST positioned for success when it is closely aligned with:

A. information security best practices.
B. recognized industry frameworks.
C. information security policies.
D. the information security strategy.

A

Answer: D

Explanation: An information security program is best positioned for success when it is closely aligned with
the information security strategy, which defines the organization’s vision, mission, goals, objectives, and
risk appetite for information security. The information security strategy provides the direction and guidance
for developing and implementing the information security program, ensuring that it supports the
organization’s business processes and objectives. The information security strategy also helps to establish
the scope, boundaries, roles, responsibilities, and resources for the information security program.
References = CISM Manual, Chapter 3: Information Security Program Development (ISPD), Section 3.1:
Information Security Strategy [1]
1: https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles

13
Q
  1. Which of the following is the MOST effective way to detect security incidents?

A. Analyze recent security risk assessments.
B. Analyze security anomalies.
C. Analyze penetration test results.
D. Analyze vulnerability assessments.

A

Answer: B

Explanation: Analyzing security anomalies is the most effective way to detect security incidents, as it
involves comparing the current state of the information system and network with the expected or normal
state, and identifying any deviations or irregularities that may
indicate a security breach or compromise. Security anomalies can be detected by using various tools and
techniques, such as security information and event management (SIEM) systems, intrusion detection and
prevention systems (IDS/IPS), log analysis, network traffic analysis, and behavioral analysis. (From CISM
Review Manual 15th Edition)
References: CISM Review Manual 15th Edition, page 181, section 4.3.2.4; CISM: Information Security
Incident Management Part 11, section recognize security anomalies.

14
Q
  1. Which of the following should include contact information for representatives of equipment and software
    vendors?

A. Information security program charter
B. Business impact analysis (BIA)
C. Service level agreements (SLAs)
D. Business continuity plan (BCP)

A

Answer: D

Explanation: The document that should include contact information for representatives of equipment and
software vendors is the business continuity plan (BCP) because it provides the guidance and procedures
for restoring the organization’s critical business functions and operations in the event of a disruption or
disaster, and may require contacting external parties such as vendors for assistance or support.
Information security program charter is not a good document for this purpose because it does not provide
any guidance or procedures for business continuity or disaster recovery. Business impact analysis (BIA) is
not a good document for this purpose because it does not provide any guidance or procedures for business
continuity or disaster recovery. Service level agreements (SLAs) are not good documents for this purpose
because they do not provide any guidance or procedures for business continuity or disaster recovery.
References:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/business-continuity-management-lifecycle
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/business-impact-analysis

15
Q
  1. The PRIMARY advantage of performing black-box control tests as opposed to white-box control tests is
    that they:

A. cause fewer potential production issues.
B. require less IT staff preparation.
C. simulate real-world attacks.
D. identify more threats.

A

Answer: C

Explanation: The primary advantage of performing black-box control tests as opposed to white-box control
tests is that they simulate real-world attacks. Black-box control tests are a software testing methodology in
which the tester analyzes the functionality of an application without a thorough knowledge of its internal
design. Conversely, in white-box control tests, the tester is knowledgeable of the internal design of the
application and analyzes it during testing. By performing black-box control tests, the tester can mimic the
perspective and behavior of an external attacker who does not have access to the source code or the
implementation details of the application. This way, the tester can evaluate how the application responds to
different inputs and scenarios, and identify any vulnerabilities or errors that may affect its functionality or
security. The other options are not the primary advantage of performing black-box control tests, although
they may be some benefits or drawbacks depending on the context. Causing fewer potential production
issues is not necessarily true, as black-box control tests may still introduce errors or disruptions to the
application if not performed carefully. Requiring less IT staff preparation is not always true, as black-box
control tests may still require a lot of planning and documentation to ensure adequate test coverage and
quality. Identifying more threats is not necessarily true, as black-box control tests may miss some threats
that are hidden in the internal logic or structure of the application.

16
Q
  1. An organization implemented a number of technical and administrative controls to mitigate risk associated
    with ransomware. Which of the following is MOST important to present to senior management when
    reporting on the performance of this initiative?

A. The total cost of the investment
B. The cost and associated risk reduction
C. The number and severity of ransomware incidents
D. Benchmarks of industry peers impacted by ransomware

A

Answer: B

Explanation:
The most important information to present to senior management when reporting on the performance of the
initiative to mitigate risk associated with ransomware is the cost and associated risk reduction, which
means showing the value and effectiveness of the technical and administrative controls in terms of reducing
the likelihood and impact of ransomware incidents and data extortion, and comparing them with the
investment and resources required to implement and maintain them. The cost and associated risk reduction
can help senior management to evaluate the return on investment (ROI) and the alignment with the
business objectives and risk appetite of the initiative.
References = Ransomware Risk Management - NIST, #StopRansomware Guide | CISA

17
Q
  1. An incident response team has established that an application has been breached. Which of the following
    should be done NEXT?

A. Maintain the affected systems in a forensically acceptable state
B. Conduct a risk assessment on the affected application
C. Inform senior management of the breach.
D. Isolate the impacted systems from the rest of the network

A

Answer: D

Explanation:
The next thing an incident response team should do after establishing that an application has been
breached is to isolate the impacted systems from the rest of the network, which means disconnecting them
from the internet or other network connections to prevent further spread of the attack or data exfiltration.
Isolating the impacted systems can help to contain the breach and limit its impact on the organization. The
other options, such as maintaining the affected systems in a forensically acceptable state, conducting a risk
assessment, or informing senior management, may be done later in the incident response process, after
isolating the impacted systems.
References:
✑ https://www.crowdstrike.com/cybersecurity-101/incident-response/
✑ https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks
✑ https://www.invicti.com/blog/web-security/incident-response-steps-web-application-security/

18
Q
  1. Which type of plan is PRIMARILY intended to reduce the potential impact of security events that may
    occur?

A. Security awareness plan
B. Business continuity plan (BCP)
C. Disaster recovery plan (DRP)
D. Incident response plan

A

Answer: D

19
Q
  1. Which of the following is the BEST defense against a brute force attack?

A. Time-of-day restrictions
B. Mandatory access control
C. Discretionary access control
D. Multi-factor authentication (MFA)

A

Answer: D

20
Q
  1. The ULTIMATE responsibility for ensuring the objectives of an information security framework are being
    met belongs to:

A. the internal audit manager.
B. the information security officer.
C. the steering committee.
D. the board of directors.

A

Answer: D

Explanation: The board of directors is the ultimate authority and accountability for ensuring the objectives of
an information security framework are being met, as they are responsible for setting the strategic direction,
approving the policies, overseeing the performance, and ensuring the compliance of the organization. The
board of directors also delegates the authority and resources to the information security officer, the steering
committee, and the internal audit manager, who are involved in the design, implementation, monitoring, and
improvement of the information security framework.
References = CISM Review Manual, 27th Edition, Chapter 4, Section 4.1.1, page 2131; CISM Online
Review Course, Module 4, Lesson 1, Topic 12; CISM Domain 1: Information Security Governance (updated 2022)

21
Q
  1. An organization’s research department plans to apply machine learning algorithms on a large data set
    containing customer names and purchase history. The risk of personal data leakage is considered high
    impact. Which of the following is the BEST risk treatment option in this situation?

A. Accept the risk, as the benefits exceed the potential consequences.
B. Mitigate the risk by applying anonymization on the data set.
C. Transfer the risk by purchasing insurance.
D. Mitigate the risk by encrypting the customer names in the data set.

A

Answer: B

22
Q
  1. Which of the following is MOST important to consider when choosing a shared alternate location for
    computing facilities?

A. The organization’s risk tolerance
B. Resource availability
C. The organization’s mission
D. Incident response team training

A

Answer: A

Explanation: The organization’s risk tolerance is the most important factor to consider when choosing a
shared alternate location for computing facilities, because it determines
the acceptable level of risk exposure and the required recovery time objectives (RTOs) and recovery point
objectives (RPOs) for the organization’s critical business processes and information assets. Resource
availability, the organization’s mission, and incident response team training are also important
considerations, but they are secondary to the risk tolerance.
References = CISM Review Manual, 16th Edition, page 290

23
Q
  1. Communicating which of the following would be MOST helpful to gain senior management support for risk
    treatment options?

A. Quantitative loss
B. Industry benchmarks
C. Threat analysis
D. Root cause analysis

A

Answer: A

Explanation: Communicating the quantitative loss associated with the risk scenarios and the risk treatment
options would be the most helpful to gain senior management support, as it helps to demonstrate the value
and effectiveness of the risk treatment options in terms of reducing the likelihood and impact of the risk.
Quantitative loss also helps to compare the cost and benefit of the risk treatment options and to prioritize
the most critical risks. Industry benchmarks, threat analysis, and root cause analysis may be useful for
understanding and assessing the risk, but they do not directly measure the performance of the risk
treatment options.
References = Five Key Considerations When Developing Information Security Risk Treatment Plans,
CISM Domain 2: Information Risk Management (IRM) [2022 update]

24
Q
  1. Which of the following is MOST important when designing security controls for new cloud-based services?

A. Evaluating different types of deployment models according to the associated risks
B. Understanding the business and IT strategy for moving resources to the cloud
C. Defining an incident response policy to protect data moving between onsite and cloud applications
D. Performing a business impact analysis (BIA) to gather information needed to develop recovery strategies

A

Answer: B

Explanation:
The most important factor when designing security controls for new cloud-based services is to understand
the business and IT strategy for moving resources to the cloud. This will help to align the security controls
with the business objectives, requirements, and risks, and to select the appropriate cloud service delivery
and deployment models. The security controls should also be based on the shared responsibility model,
which defines the roles and responsibilities of the cloud service provider and the cloud customer in ensuring
the security of the cloud environment. Evaluating different types of deployment models, defining an incident
response policy, and performing a business impact analysis are also important activities, but they should be
done after understanding the business and IT strategy.
References = CISM Review Manual, 16th Edition eBook1, Chapter 3: Information Security Program
Development and Management, Section: Information Security Program Management, Subsection: Cloud
Computing, Page 141-142.

25
Q
  1. When implementing a security policy for an organization handling personally identifiable information (PII),
    the MOST important objective should be:

A. strong encryption.
B. regulatory compliance.
C. data availability.
D. security awareness training.

A

Answer: B

Explanation: Regulatory compliance is the most important objective when implementing a security policy for
an organization handling personally identifiable information (PII) because it helps to ensure that the
organization meets the legal and ethical obligations to protect the privacy and security of PII. PII is any
information that can be used to identify, contact, or locate an individual, such as name, address, email,
phone number, social security number, etc. PII is subject to various laws and regulations in different
jurisdictions, such as the General Data Protection Regulation (GDPR) in the European Union, the California
Consumer Privacy Act (CCPA) in the United States, or the Personal Information Protection and Electronic
Documents Act (PIPEDA) in Canada. Failing to comply with these regulations can result in fines, lawsuits,
reputational damage, or loss of trust. Therefore, regulatory compliance is the correct answer.
References:
✑ https://www.iso.org/obp/ui/en/#iso:std:iso-iec:27018:ed-2:v1:en
✑ https://www.digitalguardian.com/blog/how-secure-personally-identifiable-information-against-loss-or-compromise
✑ https://blog.rsisecurity.com/how-to-make-a-personally-identifiable-information-policy/

26
Q
  1. Which of the following would provide the MOST effective security outcome in an organization’s contract
    management process?

A. Performing vendor security benchmark analyses at the request-for-proposal (RFP) stage
B. Ensuring security requirements are defined at the request-for-proposal (RFP) stage
C. Extending security assessment to cover asset disposal on contract termination
D. Extending security assessment to include random penetration testing

A

Answer: B

Explanation: Ensuring security requirements are defined at the request-for-proposal (RFP) stage is the
most effective security outcome in an organization’s contract management process because it establishes
and communicates the security expectations and obligations for both parties, and enables the organization
to evaluate and select the most suitable and secure vendor or service provider. Performing vendor security
benchmark analyses at the RFP stage is not an effective security outcome, but rather a possible security
activity that involves comparing and ranking different vendors or service providers based on their security
capabilities or performance. Extending security assessment to cover asset disposal on contract termination
is not an effective security outcome, but rather a possible security activity that involves verifying and
validating that any assets or data belonging to the organization are securely disposed of by the vendor or
service provider at the end of the contract. Extending security assessment to include random penetration
testing is not an effective security outcome, but rather a possible security activity that involves testing and
auditing the vendor’s or service provider’s security controls or systems at random intervals during the
contract.
References:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-1/data-ownership-and-custodianship-in-the-cloud
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/integrating-assurance-functions

27
Q
  1. Which of the following should be an information security manager’s PRIMARY focus during the development of
    a critical system storing highly confidential data?

A. Reducing the number of vulnerabilities detected
B. Ensuring the amount of residual risk is acceptable
C. Avoiding identified system threats
D. Complying with regulatory requirements

A

Answer: B

Explanation: The information security manager’s primary focus during the development of a critical system
storing highly confidential data should be ensuring the amount of residual risk is acceptable. Residual risk is
the level of cyber risk remaining after all the security controls are accounted for, any threats have been
addressed and the organization is meeting security standards. It’s the risk that slips through the cracks of
the system. For a critical system storing highly confidential data, the residual risk should be as low as
possible, and within the organization’s risk appetite and tolerance. The information security manager should
monitor and review the residual risk throughout the system development life cycle, and ensure that it is
communicated and approved by the appropriate stakeholders. The other options are not the primary focus,
although they may be part of the security objectives and activities. Reducing the number of vulnerabilities
detected is a desirable outcome, but it does not necessarily mean that the residual risk is acceptable, as
some vulnerabilities may have a higher impact or likelihood than others. Avoiding identified system threats
is a preventive measure, but it does not account for unknown or emerging threats that may pose a residual
risk to the system. Complying with regulatory requirements is a mandatory obligation, but it does not
guarantee that the residual risk is acceptable, as regulations may not cover all aspects of security or reflect
the specific context and needs of the organization.

28
Q
  1. After the occurrence of a major information security incident, which of the following will BEST help an
    information security manager determine corrective actions?

A. Calculating cost of the incident
B. Conducting a postmortem assessment
C. Performing an impact analysis
D. Preserving the evidence

A

Answer: B

Explanation: The best way to determine corrective actions after a major information security incident is to
conduct a postmortem assessment, which is a systematic and structured review of the incident, its causes,
its impacts, and its lessons learned. A postmortem assessment can help to identify the root causes of the
incident, the strengths and weaknesses of the incident response process, the gaps and deficiencies in the
security controls, and the opportunities for improvement and remediation. A postmortem assessment can
also help to document the recommendations and action plans for preventing or minimizing the recurrence
of similar incidents in the future.
References = CISM Review Manual, 16th Edition eBook, Chapter 4: Information Security Incident
Management, Section: Incident Response, Subsection: Postincident Activities, Page 211.

29
Q
  1. Regular vulnerability scanning on an organization’s internal network has identified that many user
    workstations have unpatched versions of software. What is the BEST way for the information security
    manager to help senior management understand the related risk?

A. Include the impact of the risk as part of regular metrics.
B. Recommend the security steering committee conduct a review.
C. Update the risk assessment at regular intervals.
D. Send regular notifications directly to senior managers.

A

Answer: A

Explanation: Including the impact of the risk as part of regular metrics is the best way for the information
security manager to help senior management understand the related risk of
having many user workstations with unpatched versions of software because it quantifies and
communicates the potential consequences and likelihood of such a risk in terms of business objectives and
performance indicators. Recommending the security steering committee conduct a review is not a good
way because it does not provide any specific information or analysis about the risk or its impact. Updating
the risk assessment at regular intervals is not a good way because it does not ensure that senior
management is aware or informed about the risk or its impact. Sending regular notifications directly to
senior managers is not a good way because it may be perceived as intrusive or annoying, and may not
convey the severity or urgency of the risk or its impact.
References:
https://www.isaca.org/resources/isaca-journal/issues/2015/volume-6/measuring-the-value-of-information-security-investments
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-3/how-to-measure-the-effectiveness-of-your-information-security-management-system

30
Q
  1. Which of the following is MOST important when defining how an information security budget should be
    allocated?

A. Regulatory compliance standards
B. Information security strategy
C. Information security policy
D. Business impact assessment

A

Answer: B

Explanation: Information security strategy is the most important factor when defining how an information
security budget should be allocated because it helps to align the security objectives and initiatives with the
business goals and priorities. An information security strategy is a high-level plan that defines the vision,
mission, scope, and direction of the security program, as well as the roles and responsibilities, governance
structures, policies and standards, risk management approaches, and performance measurement methods.
An information security strategy helps to identify and prioritize the security needs and requirements of the
organization, as well as to allocate the resources and funding accordingly. An information security strategy
also helps to communicate the value and benefits of security to the stakeholders and justify the security
investments. Therefore, information security strategy is the correct answer.
References:
✑ https://www.techtarget.com/searchsecurity/tip/Cybersecurity-budget-breakdown-and-best-practices
✑ https://www.csoonline.com/article/3671108/how-2023-cybersecurity-budget-allocations-are-shaping-up.html
✑ https://www.statista.com/statistics/1319677/companies-it-budget-allocated-to-security-worldwide/

31
Q
  1. Which of the following should be done FIRST when implementing a security program?

A. Perform a risk analysis.
B. Implement data encryption.
C. Create an information asset inventory.
D. Determine the value of information assets.

A

Answer: A

Explanation: Performing a risk analysis is the first step when implementing a security program because it
helps to identify and prioritize the potential threats and vulnerabilities that may affect the organization’s
assets, processes, or objectives, and determine their impact and likelihood. Implementing data encryption
is not the first step, but rather a possible subsequent step that involves applying a specific security control
or technique to protect data from unauthorized access or modification. Creating an information asset
inventory is not the first step, but rather a possible subsequent step that involves identifying and classifying
the organization’s assets based on their value and sensitivity. Determining the value of information assets
is not the first step, but rather a possible subsequent step that involves estimating and quantifying the worth
of information assets to the organization.
References:
https://www.isaca.org/resources/isaca-journal/issues/2015/volume-6/measuring-the-value-of-information-security-investments
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-3/how-to-measure-the-effectiveness-of-your-information-security-management-system

32
Q
  1. Which of the following would be MOST effective in reducing the impact of a distributed denial of service
    (DDoS) attack?

A. Impose state limits on servers.
B. Spread a site across multiple ISPs.
C. Block the attack at the source.
D. Harden network security.

A

Answer: B

Explanation:
Spreading a site across multiple Internet service providers (ISPs) is the most effective option because it
increases the bandwidth and redundancy available to the site, making it harder for an attacker to target and
overwhelm a single point of failure. It also distributes the traffic load, balances the site’s performance, and
mitigates the effects of regional or network-specific outages or disruptions. Spreading a site across multiple
ISPs can be achieved with techniques such as anycast routing, content delivery networks (CDNs), or
cloud-based services.
References = CISM Review Manual 15th Edition, Chapter 4, Section 4.2.1, page 2091; DDoS Attacks—A
Cyberthreat and Possible Solutions

33
Q
  1. A recent audit found that an organization’s new user accounts are not set up uniformly. Which of the
    following is MOST important for the information security manager to review?

A. Automated controls
B. Security policies
C. Guidelines
D. Standards

A

Answer: D

Explanation:
Standards are the most important thing to review, as they define the specific and mandatory requirements
for setting up new user accounts, such as the naming conventions, access rights, password policies, and
expiration dates. Standards help to ensure consistency, security, and compliance across the organization’s
information systems and users. If the standards are not followed, the organization may face increased
risks of unauthorized access, data breaches, or audit failures.
References = CISM Review Manual 2022, page 341; CISM Exam Content Outline, Domain 1, Knowledge
Statement 1.32; CISM 2020: IT Security Policies; Information Security Policy, Standards, and Guidelines

34
Q
  1. To help users apply appropriate controls related to data privacy regulation, what is MOST important to
    communicate to the users?

A. Data storage procedures
B. Data classification policy
C. Results of penetration testing
D. Features of data protection products

A

Answer: B

35
Q
  1. Which of the following is MOST important to include in an information security strategy?

A. Stakeholder requirements
B. Risk register
C. Industry benchmarks
D. Regulatory requirements

A

Answer: A

Explanation:
Stakeholder requirements are the most important to include in an information security strategy, as they
reflect the business needs, objectives, and expectations of the organization and its key stakeholders.
Stakeholder requirements also help to align the information security strategy with the enterprise
governance and the organizational culture. The risk register, industry benchmarks, and regulatory
requirements are important inputs to the information security strategy, but they are not the most important
element to include.
References = CISM Review Manual 2022, page 321; CISM Exam Content Outline, Domain 1, Task 1.12

36
Q
  1. While responding to a high-profile security incident, an information security manager observed several
    deficiencies in the current incident response plan. When would be the BEST time to update the plan?

A. While responding to the incident
B. During a tabletop exercise
C. During post-incident review
D. After a risk reassessment

A

Answer: C

Explanation:
During post-incident review is the best time to update the incident response plan after observing several
deficiencies in the current plan while responding to a high-profile security incident. A post-incident review is
a process of analyzing and evaluating the incident response activities, identifying the lessons learned, and
documenting the recommendations and action items for improvement. Updating the incident response plan
during post-incident review helps to ensure that the plan reflects the current best practices, addresses the
gaps and weaknesses, and incorporates the feedback and suggestions from the incident response team
and other stakeholders. Therefore, during post-incident review is the correct answer.
References:
✑ https://www.cisa.gov/sites/default/files/publications/Incident-Response-Plan-Basics_508c.pdf
✑ https://www.techtarget.com/searchsecurity/feature/5-critical-steps-to-creating-an-effective-incident-response-plan
✑ https://www.integrify.com/blog/posts/incident-response-plan-need-an-update/

37
Q
  1. Which of the following would provide the BEST evidence to senior management that security control
    performance has improved?

A. Demonstrated return on security investment
B. Reduction in inherent risk
C. Results of an emerging threat analysis
D. Review of security metrics trends

A

Answer: D

Explanation:
Review of security metrics trends is the best evidence to senior management that security control
performance has improved because it helps to measure and demonstrate the effectiveness and efficiency
of the security controls over time. Security metrics are quantitative or qualitative indicators that provide
information about the security status or performance of an organization, system, process, or activity.
Security metrics can be used to evaluate the implementation, operation, and outcome of security controls,
such as the number of vulnerabilities detected and remediated, the time to respond and recover from
incidents, the compliance level with security policies and standards, or the return on security investment.
Review of security metrics trends helps to identify and communicate the progress, achievements, and
challenges of the security program, as well as to support decision making and continuous improvement.
Therefore, review of security metrics trends is the correct answer.
References:
✑ https://www.bitsight.com/blog/importance-continuous-improvement-security-performance-management
✑ https://www.isaca.org/resources/isaca-journal/issues/2020/volume-6/key-performance-indicators-for-security-governance-part-2
✑ https://www.nist.gov/news-events/news/2021/09/dhs-nist-coordinate-releasing-preliminary-cybersecurity-performance-goals

38
Q
  1. The PRIMARY goal of a post-incident review should be to:

A. establish the cost of the incident to the business.
B. determine why the incident occurred.
C. identify policy changes to prevent a recurrence.
D. determine how to improve the incident handling process.

A

Answer: D

39
Q
  1. After updating password standards, an information security manager is alerted by various application
    administrators that the applications they support are incapable of enforcing these standards. The
    information security manager’s FIRST course of action should be to:

A. determine the potential impact.
B. reevaluate the standards.
C. implement compensating controls.
D. evaluate the cost of replacing the applications.

A

Answer: A

40
Q
  1. An organization’s information security team presented the risk register at a recent information security
    steering committee meeting. Which of the following should be of MOST concern to the committee?

A. No owners were identified for some risks.
B. Business applications had the highest number of risks.
C. Risk mitigation action plans had no timelines.
D. Risk mitigation action plan milestones were delayed.

A

Answer: A

Explanation: The most concerning issue for the information security steering committee should be that no
owners were identified for some risks in the risk register. This means that there is no clear accountability
and responsibility for managing and mitigating those risks, and that the risks may not be properly
addressed or monitored. The risk owners are the persons who have the authority and ability to implement
the risk treatment options and to accept the residual risk. The risk owners should be identified and assigned
for each risk in the risk register, and they should report the status and progress of the risk management
activities to the information security steering committee.
References = CISM Review Manual, 16th Edition eBook, Chapter 2: Information Risk Management,
Section: Risk Management, Subsection: Risk Register, Page 104.

41
Q
  1. An international organization with remote branches is implementing a corporate security policy for
    managing personally identifiable information (PII). Which of the following should be the information security
    manager’s MAIN concern?

A. Local regulations
B. Data backup strategy
C. Consistency in awareness programs
D. Organizational reporting structure

A

Answer: A

Explanation: Local regulations are the main concern for the information security manager when
implementing a corporate security policy for managing PII, as different countries or regions may have
different legal, regulatory or contractual requirements for the protection, processing, storage and transfer of
PII. The information security manager should ensure that the policy complies with the applicable local
regulations and respects the rights and preferences of the data subjects. The policy should also address
the risks and challenges of cross-border data transfers and the use of cloud services.
References = CISM Review Manual, 27th Edition, Chapter 4, Section 4.2.1, page 2191; CISM Online
Review Course, Module 4, Lesson 2, Topic 12; Comparitech, PII Compliance: What is it and How to
Implement it

42
Q
  1. An information security manager has been asked to provide both one-year and five-year plans for the
    information security program. What is the PRIMARY purpose for the long-term plan?

A. To facilitate the continuous improvement of the IT organization
B. To ensure controls align with security needs
C. To create and document required IT capabilities
D. To prioritize security risks on a longer scale than the one-year plan

A

Answer: B

Explanation:
The primary purpose of the long-term plan for the information security program is to ensure controls align
with security needs. The long-term plan provides a strategic vision and direction for the information security
program, and defines the goals, objectives, and initiatives that support the organization’s mission, vision,
and values. It also helps to identify and prioritize the security risks and opportunities that may arise in the
future, and to align the information security controls with the changing business and technology
environment. Finally, the long-term plan facilitates the allocation and optimization of the resources and
budget for the information security program, and enables the measurement and evaluation of the program’s
performance and value.
References = CISM Review Manual 15th Edition, Chapter 3, Section 3.1.1, page 1261; CISM domain 3:
Information security program development and management [2022 update] | Infosec; CISM: Information
Security Program Development and Management Part 1 Online, Self-Paced

43
Q
  1. In the context of developing an information security strategy, which of the following provides the MOST
    useful input to determine the or

A. Security budget
B. Risk register
C. Risk score
D. Laws and regulations

A

Answer: D

Explanation: Laws and regulations provide the most useful input to determine the organization’s information
security strategy because they define the legal and compliance requirements and obligations that the
organization must adhere to, and guide the development and implementation of the security policies and
controls that support them. Security budget is not a useful input to determine the organization’s information
security strategy because it does not reflect the organization’s security needs or goals, but rather a
resource to enable the security activities and initiatives. Risk register is not a useful input to determine the
organization’s information security strategy because it does not reflect the organization’s security vision or
mission, but rather a tool to identify and manage the security risks. Risk score is not a useful input to
determine the organization’s information
security strategy because it does not reflect the organization’s security priorities or objectives, but rather a
measure of the level of risk exposure or performance.
References:
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/technical-security-standards-for-information-systems
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/how-to-align-security-initiatives-with-business-goals-and-objectives

44
Q
  1. During the selection of a Software as a Service (SaaS) vendor for a business process, the vendor provides
    evidence of a globally accepted information security certification. Which of the following is the MOST
    important consideration?

A. The certification includes industry-recognized security controls.
B. The certification was issued within the last five years.
C. The certification is issued for the specific scope.
D. The certification is easily verified.

A

Answer: C

Explanation:
The most important consideration when selecting a SaaS vendor for a business process is whether the
vendor’s information security certification is issued for the specific scope of the service that the organization
needs. A certification that covers the entire vendor organization or a different service may not be relevant or
sufficient for the organization’s security requirements. The certification should also include
industry-recognized security controls, be issued within a reasonable time frame, and be easily verified, but
these are not as critical as the scope.
References = CISM Review Manual, 16th Edition, page 1841; 5 Top SaaS Security Certifications for SaaS
Providers

45
Q
  1. Senior management has just accepted the risk of noncompliance with a new regulation.
    What should the information security manager do NEXT?

A. Report the decision to the compliance officer.
B. Update details within the risk register.
C. Reassess the organization’s risk tolerance.
D. Assess the impact of the regulation.

A

Answer: B

Explanation: Updating details within the risk register is the next step for the information security manager to
do after senior management has accepted the risk of noncompliance with a new regulation because it
records and communicates the risk status, impact, and response strategy to the relevant stakeholders.
Reporting the decision to the compliance officer is not the next step, but rather a possible subsequent step
that involves informing and consulting with the compliance officer about the risk acceptance and its
implications. Reassessing the organization’s risk tolerance is not the next step, but rather a possible
subsequent step that involves reviewing and adjusting the organization’s risk appetite and thresholds based
on the risk acceptance and its implications. Assessing the impact of the regulation is not the next step, but
rather a previous step that involves analyzing and evaluating the potential consequences and likelihood of
noncompliance with the regulation.
References:
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-6/how-to-measure-the-effectiveness-of-information-security-using-iso-27004
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-3/how-to-measure-the-effectiveness-of-your-information-security-management-system

46
Q
  1. The PRIMARY purpose of implementing information security governance metrics is to:

A. measure alignment with best practices.
B. assess operational and program metrics.
C. guide security towards the desired state.
D. refine control operations.

A

Answer: C

47
Q
  1. An information security manager has been tasked with developing materials to update the board, regulatory
    agencies, and the media about a security incident. Which of the following should the information security
    manager do FIRST?

A. Set up communication channels for the target audience.
B. Determine the needs and requirements of each audience.
C. Create a comprehensive singular communication
D. Invoke the organization’s incident response plan.

A

Answer: D

Explanation: The information security manager should FIRST invoke the organization’s incident
response plan, which is a predefined set of procedures and guidelines for handling security incidents in a
timely and effective manner. The incident response plan should include the roles and responsibilities of the
incident response team, the communication protocols and channels, the escalation and reporting
procedures, and the documentation and evidence collection requirements. By invoking the incident
response plan, the information security manager can ensure that the incident is properly contained,
analyzed, resolved, and reported, and that the appropriate stakeholders are informed and involved. The
other options are not the first actions that the information security manager should take, as they are part of
the communication process that follows the incident response plan. Setting up communication channels for
the target audience, determining the needs and requirements of each audience, and creating a
comprehensive singular communication are all important steps for communicating effectively with the board,
regulatory agencies, and the media, but they are not the first priority in the event of a security incident. The
information security manager should first follow the incident response plan to manage the incident and its
impact, and then communicate the relevant information to the target audience according to the plan.
References = CISM Review Manual, 16th Edition, page 2261; CISM Review Questions, Answers &
Explanations Manual, 10th Edition, page 1012
Determining the needs and requirements of each audience should be the FIRST step in developing
materials to update the board, regulatory agencies, and the media about a security incident. This is because
different audiences have different expectations, interests, and concerns regarding the incident and its
impact. By understanding the needs and requirements of each audience, the information security manager
can tailor the communication materials to address them effectively and appropriately. This will also help to
avoid confusion, misinformation, or misinterpretation of the incident details and response actions.

48
Q
  1. Which of the following is MOST useful to an information security manager when determining the need to
    escalate an incident to senior management?

A. Incident management procedures
B. Incident management policy
C. System risk assessment
D. Organizational risk register

A

Answer: D

Explanation: The organizational risk register is the most useful for an information security manager when
determining the need to escalate an incident to senior management because it contains a list of identified
risks to the organization, their likelihood and impact, and their predefined risk thresholds or targets, which
can help the information security manager assess the severity and urgency of the incident and decide
whether it requires senior management’s attention or action. Incident management procedures are not very
useful for this purpose because they do not provide any specific criteria or guidance on when to escalate an
incident to senior management. Incident management policy is not very useful for this purpose because it
does not provide any specific criteria or guidance on when to escalate an incident to senior management.
System risk assessment is not very useful for this purpose because it does not reflect the current risk
exposure or status of the organization as a whole.
References:
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-6/how-to-measure-the-effectiveness-of-information-security-using-iso-27004
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-response-lessons-learned

49
Q
  1. Which of the following should be the PRIMARY goal of information security?

A. Information management
B. Regulatory compliance
C. Data governance
D. Business alignment

A

Answer: D

50
Q
  1. Unintentional behavior by an employee caused a major data loss incident. Which of the following is the
    BEST way for the information security manager to prevent recurrence within the organization?

A. Implement compensating controls.
B. Communicate consequences for future instances.
C. Enhance the data loss prevention (DLP) solution.
D. Improve the security awareness training program.

A

Answer: D

51
Q
  1. An organization is performing due diligence when selecting a third party. Which of the following is MOST
    helpful to reduce the risk of unauthorized sharing of information during this process?

A. Using secure communication channels
B. Establishing mutual non-disclosure agreements (NDAs)
C. Requiring third-party privacy policies
D. Obtaining industry references

A

Answer: B

Explanation:
The best option to reduce the risk of unauthorized sharing of information during the due diligence process is
B. Establishing mutual non-disclosure agreements (NDAs). This is because NDAs are legal contracts that
bind the parties to keep confidential any information that is exchanged or disclosed during the due diligence
process. NDAs can help to protect the sensitive data, intellectual property, trade secrets, or business
strategies of both the organization and the third party from being leaked, stolen, or misused by
unauthorized parties. NDAs can also specify the terms and conditions for the use, storage, and disposal of
the information, as well as the consequences for breaching the agreement.
References = CISM Review Manual 15th Edition, Chapter 3, Section 3.2.1, page 1341; CISM Review
Questions, Answers & Explanations Manual 9th Edition, Question 70, page 18

52
Q
  1. Which of the following is the MOST important outcome of effective risk treatment?

A. Elimination of risk
B. Timely reporting of incidents
C. Reduced cost of acquiring controls
D. Implementation of corrective actions

A

Answer: D

Explanation:
The most important outcome of effective risk treatment is the implementation of corrective actions that
address the root causes of the risk and reduce its likelihood and/or impact to an acceptable level. Effective
risk treatment does not necessarily eliminate the risk, but rather brings it within the organization’s risk
appetite and tolerance. Timely reporting of incidents and reduced cost of acquiring controls are desirable
benefits of effective risk treatment, but they are not the primary outcome.
References: The CISM Review Manual 2023 defines risk treatment as “the process of selecting and
implementing measures to modify risk” and states that “the objective of risk treatment is to implement
corrective actions that will reduce the risk to a level that is acceptable to the enterprise” (p. 92). The CISM
Review Questions, Answers & Explanations Manual 2023 also provides the following rationale for this
answer: “Implementation of corrective actions is the correct answer because it is the most important
outcome of effective risk treatment, as it ensures that the risk is managed in accordance with the
organization’s risk appetite and tolerance” (p. 28). Additionally, the Not All Risk Treatment Options Are the
Same article from the ISACA Journal 2021 states that “risk treatment is the process of implementing
corrective actions to address the root causes of the risk and to reduce the likelihood and/or impact of the
risk” (p. 1).

53
Q
  1. The results of a risk assessment for a potential network reconfiguration reveal a high likelihood of sensitive
    data being compromised. What is the information security manager’s BEST course of
    action?

A. Recommend additional network segmentation.
B. Seek an independent opinion to confirm the findings.
C. Determine alignment with existing regulations.
D. Report findings to key stakeholders.

A

Answer: D

Explanation: The information security manager’s best course of action is to report the findings of the risk
assessment to the key stakeholders, such as senior management, business owners, and regulators. This
will ensure that the stakeholders are aware of the potential impact of the risk and can make informed
decisions on how to address it. The other options are possible actions to take after reporting the findings,
but they are not the best course of action in this scenario.
References = CISM Domain 2: Information Risk Management (IRM) [2022
update] (section: Information Risk Response) and CISM ITEM DEVELOPMENT GUIDE - ISACA (page 6,
item example 2)

54
Q
  1. Which of the following is the MOST effective way to convey information security responsibilities across an
    organization?

A. Implementing security awareness programs
B. Documenting information security responsibilities within job descriptions
C. Developing a skills matrix
D. Defining information security responsibilities in the security policy

A

Answer: B

Explanation:
Documenting information security responsibilities within job descriptions is the most effective way to convey
information security responsibilities across an organization because it clearly defines the roles,
expectations, and accountabilities of each employee regarding information security. It also helps to align
the information security objectives with the business goals and performance indicators, and to ensure
compliance with the security policies and standards.
References = CISM Review Manual 15th Edition, What is CISM? - Digital Guardian

55
Q
  1. Which of the following is necessary to ensure consistent protection for an organization’s information
    assets?

A. Data ownership
B. Classification model
C. Regulatory requirements
D. Control assessment

A

Answer: B

Explanation:
A classification model is necessary to ensure consistent protection for an organization’s information assets,
because it defines the criteria for assigning different levels of sensitivity and criticality to the information
assets, and determines the appropriate security controls and handling procedures for each level. Data
ownership, regulatory requirements, and control assessment are also important aspects of information
security management, but they are not sufficient to ensure consistent protection without a classification
model. References = CISM Review Manual, 16th Edition, page 67

56
Q
  1. Which of the following would be of GREATEST assistance in determining whether to accept residual risk of
    a critical security system?

A. Available annual budget
B. Cost-benefit analysis of mitigating controls
C. Recovery time objective (RTO)
D. Maximum tolerable outage (MTO)

A

Answer: B

Explanation:
Cost-benefit analysis of mitigating controls is the BEST way to assist in determining whether to accept
residual risk of a critical security system, because it helps to compare the costs of implementing and
maintaining the controls with the benefits of reducing the risk and the potential losses. Cost-benefit analysis
can help to justify the investment in security controls and to optimize the level of residual risk that is
acceptable for the organization.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 50: “Cost-benefit analysis is the process of comparing
the costs of risk treatment options with the benefits of risk reduction and the potential losses from risk
events.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 51: “Cost-benefit analysis can help to justify the
investment in information security controls and to optimize the level of residual risk that is acceptable for the
enterprise.”
CISM Domain 2: Information Risk Management (IRM) [2022 update]: “Cost-benefit analysis: This is a
comparison of the costs of implementing and maintaining security controls with the benefits of reducing risk
and potential losses. It helps to justify the investment in security controls and optimize the level of residual
risk.”

57
Q
  1. What type of control is being implemented when a security information and event management (SIEM)
    system is installed?

A. Preventive
B. Deterrent
C. Detective
D. Corrective

A

Answer: C

Explanation: A security information and event management (SIEM) system is a type of detective control
because it monitors and analyzes the security events or logs from different sources or systems, and detects
any anomalies or incidents that may indicate a security breach or compromise. A preventive control is a
type of control that prevents or blocks any unauthorized or malicious activity or access from occurring. A
deterrent control is a type of control that discourages or warns any potential attackers or intruders from
attempting any unauthorized or malicious activity or access. A corrective control is a type of control that
restores or repairs any damage or disruption caused by an unauthorized or malicious activity or access.
References:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/the-value-of-penetration-testing
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/security-scanning-versus-penetration-testing

58
Q
  1. Company A, a cloud service provider, is in the process of acquiring Company B to gain new benefits by
    incorporating their technologies within its cloud services.
    Which of the following should be the PRIMARY focus of Company A’s information security manager?

A. The organizational structure of Company B
B. The cost to align to Company A’s security policies
C. Company A’s security architecture
D. Company B’s security policies

A

Answer: D

Explanation:
According to the CISM Review Manual, the security architecture of an organization defines the security
principles, standards, guidelines and procedures that support the information security strategy and align
with the business objectives. When acquiring another company, the information security manager of the
acquiring company should focus on ensuring that the security architecture of the acquired company is
compatible with its own, or that any gaps or conflicts are identified and resolved.
References = CISM Review Manual, 27th Edition, Chapter 2, Section 2.1.2, page 751.

59
Q
  1. Which of the following metrics would BEST demonstrate the success of a newly implemented information
    security framework?

A. An increase in the number of identified security incidents
B. A decrease in the number of security audit findings
C. A decrease in the number of security policy exceptions
D. An increase in the number of compliant business processes

A

Answer: D

60
Q
  1. Which of the following would be an information security manager’s PRIMARY challenge when deploying a
    bring your own device (BYOD) mobile program in an enterprise?

A. Mobile application control
B. Inconsistent device security
C. Configuration management
D. End user acceptance

A

Answer: B

Explanation: Inconsistent device security is the primary challenge for an information security manager when
deploying a bring your own device (BYOD) mobile program in an enterprise because it increases the risk of
data breaches and compromises. A BYOD mobile program allows employees to use their personal devices,
such as smartphones, tablets, or laptops, to access the organization’s network, applications, and data.
However, personal devices may have different operating systems, versions, configurations, and security
settings than the organization’s standard devices. Moreover, personal devices may not be updated
regularly, may have unauthorized or malicious apps installed, or may not have adequate protection against
malware or theft. Inconsistent device security makes it difficult for the information security manager to
enforce and monitor the security policies and controls across all devices, as well as to ensure compliance
with the regulatory requirements for data privacy and security. Therefore, inconsistent device security is the
correct answer.
References:
✑ https://simplemdm.com/blog/challenges-of-bring-your-own-device-byod-policy/
✑ https://www.timedoctor.com/blog/byod-pros-and-cons/
✑ https://www.ncsc.gov.uk/files/NCSC-Vendor-Security-Assessment.pdf

61
Q
  1. Which of the following is the MOST important consideration when determining which type of failover site to
    employ?

A. Reciprocal agreements
B. Disaster recovery test results
C. Recovery time objectives (RTOs)
D. Data retention requirements

A

Answer: C

Explanation: The most important consideration when determining which type of failover site to employ is the
recovery time objectives (RTOs). A failover site is a backup site that
can be used to restore the functionality and operations of an organization’s primary site in the event of a
disaster or disruption. There are different types of failover sites, such as hot sites, warm sites, and cold
sites, that vary in terms of availability, cost, and complexity. A recovery time objective (RTO) is a metric that
defines the maximum acceptable amount of time that an organization can tolerate to restore a system or an
application after a disaster or disruption. By determining the RTOs for each system or application, the
organization can choose the most suitable type of failover site that can meet its recovery needs and
expectations. For example, if the RTO for a critical system is very low, the organization may opt for a hot
site that can provide immediate failover and minimal downtime. However, if the RTO for a non-critical
system is high, the organization may choose a cold site that requires manual setup and activation, but has
lower cost and maintenance. The other options are not the most important consideration when determining
which type of failover site to employ, although they may be some factors or constraints that affect the
decision. Reciprocal agreements are arrangements between two or more organizations that agree to
provide backup facilities or resources to each other in case of a disaster or disruption. Reciprocal
agreements can help reduce the cost and complexity of setting up and maintaining a failover site, but they
may not guarantee the availability or compatibility of the backup facilities or resources. Disaster recovery
test results are outcomes of testing and validating the functionality and performance of a failover site.
Disaster recovery test results can help evaluate and improve the effectiveness and efficiency of a failover
site, but they do not determine which type of failover site to employ. Data retention requirements are
policies and regulations that define how long and in what format an organization must store its data. Data
retention requirements can affect the design and configuration of a failover site, but they do not dictate
which type of failover site to employ.

62
Q
  1. A PRIMARY benefit of adopting an information security framework is that it provides:

A. credible emerging threat intelligence.
B. security and vulnerability reporting guidelines.
C. common exploitability indices.
D. standardized security controls.

A

Answer: D

Explanation:
A standardized security control is a set of rules, guidelines, or best practices that are designed to protect
the confidentiality, integrity, and availability of information assets and
systems. An information security framework is a collection of standardized security controls that are aligned
with the organization’s objectives, strategy, and risk appetite. Adopting an information security framework
provides a primary benefit of ensuring consistency, efficiency, and effectiveness in the implementation and
management of information security across the organization.
References = CISM Review Manual 2022, page 321; CISM Exam Content Outline, Domain 1, Knowledge
Statement 1.22; What is an Information Security Framework?; Information Security Frameworks: What Are
They and Why Do You Need One?

63
Q
  1. Which of the following is the BEST way to enhance training for incident response teams?

A. Perform post-incident reviews.
B. Establish incident key performance indicators (KPIs).
C. Conduct interviews with organizational units.
D. Participate in emergency response activities.

A

Answer: A

Explanation:
Performing post-incident reviews is the best way to enhance training for incident response teams because it
allows them to identify the strengths and weaknesses of their response, learn from the lessons and best
practices, and implement corrective actions and improvement plans for future incidents. Post-incident
reviews also help to evaluate the effectiveness and efficiency of the incident response process and
procedures, and to update them as needed.
References: The CISM Review Manual 2023 states that “post-incident reviews are an essential part of the
incident response process” and that “they provide an opportunity to assess the performance of the incident
response team, identify areas for improvement, and document lessons learned and best practices” (p. 191).
The CISM Review Questions, Answers & Explanations Manual 2023 also provides the following rationale
for this Answer: “Performing post-incident reviews is the best way to enhance training for incident response
teams, as it enables them to learn from their experience and improve their skills and knowledge” (p. 97).

64
Q
  1. Which of the following is the BEST way to build a risk-aware culture?

A. Periodically change risk awareness messages.
B. Ensure that threats are documented and communicated in a timely manner.
C. Establish a channel for staff to report risks.
D. Periodically test compliance with security controls.

A

Answer: C

65
Q
  1. A small organization has a contract with a multinational cloud computing vendor. Which of the following
    would present the GREATEST concern to an information security manager if omitted from the contract?

A. Right of the subscriber to conduct onsite audits of the vendor
B. Escrow of software code with conditions for code release
C. Authority of the subscriber to approve access to its data
D. Commingling of subscribers’ data on the same physical server

A

Answer: C

Explanation: The greatest concern to an information security manager if omitted from the contract with a
multinational cloud computing vendor would be the authority of the subscriber to approve access to its data.
This is because the subscriber’s data may be subject to different legal and regulatory requirements in
different jurisdictions, and the subscriber may lose control over who can access, process, or disclose its
data. The subscriber should have the right to approve or deny access to its data by the vendor or any third
parties, and to ensure that the vendor complies with the applicable data protection laws and standards. The
authority of the subscriber to approve access to its data is also one of the key elements of the ISACA Cloud
Computing Management Audit/Assurance Program1.
References = CISM Review Manual, 16th Edition eBook2, Chapter 3: Information Security Program
Development and Management, Section: Information Security Program Management, Subsection: Cloud
Computing, Page 142.

66
Q
  1. Which of the following is the MOST important characteristic of an effective information security metric?

A. The metric expresses residual risk relative to risk tolerance.
B. The metric is frequently reported to senior management.
C. The metric directly maps to an industry risk management framework.
D. The metric compares the organization’s inherent risk against its risk appetite.

A

Answer: A

67
Q
  1. When establishing metrics for an information security program, the BEST approach is to identify indicators
    that:

A. reduce information security program spending.
B. support major information security initiatives.
C. reflect the corporate risk culture.
D. demonstrate the effectiveness of the security program.

A

Answer: D

Explanation:
Metrics for an information security program should be aligned with the security objectives and strategy, and
should demonstrate how well the program is performing in terms of reducing risk, enhancing security
posture, and supporting business goals. Metrics that support major information security initiatives, reflect
the corporate risk culture, or reduce information security program spending may be useful, but they are not
the best approach for establishing metrics for the entire program.
References = CISM Review Manual 2022, page 3171; CISM Exam Content Outline, Domain 4, Knowledge
Statement 4.112

68
Q
  1. Which of the following is MOST important to consider when determining backup frequency?

A. Recovery point objective (RPO)
B. Recovery time objective (RTO)
C. Allowable interruption window
D. Maximum tolerable outage (MTO)

A

Answer: A

69
Q
  1. Which of the following BEST enables an organization to identify and contain security incidents?

A. Risk assessments
B. Threat modeling
C. Continuous monitoring
D. Tabletop exercises

A

Answer: C

Explanation: Continuous monitoring is the process of collecting, analyzing, and reporting on the security
status of an organization’s information systems and networks. Continuous monitoring enables an
organization to identify and contain security incidents by providing timely and accurate information on the
security events, alerts, incidents, and threats that may affect the organization. Continuous monitoring also
helps to measure the effectiveness and compliance of the security controls, policies, and procedures that
are implemented to protect the organization’s information assets. Continuous monitoring can be performed
using various tools and methods, such as security information and event management (SIEM) tools,
intrusion detection and prevention systems (IDS/IPS), vulnerability scanners, log analyzers, and audit trails.
References: CISM Manual (https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles),
Chapter 6: Incident Response Planning (IRP), Section 6.2: Continuous Monitoring

70
Q
  1. Which of the following should an information security manager do FIRST when creating an organization’s
    disaster recovery plan (DRP)?

A. Conduct a business impact analysis (BIA)
B. Identify the response and recovery teams.
C. Review the communications plan.
D. Develop response and recovery strategies.

A

Answer: A

Explanation: Conducting a business impact analysis (BIA) is the first step when creating an organization’s
disaster recovery plan (DRP) because it helps to identify and prioritize the critical business functions or
processes that need to be restored after a disruption, and determine their recovery time objectives (RTOs)
and recovery point objectives (RPOs)2. Identifying the response and recovery teams is not the first step,
but rather a subsequent step that involves assigning roles and responsibilities for executing the DRP.
Reviewing the communications plan is not the first step, but rather a subsequent step that involves defining
the communication channels and protocols for notifying and updating the
stakeholders during and after a disruption. Developing response and recovery strategies is not the first step,
but rather a subsequent step that involves selecting and implementing the appropriate solutions and
procedures for restoring the critical business functions or processes. References:
https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/business-impact-analysis-bia-and-disaster-recovery-planning-drp

71
Q
  1. Following an unsuccessful denial of service (DoS) attack, identified weaknesses should be:

A. quickly resolved and eliminated regardless of cost.
B. tracked and reported on until their final resolution.
C. documented in security awareness programs.
D. noted and re-examined later if similar weaknesses are found.

A

Answer: D

72
Q
  1. An employee clicked on a link in a phishing email, triggering a ransomware attack. Which of the following
    should be the information security manager’s BEST course of action?

A. Wipe the affected system.
B. Notify internal legal counsel.
C. Notify senior management.
D. Isolate the impacted endpoints.

A

Answer: D

Explanation: Isolating the impacted endpoints is the best course of action for the information security
manager after an employee clicked on a link in a phishing email, triggering a ransomware attack because it
prevents the ransomware from spreading to other systems or devices on the network, and minimizes the
damage or disruption caused by the attack. Wiping the affected system is not a good course of action
because it may destroy any evidence or data that could be used for investigation or recovery. Notifying
internal legal counsel is not a good course of action because it does not address the immediate threat or
impact of the ransomware attack. Notifying senior management is not a good course of action because it
does not address the immediate threat or impact of the ransomware attack. References:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-response-lessons-learned
https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/incident-response-lessons-learned

73
Q
  1. When building support for an information security program, which of the following elements is MOST
    important?

A. Identification of existing vulnerabilities
B. Information risk assessment
C. Business impact analysis (BIA)
D. Threat analysis

A

Answer: B

74
Q
  1. From an information security perspective, legal issues associated with a transborder flow of
    technology-related items are MOST often:

A. website transactions and taxation.
B. software patches and corporate data.
C. encryption tools and personal data.
D. lack of competition and free trade.

A

Answer: C

Explanation: Encryption tools and personal data are the most often associated with legal issues in the
context of transborder flow of technology-related items because they involve the protection of privacy and
security of individuals and organizations across different jurisdictions, and may be subject to different laws
and regulations that govern their access, use, or transfer. Website transactions and taxation are not very
often associated with legal issues in this context because they involve the exchange of goods and services
and the collection of taxes across different jurisdictions, which may not be directly related to technology
transfer or data flow. Software patches and corporate data are not very often associated with legal issues in
this context because they involve the maintenance and improvement of software functionality and the
management and sharing of business information, which may not be directly related to technology transfer
or data flow. Lack of competition and free trade are not very often associated with legal issues in this
context because they involve the market structure and trade policies of different jurisdictions, which may not
be directly related to technology transfer or data flow. References:
https://www.oecd-ilibrary.org/science-and-technology/oecd-declaration-on-transborder-data-flows_230240624407
https://legalinstruments.oecd.org/public/doc/108/108.en.pdf

75
Q
  1. What should be an information security manager’s FIRST step when developing a business case for a new
    intrusion detection system (IDS) solution?

A. Define the issues to be addressed.
B. Perform a cost-benefit analysis.
C. Calculate the total cost of ownership (TCO).
D. Conduct a feasibility study.

A

Answer: A

Explanation: The first step when developing a business case for a new intrusion detection system (IDS)
solution is to define the issues to be addressed. A business case is a
document that provides the rationale and justification for initiating a project or investment. It typically
includes information such as the problem statement, the objectives, the alternatives, the costs and benefits,
the risks and assumptions, and the expected outcomes. The first step in developing a business case is to
define the issues to be addressed, which means identifying and describing the current situation, the
problems or challenges faced by the organization, and the needs or opportunities for improvement. By
defining the issues to be addressed, the information security manager can establish the scope and purpose
of the business case, and provide a clear and compelling problem statement that explains why a new IDS
solution is needed. The other options are not the first step when developing a business case for a new IDS
solution, although they may be part of the subsequent steps. Performing a cost-benefit analysis is a step
that involves comparing the costs and benefits of different alternatives, including the new IDS solution and
the status quo. A cost-benefit analysis can help evaluate and justify the feasibility and desirability of each
alternative, and support the decision-making process. Calculating the total cost of ownership (TCO) is a
step that involves estimating the direct and indirect costs associated with acquiring, operating, maintaining,
and disposing of an asset or a system over its entire life cycle. A TCO calculation can help determine the
long-term financial implications of investing in a new IDS solution, and compare it with other alternatives.
Conducting a feasibility study is a step that involves assessing the technical, operational, legal, and
economic aspects of implementing a project or an investment. A feasibility study can help identify and
mitigate any potential issues or risks that may affect the success of the project or investment, and provide
recommendations for improvement.

76
Q
  1. Which of the following is the PRIMARY preventive method to mitigate risks associated with privileged
    accounts?

A. Eliminate privileged accounts.
B. Perform periodic certification of access to privileged accounts.
C. Frequently monitor activities on privileged accounts.
D. Provide privileged account access only to users who need it.

A

Answer: D

77
Q
  1. The PRIMARY objective of timely declaration of a disaster is to:

A. ensure the continuity of the organization’s essential services.
B. protect critical physical assets from further loss.
C. assess and correct disaster recovery process deficiencies.
D. ensure engagement of business management in the recovery process.

A

Answer: A

Explanation: The primary objective of timely declaration of a disaster is to ensure the continuity of the
organization’s essential services, as it enables the activation of the business continuity plan (BCP) and the
disaster recovery plan (DRP) that outline the processes and procedures to maintain or resume the critical
business functions and minimize the impact of the disruption. A timely declaration of a disaster also helps to
communicate the situation to the stakeholders, mobilize the resources, and request external assistance if
needed.
References = CISM Review Manual, 27th Edition, Chapter 4, Section 4.3.1, page 2271; FEMA, How a
Disaster Gets Declared2; CISM Online Review Course, Module 4, Lesson 3, Topic 13

78
Q
  1. Determining the risk for a particular threat/vulnerability pair before controls are applied can be expressed
    as:

A. a function of the likelihood and impact, should a threat exploit a vulnerability.
B. the magnitude of the impact, should a threat exploit a vulnerability.
C. a function of the cost and effectiveness of controls over a vulnerability.
D. the likelihood of a given threat attempting to exploit a vulnerability

A

Answer: A

Explanation: According to the CISM Manual, risk is defined as the combination of the probability of an
event and its consequence. Therefore, determining the risk for a particular threat/vulnerability pair before
controls are applied can be expressed as a function of the likelihood and impact, should a threat exploit a
vulnerability. Likelihood is the probability or frequency of a threat occurring, while impact is the magnitude
or severity of the harm or loss that would result from a threat exploiting a vulnerability. The higher the
likelihood and impact, the higher the risk. The lower the likelihood and impact, the lower the risk.
The other options are not correct because they do not capture the full expression of risk. Option B only
considers the impact, but not the likelihood, of a threat exploiting a vulnerability. Option C confuses the risk
with the risk response, which is the action taken to reduce or mitigate the risk. Option D only considers the
likelihood, but not the impact, of a threat attempting to exploit a vulnerability.
References: CISM Manual (https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles),
Chapter 2: Information Risk Management (IRM), Section 2.1: Risk Concepts

79
Q
  1. Which of the following roles is MOST appropriate to determine access rights for specific users of an
    application?

A. Data owner
B. Data custodian
C. System administrator
D. Senior management

A

Answer: A

Explanation: The data owner is the most appropriate role to determine access rights for specific users of an
application because they have legal rights and complete control over data elements4. They are also
responsible for approving data glossaries and definitions, ensuring the accuracy of information, and
supervising operations related to data quality5. The data custodian is responsible for the safe custody,
transport, and storage of the data and implementation of business rules, but not for determining access
rights4. The system administrator is responsible for managing the security and storage infrastructure of
data sets according to the organization’s data governance policies, but not for determining access rights5.
Senior management is responsible for setting the strategic direction and priorities for data governance, but
not for determining access rights5. References:
4: https://cloudgal42.com/data-privacy-difference-between-data-owner-controller-and-data-custodian-processor/
5: https://www.cpomagazine.com/cyber-security/data-owners-vs-data-stewards-vs-data-custodians-the-3-types-of-data-masters-and-why-you-should-employ-them/

80
Q
  1. Which of the following should an information security manager do FIRST to address the risk associated
    with a new third-party cloud application that will not meet organizational security requirements?

A. Include security requirements in the contract.
B. Update the risk register.
C. Consult with the business owner.
D. Restrict application network access temporarily.

A

Answer: C

Explanation: Consulting with the business owner is the FIRST course of action that the information security
manager should take to address the risk associated with a new third-party cloud application that will not
meet organizational security requirements, because it helps to understand the business needs and
expectations for using the application, and to communicate the security risks and implications. The
information security manager and the business owner should work together to evaluate the trade-offs
between the benefits and the risks of the application, and to determine the best course of action, such as
modifying the requirements, finding an alternative solution, or accepting the risk.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 41: “The information security manager should consult
with the business owners to understand their needs and expectations for using third-party services, and to
communicate the security risks and implications.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 42: “The information security manager and the
business owners should collaborate to evaluate the trade-offs between the benefits and the risks of using
third-party services, and to determine the best course of action, such as modifying the requirements, finding
an alternative solution, or accepting the risk.”
Best Practices to Manage Risks in the Cloud - ISACA: “The information security manager should work with
the business owner to define the security requirements for the cloud service, such as data protection,
access control, incident response, and compliance.”

81
Q
  1. What should a global information security manager do FIRST when informed that a new regulation with
    significant impact will go into effect soon?

A. Perform a privacy impact assessment (PIA).
B. Perform a vulnerability assessment.
C. Perform a gap analysis.
D. Perform a business impact analysis (BIA).

A

Answer: C

82
Q
  1. Which of the following functions is MOST critical when initiating the removal of system access for
    terminated employees?

A. Legal
B. Information security
C. Help desk
D. Human resources (HR)

A

Answer: B

Explanation: Information security is the most critical function when initiating the removal of system access
for terminated employees, as it is responsible for ensuring that the access rights of the employees are
revoked in a timely and effective manner, and that the security of the organization’s data and systems is
maintained. Information security should coordinate with other functions, such as HR, legal, and help desk,
to implement the access removal process, but it is the primary function that has the authority and capability
to disable or delete the access credentials of the terminated employees. The other options are not as
critical as information security, as they may have different roles or responsibilities in the access removal
process, or they may not have direct access to the systems or tools that control the access rights of the
employees. References =
CISM Review Manual 15th Edition, page 114: “Information security is responsible for ensuring that access
rights are revoked in a timely and effective manner.”
SOC 2 Controls: Access Removal for Terminated or Transferred Users, snippets: “Systems access that is
no longer required for terminated or transferred users is removed within one business day. For terminated
employees, access to key IT systems is revoked in a timely manner. A termination checklist and ticket are
completed, and access is revoked for employees as a component of the employee termination process.”
IT Involvement in Employee Termination, A Checklist, snippets: “Disable all network access. If your
company uses a master access list of active passwords, tell the system to deny any passcodes associated
with the user being terminated. If your system doesn’t have a deny function, delete the user and their
associated passwords. Monitor employee access.”
Human resources (HR) is the most critical function when initiating the removal of system access for
terminated employees because it is responsible for notifying the relevant parties, such as information
security, help desk, and legal, of the employee’s termination status and date. HR also ensures that the
employee’s exit process is completed and documented, and that the employee returns any
company-owned devices or assets. HR also coordinates with the employee’s manager and team to ensure
a smooth transition of work and responsibilities.

83
Q
  1. Predetermined containment methods to be used in a cybersecurity incident response should be based
    PRIMARILY on the:

A. number of impacted users.
B. capability of incident handlers.
C. type of confirmed incident.
D. predicted incident duration.

A

Answer: C

Explanation: According to the NIST SP 800-61 Computer Security Incident Handling Guide, the type of
confirmed incident is one of the most important criteria for choosing a containment strategy, as different
types of incidents may require different levels of urgency, scope, and impact [1]. For example, a
denial-of-service attack may require a different containment strategy than a ransomware attack or a data
breach.
References = [1] NIST SP 800-61, Section 3.1: Choosing a Containment Strategy

84
Q
  1. Which of the following is the MOST important role of the information security manager when the
    organization is in the process of adopting emerging technologies?

A. Assessing how peer organizations using the same technologies have been impacted
B. Understanding the impact on existing resources
C. Reviewing vendor contracts and service level agreements (SLAs)
D. Developing training for end users to familiarize them with the new technology

A

Answer: B

85
Q
  1. Which of the following would be the GREATEST threat posed by a distributed denial of service (DDoS)
    attack on a public-facing web server?

A. Execution of unauthorized commands
B. Prevention of authorized access
C. Defacement of website content
D. Unauthorized access to resources

A

Answer: B

Explanation: Prevention of authorized access is the greatest threat posed by a distributed denial of service
(DDoS) attack on a public-facing web server because it prevents legitimate users or customers from
accessing the web services or resources, causing disruption, dissatisfaction, and potential loss of revenue
or reputation. Execution of unauthorized commands is not a threat posed by a DDoS attack, but rather by a
remote code execution (RCE) attack. Defacement of website content is not a threat posed by a DDoS
attack, but rather by a web application attack. Unauthorized access to resources is not a threat posed by a
DDoS attack, but rather by a brute force attack or an authentication bypass attack. References:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/the-value-of-penetration-testing
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/security-scanning-versus-penetration-testing

86
Q
  1. Which of the following is the PRIMARY objective of a cyber resilience strategy?

A. Business continuity
B. Regulatory compliance
C. Employee awareness
D. Executive support

A

Answer: A

Explanation:
Business continuity is the primary objective of a cyber resilience strategy, as it aims to ensure that the
organization can continue to deliver its essential products and services in the face of cyber disruptions, and
recover to normal operations as quickly and effectively as possible. A cyber resilience strategy should align
with the business continuity plan and support the organization’s mission, vision, and values. (From CISM
Review Manual 15th Edition)
References: CISM Review Manual 15th Edition, page 178, section 4.3.2.1.

87
Q
  1. Which of the following processes is MOST important for the success of a business continuity plan (BCP)?

A. Involving all stakeholders in testing and training
B. Scheduling periodic internal and external audits
C. Including the board and senior management in plan reviews
D. Maintaining copies of the plan at the primary and recovery sites

A

Answer: A

88
Q
  1. The PRIMARY objective of timely declaration of a disaster is to:

A. ensure engagement of business management in the recovery process.
B. assess and correct disaster recovery process deficiencies.
C. protect critical physical assets from further loss.
D. ensure the continuity of the organization’s essential services.

A

Answer: D

Explanation:
The primary objective of timely declaration of a disaster is to ensure the continuity of the
organization’s essential services, which are the services that are critical for the survival and operation of the
organization, and that cannot be interrupted or delayed without causing severe consequences. By declaring
a disaster, the organization can activate its disaster recovery plan (DRP), which is a set of documented
procedures and resources to recover the essential services in the event of a disaster. The DRP should
include the roles and responsibilities, the communication channels, the recovery strategies, the backup and
restoration procedures, and the testing and maintenance activities for the disaster recovery process.
References = CISM Review Manual, 16th Edition eBook, Chapter 9: Business Continuity and Disaster
Recovery, Section: Disaster Recovery Planning, Subsection: Disaster Declaration, Page 372.

89
Q
  1. An organization implemented a number of technical and administrative controls to mitigate risk associated
    with ransomware. Which of the following is MOST
    important to present to senior management when reporting on the performance of this initiative?

A. The cost and associated risk reduction
B. Benchmarks of industry peers impacted by ransomware
C. The number and severity of ransomware incidents
D. The total cost of the investment

A

Answer: A

Explanation:
According to the CISM Review Manual, the most important metric to present to senior management when
reporting on the performance of a risk mitigation initiative is the cost and associated risk reduction, as it
demonstrates the value and effectiveness of the initiative in terms of reducing the likelihood and impact of
the risk. The other metrics may be useful for comparison or analysis, but they do not directly measure the
performance of the initiative.
References = CISM Review Manual, 27th Edition, Chapter 4, Section 4.3.2, page 2091.

90
Q
  1. How does an organization PRIMARILY benefit from the creation of an information security steering
    committee?

A. An increase in information security risk awareness
B. An increased alignment with industry security trends that impact the business
C. An increased focus on information security resource management
D. An increased alignment of information security with the business

A

Answer: D

91
Q
  1. Which of the following should be the FIRST step when performing triage of a malware incident?

A. Containing the affected system
B. Preserving the forensic image
C. Comparing backup against production
D. Removing the malware

A

Answer: A

Explanation: The first step when performing triage of a malware incident is to contain the affected system,
which means isolating it from the network and preventing any further communication or data transfer with
the attacker or other compromised systems. Containing the affected system helps to limit the scope and
impact of the incident, preserve the evidence, and prevent the spread of the malware to other systems.
References = NIST SP 800-61 Revision 2, CISM Review Manual 15th Edition

92
Q
  1. Which of the following is the BEST way to help ensure alignment of the information security
    program with organizational objectives?

A. Establish an information security steering committee.
B. Employ a process-based approach for information asset classification.
C. Utilize an industry-recognized risk management framework.
D. Provide security awareness training to board executives.

A

Answer: A

Explanation: The best way to help ensure alignment of the information security program with organizational
objectives is A. Establish an information security steering committee. This is because an information
security steering committee is a cross-functional group of senior executives and managers who provide
strategic direction, oversight, and support for the information security program. An information security
steering committee can help to ensure that the information security program is aligned with the
organizational objectives by:
Communicating and promoting the vision, mission, and value of information security to the organization and
its stakeholders
Defining and approving the information security policies, standards, and procedures
Establishing and monitoring the information security goals, metrics, and performance indicators
Allocating and prioritizing the resources and budget for information security initiatives and projects
Resolving any conflicts or issues that may arise between the information security function and the business
units
Reviewing and endorsing the information security risk assessment and treatment plans
Ensuring compliance with the legal, regulatory, and contractual obligations regarding information security
An information security steering committee is a cross-functional group of senior executives and managers
who provide strategic direction, oversight, and support for the information security program. (From CISM
Manual or related resources)
References = CISM Review Manual 15th Edition, Chapter 1, Section 1.2.2, page 20; CISM Review
Questions, Answers & Explanations Manual 9th Edition, Question 9, page 3; Information Security
Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition

93
Q
  1. A multinational organization is introducing a security governance framework. The information security
    manager’s concern is that regional security practices differ. Which of the following should be evaluated
    FIRST?

A. Local regulatory requirements
B. Global framework standards
C. Cross-border data mobility
D. Training requirements of the framework

A

Answer: A

94
Q
  1. Which of the following provides the BEST input to determine the level of protection needed for an IT
    system?

A. Vulnerability assessment
B. Asset classification
C. Threat analysis
D. Internal audit findings

A

Answer: B

95
Q
  1. For the information security manager, integrating the various assurance functions of an organization is
    important PRIMARILY to enable:

A. consistent security.
B. comprehensive audits
C. a security-aware culture
D. compliance with policy

A

Answer: A

Explanation: Consistent security is the primary reason for integrating the various assurance functions of an
organization for the information security manager because it ensures that the security policies and
standards are applied uniformly and effectively across different domains, processes, and systems of the
organization. Comprehensive audits are not the primary reason for integrating the various assurance
functions, but rather
a possible outcome or benefit of doing so. A security-aware culture is not the primary reason for integrating
the various assurance functions, but rather a desirable state or goal of the organization. Compliance with
policy is not the primary reason for integrating the various assurance functions, but rather a basic
requirement or expectation of the organization. References:
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/integrating-assurance-functions
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-3/how-to-measure-the-effectiveness-of-your-information-security-management-system

96
Q
  1. Which of the following should an information security manager do FIRST after discovering that a business
    unit has implemented a newly purchased application and bypassed the change management process?

A. Revise the procurement process.
B. Update the change management process.
C. Discuss the issue with senior leadership.
D. Remove the application from production.

A

Answer: C

Explanation:
An information security manager should first discuss the issue with senior leadership to escalate the
problem and seek their support and guidance. Bypassing the change management process can introduce
significant risks to the organization, such as unauthorized access, data loss, system instability, or
compliance violations. The information security manager should explain the potential impact and
consequences of the incident, and recommend corrective actions to remediate the situation. The
information security manager should also review the root cause of the incident and identify any gaps or
weaknesses in the existing policies, procedures, or controls that allowed the business unit to implement the
new application without proper authorization, testing, or documentation. The information security manager
should then revise the procurement process, update the change management process, or implement other
measures to prevent similar incidents
from occurring in the future. Removing the application from production may not be feasible or desirable,
depending on the business needs and the severity of the risks
involved. References = CISM Review Manual, 16th Edition, pages 100-1011; CISM Review Questions,
Answers & Explanations Manual, 10th Edition, page 2692

97
Q
  1. Which of the following should be updated FIRST when aligning the incident response plan with the
    corporate strategy?

A. Disaster recovery plan (DRP)
B. Incident notification plan
C. Risk response scenarios
D. Security procedures

A

Answer: C

Explanation:
The answer to the question is C. Risk response scenarios. This is because risk response scenarios are the
predefined plans and actions that the organization will take to respond to specific types of incidents, such
as cyberattacks, natural disasters, or data breaches. Risk response scenarios should be aligned with the
corporate strategy, which defines the vision, mission, goals, and objectives of the organization, and guides
the decision-making and resource allocation processes. By aligning the risk response scenarios with the
corporate strategy, the organization can ensure that the incident response plan supports the achievement
of the desired outcomes and benefits, and minimizes the impact and disruption to the business operations
and performance.
Risk response scenarios are the predefined plans and actions that the organization will take to respond to
specific types of incidents. Risk response scenarios should be aligned with the corporate strategy, which
defines the vision, mission, goals, and objectives of the organization. (From CISM Manual or related
resources)
References = CISM Review Manual 15th Edition, Chapter 4, Section 4.2.2, page 2111; CISM domain 4:
Information security incident management [2022 update] | Infosec2; A Guide to Effective Incident
Management Communications3

98
Q
  1. An organization has remediated a security flaw in a system. Which of the following should be done NEXT?

A. Assess the residual risk.
B. Share lessons learned with the organization.
C. Update the system’s documentation.
D. Allocate budget for penetration testing.

A

Answer: A

Explanation:
Residual risk is the risk that remains after applying controls to mitigate the original risk. It is important to
assess the residual risk after remediation to ensure that it is within the acceptable level and tolerance of the
organization. (From CISM Review Manual 15th Edition)
References: CISM Review Manual 15th Edition, page 181, section 4.3.2.4.

99
Q
  1. Company A, a cloud service provider, is in the process of acquiring Company B to gain new benefits by
    incorporating their technologies within its cloud services.
    Which of the following should be the PRIMARY focus of Company A’s information security manager?

A. Company B’s security policies
B. The cost to align to Company A’s security policies
C. Company A’s security architecture
D. The organizational structure of Company B

A

Answer: C

Explanation: Company A’s security architecture is the PRIMARY focus of Company A’s information security
manager, because it defines the overall security design and controls for the cloud services that Company A
provides to its customers. The information security manager should ensure that the security architecture is
aligned with the business objectives and requirements of Company A, and that it can accommodate the
integration of Company B’s technologies without compromising the security, performance, and availability
of the cloud services.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 67: “Security architecture is the design of the security
controls that are applied to the information assets and the relationships among those assets.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 68: “The information security manager should ensure
that the security architecture is aligned with the enterprise’s business objectives and requirements and
supports the information security strategy and program.” CISM Review Manual, 16th Edition, ISACA, 2020,
p. 69: “The information security manager should consider the impact of changes in the enterprise
environment, such as mergers and acquisitions, on the security architecture and identify the necessary
modifications or enhancements to maintain the security posture of the enterprise.”

100
Q
  1. Which of the following is the BEST control to protect customer personal information that is stored in the
    cloud?

A. Timely deletion of digital records
B. Appropriate data anonymization
C. Strong encryption methods
D. Strong physical access controls

A

Answer: C

Explanation:
Strong encryption methods are the BEST control to protect customer personal information that is stored in
the cloud, because they help to prevent unauthorized access, disclosure, modification, or deletion of the
data by encrypting it at rest and in transit. Encryption is the process of transforming data into an unreadable
format using a secret key or algorithm, so that only authorized parties can decrypt and access the data.
Encryption can help to protect the confidentiality, integrity, and availability of the data, as well as to comply
with legal and regulatory requirements.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 72: “Encryption is the process of transforming data
into an unreadable format using a secret key or algorithm.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 73: “Encryption can help to protect the confidentiality,
integrity, and availability of data, as well as to comply with legal and
regulatory requirements for data protection.”
Saas Data Security: Protecting Your Customers’ Information In The Cloud - Fresent’s Blog: “Encryption and
Data Protection: One of the most effective ways to protect sensitive data in the cloud is to encrypt it both at
rest and in transit. Encryption is the process of transforming data into an unreadable format using a secret
key or algorithm, so that only authorized parties can decrypt and access the data.”