CISM 7 Flashcards

1
Q
  1. Which of the following is MOST appropriate to communicate to senior management regarding information
    risk?

A. Defined risk appetite
B. Emerging security technologies
C. Vulnerability scanning progress
D. Risk profile changes

A

Answer: D

Explanation:
The most appropriate information to communicate to senior management regarding information risk is the
risk profile changes, which reflect the current level and nature of the risks that the organization faces. The
risk profile changes can help senior management to understand the impact of the risks on the business
objectives, the effectiveness of the risk management strategy, and the need for any adjustments or
improvements. The risk profile changes can also help senior management to prioritize the allocation of
resources and to make informed decisions.
References = CISM Review Manual, 16th Edition eBook1, Chapter 2: Information Risk Management,
Section: Risk Communication, Subsection: Risk Reporting, Page 97.

2
Q
  1. Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

A. To define security roles and responsibilities
B. To determine return on investment (ROI)
C. To establish incident severity levels
D. To determine the criticality of information assets

A

Answer: D

Explanation:
A business impact analysis (BIA) is a process that identifies and evaluates the potential effects of
disruptions to critical business operations as a result of a disaster, accident or emergency. The primary
purpose of a BIA is to determine the criticality of information assets and the impact of their unavailability on
the organization’s mission, objectives and reputation. (From CISM Review Manual 15th Edition)
References: CISM Review Manual 15th Edition, page 178, section 4.3.2.1.

3
Q
  1. Which of the following should an information security manager do FIRST to address the risk associated
    with a new third-party cloud application that will not meet organizational security requirements?

A. Update the risk register.
B. Consult with the business owner.
C. Restrict application network access temporarily.
D. Include security requirements in the contract.

A

Answer: B

Explanation: The information security manager should first consult with the business owner to understand
the business needs and objectives for using the new cloud application, and to discuss the possible
alternatives or compensating controls that can mitigate the risk. Updating the risk register, restricting
application network access, or including security requirements in the contract are possible actions to take
after consulting with the business owner.
References = CISM Review Manual, 16th Edition eBook1, Chapter 1: Information Security Governance,
Section: Risk Management, Subsection: Risk Treatment, Page 49.

4
Q
  1. Which of the following is the BEST indication of a mature information security program?

A. Security incidents are managed properly.
B. Security spending is below budget.
C. Security resources are optimized.
D. Security audit findings are reduced.

A

Answer: C

Explanation:
A mature information security program is one that is aligned with the business strategy, objectives, and
culture, and that delivers value to the organization by effectively managing the information security risks
and enhancing the security posture. Optimizing the security resources means that the program uses the
available human, financial, and technical resources in the most efficient and effective way, and that it
continuously monitors and improves the performance and maturity of the security processes and controls.
References = CISM Review Manual 2022, page 331; CISM Exam Content Outline, Domain 1, Knowledge
Statement 1.22; What is a Mature Information Security Program?; How to Measure the Maturity of Your
Cybersecurity Program

5
Q
  1. Meeting which of the following security objectives BEST ensures that information is protected against
    unauthorized disclosure?

A. Integrity
B. Authenticity
C. Confidentiality
D. Nonrepudiation

A

Answer: C

Explanation: Confidentiality is the security objective that best ensures that information is
protected against unauthorized disclosure. Confidentiality means that only authorized parties can access or
view sensitive or classified information. Integrity means that information is accurate and consistent and has
not been tampered with or modified by unauthorized parties. Authenticity means that information is genuine
and trustworthy and has not been forged or misrepresented by unauthorized parties. Nonrepudiation
means that information can be verified and proven to be sent or received by a specific party without any
possibility of denial. References:
https://www.csoonline.com/article/3513899/the-cia-triad-definition-components-and-examples.html

6
Q
  1. Which of the following BEST describes a buffer overflow?

A. A function is carried out with more data than the function can handle
B. A program contains a hidden and unintended function that presents a security risk
C. Malicious code designed to interfere with normal operations
D. A type of covert channel that captures data

A

Answer: A

Explanation: A buffer overflow is a software coding error or vulnerability that occurs when a function is
carried out with more data than the function can handle, resulting in adjacent memory locations being
overwritten or corrupted by the excess data [1]. A program contains a hidden and unintended function that
presents a security risk is not a buffer overflow, but rather a backdoor [2]. Malicious code designed to
interfere with normal operations is not a buffer overflow, but rather malware [3]. A type of covert channel that
captures data is not a buffer overflow, but rather a keylogger [4]. References:
[1] https://www.fortinet.com/resources/cyberglossary/buffer-overflow
[2] https://www.fortinet.com/resources/cyberglossary/backdoor
[3] https://www.fortinet.com/resources/cyberglossary/malware
[4] https://www.fortinet.com/resources/cyberglossary/keylogger

7
Q
  1. Which of the following is the MOST important function of an information security steering committee?

A. Assigning data classifications to organizational assets
B. Developing organizational risk assessment processes
C. Obtaining multiple perspectives from the business
D. Defining security standards for logical access controls

A

Answer: C

Explanation:
An information security steering committee is a group of senior executives and managers from different
business units and functions who provide strategic direction, oversight, and support for the information
security program. The most important function of the committee is to obtain multiple perspectives from the
business, as this helps to ensure that the information security program aligns with the business goals,
needs, and culture, and that the security decisions reflect the interests and expectations of the
stakeholders.
References = CISM Review Manual 2022, page 331; CISM Exam Content Outline, Domain 1, Knowledge
Statement 1.22; Improve Security Governance With a Security Steering Committee2; The Role of the
Corporate Information Security Steering Committee3

8
Q
  1. Which of the following is the GREATEST challenge with assessing emerging risk in an organization?

A. Lack of a risk framework
B. Ineffective security controls
C. Presence of known vulnerabilities
D. Incomplete identification of threats

A

Answer: D

Explanation: The greatest challenge with assessing emerging risk in an organization is the incomplete
identification of threats, as emerging risks are often new, unknown, or unfamiliar, and may not be fully
understood or assessed. Incomplete identification of threats can lead to gaps in risk analysis and
management, and expose the organization to unexpected or unprepared scenarios. The other options,
such as lack of a risk framework, ineffective security controls, or presence of known vulnerabilities, are not
specific to emerging risks, and may apply to any type of risk assessment. References:
✑ https://committee.iso.org/sites/tc262/home/projects/ongoing/iso-31022-guidelinesfor-impl-2.html
✑ https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2023/volume-6/emerging-risk-analysis
✑ https://projectriskcoach.com/emerging-risks/

9
Q
  1. An organization is leveraging tablets to replace desktop computers shared by shift-based staff. These
    tablets contain critical business data and are inherently at increased risk of theft. Which of the following will
    BEST help to mitigate this risk?

A. Deploy mobile device management (MDM)
B. Implement remote wipe capability.
C. Create an acceptable use policy.
D. Conduct a mobile device risk assessment

A

Answer: D

Explanation: A key risk indicator (KRI) is a metric that provides an early warning of potential exposure to a
risk. A KRI should be relevant, measurable, timely, and actionable. The most important factor in an
organization’s selection of a KRI is the criticality of information, which means that the KRI should reflect the
value and sensitivity of the information assets that are exposed to the risk. For example, a KRI for data
breach risk could be the number of unauthorized access attempts to a database that contains confidential
customer data. The criticality of information helps to prioritize the risks and focus on the most significant
ones. References:
https://www.isaca.org/credentialing/cism
https://www.wiley.com/en-us/CISM+Certified+Information+Security+Manager+Study+Guide-p-9781119801948

10
Q
  1. Which of the following BEST illustrates residual risk within an organization?

A. Heat map
B. Risk management framework
C. Business impact analysis (BIA)
D. Balanced scorecard

A

Answer: A

11
Q
  1. Which of the following roles is BEST suited to validate user access requirements during an annual user
    access review?

A. Access manager
B. IT director
C. System administrator
D. Business owner

A

Answer: D

Explanation:
The business owner is the best suited role to validate user access requirements during an annual user
access review, because the business owner is responsible for determining the business needs and
objectives of the users, as well as defining the appropriate access rights and privileges for each user role.
The business owner is also accountable for ensuring that the user access is aligned with the organization’s
policies and standards, and that the user access review is conducted effectively and efficiently1. The
access manager, the IT director, and the system administrator are not as suitable as the business owner,
because they are more involved in the technical and operational aspects of user access management,
rather than the business aspects.
References = Effective User Access Reviews

12
Q
  1. Of the following, who is BEST suited to own the risk discovered in an application?

A. Information security manager
B. Senior management
C. System owner
D. Control owner

A

Answer: C

13
Q
  1. Which of the following is a function of the information security steering committee?

A. Deliver external communication during incident response.
B. Align the security framework with security standards.
C. Align security strategy with business objectives.
D. Monitor regulatory requirements.

A

Answer: C

14
Q
  1. An organization has been penalized by regulatory authorities for failing to notify them of a major security
    breach that may have compromised customer data. Which of the following is MOST likely in need of review
    and updating to prevent similar penalties in the future?

A. Information security policies and procedures
B. Business continuity plan (BCP)
C. Incident communication plan
D. Incident response training program

A

Answer: C

15
Q
  1. Which of the following is MOST helpful in the development of a cost-effective information security strategy
    that is aligned with business requirements?

A. Enforcing data retention
B. Developing policy standards
C. Benchmarking against industry peers
D. Categorizing information assets

A

Answer: C

16
Q
  1. An information security manager is MOST likely to obtain approval for a new security project when the
    business case provides evidence of:

A. organizational alignment
B. IT strategy alignment
C. threats to the organization
D. existing control costs

A

Answer: A

Explanation:
A new security project is more likely to be approved if it aligns with the organization’s goals, objectives, and
strategies. This shows that the project supports the business needs and adds value to the organization.
Organizational alignment is one of the key elements of a business case for information security, as stated in
the CISM Review Manual, 16th Edition1, page 41. IT strategy alignment, threats to the organization, and
existing control costs are also important factors to consider, but they are not as persuasive as
organizational alignment in obtaining approval for a new security project. References = 1:
CISM Review Manual, 16th Edition by Isaca (Author)
Learn more: 1. isaca.org 2. amazon.com 3. gov.uk

17
Q
  1. Which of the following will BEST enable an effective information asset classification process?

A. Including security requirements in the classification process
B. Analyzing audit findings
C. Reviewing the recovery time objective (RTO) requirements of the asset
D. Assigning ownership

A

Answer: D

Explanation:
Assigning ownership is the best way to enable an effective information asset classification process, as it
establishes the authority and responsibility for the information asset and its protection. The owner of the
information asset should be involved in the classification process, as they have the best knowledge of the
value, sensitivity, and criticality of the asset, as well as the impact of its loss or compromise. The owner
should also ensure that the asset is properly labeled, handled, and secured according to its classification
level. (From CISM Review Manual 15th Edition)
References: CISM Review Manual 15th Edition, page 64, section 2.2.1.2; Information Asset and Security
Classification Procedure1, section 3.1.

18
Q
  1. Which of the following is the BEST indicator of an emerging incident?

A. A weakness identified within an organization’s information systems
B. Customer complaints about lack of website availability
C. A recent security incident at an industry competitor
D. Attempted patching of systems resulting in errors

A

Answer: B

19
Q
  1. Which of the following BEST provides an information security manager with sufficient assurance that a
    service provider complies with the organization’s information security requirements?

A. A live demonstration of the third-party supplier’s security capabilities
B. The ability to audit the third-party supplier’s IT systems and processes
C. Third-party security control self-assessment (CSA) results
D. An independent review report indicating compliance with industry standards

A

Answer: B

Explanation: A service provider is a third-party supplier that provides IT services or products to an
organization. A service provider should comply with the organization’s information security requirements,
such as policies, standards, procedures, and controls, to ensure the confidentiality, integrity, and availability
of the organization’s data and systems. The best way to provide an information security manager with
sufficient assurance that a service provider complies with the organization’s information security
requirements is to have the ability to audit the third-party supplier’s IT systems and processes. An audit is a
systematic and independent examination of evidence to determine the degree of conformity to
predetermined criteria. An audit can verify the effectiveness and efficiency of the service provider’s security
controls, identify any gaps or weaknesses, and provide recommendations for improvement. An audit can
also ensure that the service provider adheres to the contractual obligations and service level agreements
(SLAs) with the organization.
Therefore, option B is the most appropriate answer.
Option A is not the best answer because a live demonstration of the third-party supplier’s security
capabilities may not be comprehensive, objective, or reliable. A live demonstration may only show the
positive aspects of the service provider’s security, but not reveal any hidden or potential issues. A live
demonstration may also be subject to manipulation or deception by the service provider.
Option C is not the best answer because third-party security control self-assessment (CSA) results may not
be accurate, complete, or consistent. A self-assessment is a process where the service provider evaluates
its own security controls against a set of criteria or standards. A self-assessment may be biased, subjective,
or incomplete, as the service provider may not disclose or report all the relevant information or issues. A
self-assessment may also vary in quality and scope depending on the service provider’s expertise,
resources, and methodology.
Option D is not the best answer because an independent review report indicating compliance with industry
standards may not be sufficient or specific for the organization’s information security requirements. An
independent review is a process where an external party evaluates the service provider’s security controls
against a set of industry standards or best practices, such as ISO/IEC 27001, NIST CSF, PCI DSS, etc. An
independent review report may provide a general overview of the service provider’s security posture, but
not address the organization’s unique or specific security needs, risks, or expectations. An independent
review report may also be outdated, limited, or generic, as the industry standards or best practices may not
reflect the current or emerging security threats or trends. References = CISM Review Manual 15th Edition1,
pages 257-258; CISM Review Questions, Answers & Explanations Database - 12 Month Subscription, QID
301.
An independent review report indicating compliance with industry standards BEST provides an information
security manager with sufficient assurance that a service provider complies with the organization’s
information security requirements. This is because an independent review report is an objective and
reliable source of evidence that the service provider has implemented and maintained effective security
controls that meet the industry standards and best practices. An independent review report can also
provide assurance that the service provider has addressed any gaps or weaknesses identified in previous
audits or assessments.

20
Q
  1. Which of the following incident response phases involves actions to help safeguard critical systems while
    maintaining business operations?

A. Recovery
B. Identification
C. Containment
D. Preparation

A

Answer: C

21
Q
  1. Which of the following is the MOST important outcome of a post-incident review?

A. The impact of the incident is reported to senior management.
B. The system affected by the incident is restored to its prior state.
C. The person responsible for the incident is identified.
D. The root cause of the incident is determined.

A

Answer: D

Explanation:
Determining the root cause of the incident is essential for preventing or minimizing the recurrence of similar
incidents, as well as for identifying and implementing corrective actions to improve the security posture of
the organization.
References = CISM Review Manual 2022, page 3121; CISM Exam Content Outline, Domain 4, Task 4.3

22
Q
  1. Which of the following should be done FIRST when establishing an information security governance
    framework?

A. Evaluate information security tools and skills relevant for the environment.
B. Gain an understanding of the business and cultural attributes.
C. Contract a third party to conduct an independent review of the program.
D. Conduct a cost-benefit analysis of the framework.

A

Answer: B

23
Q
  1. After logging in to a web application, additional authentication is checked at various application points.
    Which of the following is the PRIMARY reason for such an approach?

A. To ensure access rights meet classification requirements
B. To facilitate the analysis of application logs
C. To ensure web application availability
D. To support strong two-factor authentication protocols

A

Answer: A

24
Q
  1. An organization has updated its business goals in the middle of the fiscal year to respond to changes in
    market conditions. Which of the following is MOST important for the information security manager to update
    in support of the new goals?

A. Information security threat profile
B. Information security policy
C. Information security objectives
D. Information security strategy

A

Answer: D

25
Q
  1. Which of the following is the PRIMARY objective of information asset classification?

A. Vulnerability reduction
B. Compliance management
C. Risk management
D. Threat minimization

A

Answer: C

Explanation:
The primary objective of information asset classification is C. Risk management. This is because
information asset classification is a process of assigning labels or categories to information assets based
on their value, sensitivity, and criticality to the organization. Information asset classification helps the
organization to identify, assess, and treat the risks associated with the information assets, and to apply the
appropriate level of protection and controls to them. Information asset classification also helps the
organization to comply with the legal, regulatory, and contractual obligations regarding the information
assets, and to optimize the use of resources and costs for information security.
References = CISM Review Manual 15th Edition, Chapter 2, Section 2.2.1, page 751; CISM Review
Questions, Answers & Explanations Manual 9th Edition, Question 7, page 3; Certified Information Security
Manager Exam Prep Guide - Packt Subscription2

26
Q
  1. Which of the following is the MOST important objective when planning an incident response program?

A. Managing resources
B. Ensuring IT resiliency
C. Recovering from a disaster
D. Minimizing business impact

A

Answer: D

27
Q
  1. Which of the following would be the GREATEST obstacle to implementing incident
    notification and escalation processes in an organization with high turnover?

A. Lack of knowledgeable personnel
B. Lack of communication processes
C. Lack of process documentation
D. Lack of alignment with organizational goals

A

Answer: A

28
Q
  1. An employee clicked on a malicious link in an email that resulted in compromising company data. What is
    the BEST way to mitigate this risk in the future?

A. Conduct phishing awareness training.
B. Implement disciplinary procedures.
C. Establish an acceptable use policy.
D. Assess and update spam filtering rules.

A

Answer: A

Explanation:
Phishing awareness training is the best way to mitigate the risk of employees clicking on malicious links in
emails, as it educates them on how to recognize and avoid phishing attempts. (From CISM Review Manual
15th Edition)
References: CISM Review Manual 15th Edition, page 179, section 4.3.2.2.

29
Q
  1. An organization’s information security manager is performing a post-incident review of a security incident in
    which the following events occurred:
    • A bad actor broke into a business-critical FTP server by brute forcing an administrative password
    • The third-party service provider hosting the server sent an automated alert message to the help desk, but
    was ignored
    • The bad actor could not access the administrator console, but was exposed to encrypted
    data transferred to the server
    • After three hours, the bad actor deleted the FTP directory, causing incoming FTP attempts by legitimate
    customers to fail
    Which of the following could have been prevented by conducting regular incident response testing?

A. Ignored alert messages
B. The server being compromised
C. The brute force attack
D. Stolen data

A

Answer: A

Explanation: Ignored alert messages could have been prevented by conducting regular incident response
testing because it would have ensured that the help desk staff are familiar with and trained on how to
handle different types of alert messages from different sources, and how to escalate them appropriately.
The server being compromised could not have been prevented by conducting regular incident response
testing because it is related to security vulnerabilities or weaknesses in the server configuration or
authentication mechanisms. The brute force attack could not have been prevented by conducting regular
incident response testing because it is related to security threats or attacks from external sources. Stolen
data could not have been prevented by conducting regular incident response testing because it is related to
security breaches or incidents that may occur despite the incident response plan or process. References:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-response-lessons-learned
https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/incident-response-lessons-learned

30
Q
  1. Which of the following would be MOST helpful when creating information security policies?

A. The information security framework
B. Business impact analysis (BIA)
C. Information security metrics
D. Risk assessment results

A

Answer: A

Explanation:
The information security framework is a set of principles, standards, guidelines, and best
practices that define the scope, objectives, and requirements for information security in an organization.
The information security framework is most helpful when creating information security policies because it
provides a consistent and coherent approach to managing information security risks, aligning with business
goals and strategy, and complying with relevant laws and regulations. The information security framework
also helps to establish the roles, responsibilities, and accountability of all stakeholders involved in
information security governance, management, and operations.
References = CISM Manual1, Chapter 3: Information Security Program Development (ISPD), Section 3.1:
Information Security Framework2
1: https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles 2: 1

31
Q
  1. An organization wants to integrate information security into its HR management processes. Which of the
    following should be the FIRST step?

A. Benchmark the processes with best practice to identify gaps.
B. Calculate the return on investment (ROI).
C. Provide security awareness training to HR.
D. Assess the business objectives of the processes.

A

Answer: D

Explanation: The first step when integrating information security into HR management processes is to
assess the business objectives of the processes, which means understanding the purpose, scope, and
expected outcomes of the HR functions and activities, and how they relate to the organization’s strategy
and goals. The assessment will help to identify the information security requirements, risks, and controls
that are relevant and applicable to the HR processes, and to align the information security objectives with
the business objectives.
References = CISM Review Manual 15th Edition, CISM: Overview of domains [updated 2022]

32
Q
  1. Which of the following BEST helps to enable the desired information security culture within an
    organization?

A. Information security awareness training and campaigns
B. Effective information security policies and procedures
C. Delegation of information security roles and responsibilities
D. Incentives for appropriate information security-related behavior

A

Answer: A

Explanation: Information security awareness training and campaigns are the best way to enable the desired
information security culture within an organization because they help to educate, motivate and influence the
behavior and attitude of the employees towards information security. They also help to raise the awareness
of the risks, threats and best practices of information security among the staff and stakeholders.
References = Organizational Culture for Information Security: A Systemic Perspective on the Articulation of
Human, Cultural and Social Systems, CISM Exam Content Outline

33
Q
  1. What is the PRIMARY objective of implementing standard security configurations?

A. Maintain a flexible approach to mitigate potential risk to unsupported systems.
B. Minimize the operational burden of managing and monitoring unsupported systems.
C. Control vulnerabilities and reduce threats from changed configurations.
D. Compare configurations between supported and unsupported systems.

A

Answer: C

Explanation: The primary objective of implementing standard security configurations is to control
vulnerabilities and reduce threats from changed configurations. Standard security configurations are the
baseline settings and parameters that define the desired security level and functionality of information
systems and devices. By implementing standard security configurations, the organization can ensure that
the information systems and devices are configured in a consistent and secure manner, and that any
deviations or changes from the standard are detected and corrected. This can help to prevent or mitigate
potential security incidents caused by misconfigurations, unauthorized modifications, or malicious attacks.
References: The CISM Review Manual 2023 states that “the information security manager is responsible
for ensuring that the security configuration of information systems is in compliance with the security policies
and standards of the organization” and that “the information security manager should establish and
implement standard security configurations for information systems and devices, and monitor and review
the security configuration on a regular basis and take corrective actions when deviations or violations are
detected” (p. 138). The CISM Review Questions, Answers & Explanations Manual 2023 also provides the
following rationale for this Answer: “Control vulnerabilities and reduce threats from changed configurations
is the correct answer because it is the primary objective of implementing standard security configurations,
as it helps to maintain the security posture and functionality of information systems and devices, and to
prevent or mitigate potential security incidents caused by misconfigurations, unauthorized modifications, or
malicious attacks” (p. 63). Additionally, the article Standard Security Configurations from the ISACA Journal
2017 states that “standard security configurations are the baseline settings and parameters that define the
desired security level and functionality of information systems and devices” and that “standard security
configurations can help to control vulnerabilities and reduce threats from changed configurations by
ensuring that the information systems and devices are configured in a consistent and secure manner, and
that any deviations or changes from the standard are detected and corrected” (p. 1)

34
Q
  1. Which of the following should an information security manager do NEXT after creating a roadmap to
    execute the strategy for an information security program?

A. Obtain consensus on the strategy from the executive board.
B. Review alignment with business goals.
C. Define organizational risk tolerance.
D. Develop a project plan to implement the strategy.

A

Answer: D

Explanation:
The next thing that an information security manager should do after creating a roadmap to execute the
strategy for an information security program is D. Develop a project plan to implement the strategy. A
project plan is a detailed document that outlines the scope, objectives, deliverables, milestones, tasks,
resources, roles, responsibilities, risks, and dependencies of the implementation process. A project plan
can help the information security manager to organize, coordinate, monitor, and control the activities and
resources required to execute the strategy and achieve the desired outcomes. A project plan can also
facilitate communication, collaboration, and reporting among the project team, stakeholders, and sponsors.
(From CISM Manual or related resources)
References = CISM Review Manual 15th Edition, Chapter 3, Section 3.1.2, page 1281; CISM Review
Questions, Answers & Explanations Manual 9th Edition, Question 74, page 19

35
Q
  1. The effectiveness of an incident response team will be GREATEST when:

A. the incident response team members are trained security personnel.
B. the incident response process is updated based on lessons learned.
C. incidents are identified using a security information and event monitoring (SIEM) system.

A

Answer: C

36
Q
  1. Which of the following should be the PRIMARY focus of a lessons learned exercise following a successful
    response to a cybersecurity incident?

A. Establishing the root cause of the incident
B. Identifying attack vectors utilized in the incident
C. When business operations were restored after the incident
D. How incident management processes were executed

A

Answer: D

Explanation:
The primary focus of a lessons learned exercise following a successful response to a cybersecurity incident
is to evaluate how the incident management processes were executed, and to identify the strengths,
weaknesses, best practices, and improvement opportunities for future incidents. A lessons learned
exercise is not meant to determine the root cause, the attack vectors, or the recovery time of the incident,
but rather to assess the performance and effectiveness of the incident response team and the incident
response plan.
References: The CISM Review Manual 2023 states that “post-incident reviews are an essential part of the
incident response process” and that “they provide an opportunity to assess the performance of the incident
response team, identify areas for improvement, and document lessons learned and best practices” (p. 191).
The CISM Review Questions, Answers & Explanations Manual 2023 also provides the following rationale
for this Answer: “How incident management processes were executed is the correct answer because it is
the primary focus of a lessons learned exercise, which aims to evaluate the incident response capability
and to implement corrective actions and improvement plans” (p. 97). Additionally, the Cybersecurity
Incident Response Exercise Guidance article from the ISACA Journal 2022 states that “The AAR
[after-action review] should include the date and time of the exercise, a list of participants, scenario
descriptions, findings (generic and specific), observations with recommendations, lessons learned and an
evaluation of the exercise (strengths, weaknesses, lessons learned)” (p. 3)1

37
Q
  1. How would the information security program BEST support the adoption of emerging technologies?

A. Conducting a control assessment
B. Developing an emerging technology roadmap
C. Providing effective risk governance
D. Developing an acceptable use policy

A

Answer: B

Explanation: An emerging technology roadmap is a strategic plan that identifies the potential benefits, risks,
and challenges of adopting new technologies in alignment with the organization’s goals and objectives. It
also defines the roles and responsibilities, processes, and controls for managing the technology lifecycle,
from evaluation to implementation to maintenance. An emerging technology roadmap can help the
information security program support the adoption of emerging technologies by ensuring that security
requirements are considered and addressed at every stage, and that the technologies are aligned with the
organization’s risk appetite and compliance obligations.
References = CISM Review Manual, 15th Edition, page 97; Privacy, Security and Bias in Emerging
Technologies; The Impact of Emerging Technology on the Future of Cybersecurity

38
Q
  1. Which is MOST important to identify when developing an effective information security strategy?

A. Security awareness training needs
B. Potential savings resulting from security governance
C. Business assets to be secured
D. Residual risk levels

A

Answer: C

Explanation:
Business assets are the resources that enable the organization to achieve its objectives and create value.
Identifying the business assets to be secured is the most important step in developing an effective
information security strategy, as it helps to align the security goals with the business goals, prioritize the
security efforts and resources, and define the scope and boundaries of the security program. (From CISM
Review Manual 15th Edition) References: CISM Review Manual 15th Edition, page 27, section 1.2.1.

39
Q
  1. An organization has introduced a new bring your own device (BYOD) program. The security manager has
    determined that a small number of employees are utilizing free cloud storage services to store company
    data through their mobile devices. Which of the following is the MOST effective course of action?

A. Allow the practice to continue temporarily for monitoring purposes.
B. Disable the employees’ remote access to company email and data
C. Initiate remote wipe of the devices
D. Assess the business need to provide a secure solution

A

Answer: D

Explanation: The most effective course of action when employees are using free cloud storage services to
store company data through their mobile devices is to assess the business need to provide a secure
solution, such as a corporate-approved cloud service or a virtual desktop environment. Assessing the
business need can help understand why employees are using free cloud storage services, what kind of
data they are storing, and what are the security risks and requirements. Based on the assessment, the
security manager can propose a secure solution that meets the business needs and complies with the
BYOD policy. The other options, such as allowing the practice to continue, disabling remote access, or
initiating remote wipe, may not address the underlying business need or may cause disruption or data loss.
References:
✑ https://www.digitalguardian.com/blog/byod-security-expert-tips-policy-mitigating-risks-preventing-breach
✑ https://news.microsoft.com/en-xm/2021/03/18/how-to-have-secure-remote-working-with-a-byod-policy/
✑ https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/infosec-guide-bring-your-own-device-byod

40
Q
  1. Which of the following is BEST to include in a business case when the return on investment (ROI) for an
    information security initiative is difficult to calculate?

A. Projected increase in maturity level
B. Estimated reduction in risk
C. Projected costs over time
D. Estimated increase in efficiency

A

Answer: B

Explanation: The best thing to include in a business case when the return on investment (ROI) for an
information security initiative is difficult to calculate is an estimated reduction in risk. Risk reduction is the
expected benefit of implementing an information security initiative, as it reduces the likelihood and impact of
threats and vulnerabilities that may
affect the organization’s information assets and systems. By estimating the reduction in risk, the information
security manager can demonstrate the value and benefits of the information security initiative to the
organization’s performance, reputation, and competitiveness. The information security manager can also
compare the estimated reduction in risk with the estimated cost of the information security initiative to
determine its cost-effectiveness and feasibility. The other options are not the best thing to include in a
business case, although they may be some inputs or outputs of the risk assessment process. A projected
increase in maturity level is a potential outcome of implementing an information security initiative, as it
improves the organization’s capabilities and processes for managing information security risks. However, it
does not necessarily reflect the actual reduction in risk or the ROI of the information security initiative. A
projected cost over time is a component of calculating the ROI of an information security initiative, as it
reflects the total cost of ownership and maintenance of the initiative. However, it does not indicate the
expected benefit or value of the initiative. An estimated increase in efficiency is a possible benefit of
implementing an information security initiative, as it may enhance the organization’s productivity and
performance. However, it may not be directly related to the reduction in risk or the ROI of the information
security initiative.

41
Q
  1. Which of the following is the PRIMARY reason for executive management to be involved in establishing an
    enterprise’s security management framework?

A. To ensure industry best practices for enterprise security are followed
B. To establish the minimum level of controls needed
C. To determine the desired state of enterprise security
D. To satisfy auditors’ recommendations for enterprise security

A

Answer: C

42
Q
  1. Which of the following considerations is MOST important when selecting a third-party intrusion detection
    system (IDS) vendor?

A. The vendor’s proposal allows for contract modification during technology refresh cycles.
B. The vendor’s proposal aligns with the objectives of the organization.
C. The vendor’s proposal requires the provider to have a business continuity plan (BCP).
D. The vendor’s proposal allows for escrow in the event the third party goes out of business.

A

Answer: B

43
Q
  1. An information security manager has identified that security risks are not being treated in a timely manner.
    Which of the following

A. Provide regular updates about the current state of the risks.
B. Re-perform risk analysis at regular intervals.
C. Assign a risk owner to each risk
D. Create mitigating controls to manage the risks.

A

Answer: B

Explanation: An email digital signature will verify to recipient the integrity of an email message because it
ensures that the message has not been altered or tampered with during transit, and confirms that the
message originated from the sender and not an imposter. An email digital signature will not protect the
confidentiality of an email message because it does not encrypt or hide the message content from
unauthorized parties. An email digital signature will not automatically correct unauthorized modification of
an email message because it does not change or restore the message content if it has been altered or
tampered with. An email digital signature will not prevent unauthorized modification of an email message
because it does not block or stop any attempts to alter or tamper with the message content. References:
https://support.microsoft.com/en-us/office/secure-messages-by-using-a-digital-signature-549ca2f1-a68f-4366-85fa-b3f4b5856fc6
https://www.techtarget.com/searchsecurity/definition/digital-signature

44
Q
  1. After a recovery from a successful malware attack, instances of the malware continue to be discovered.
    Which phase of incident response was not successful?

A. Eradication
B. Recovery
C. Lessons learned review
D. Incident declaration

A

Answer: A

Explanation: Eradication is the phase of incident response where the incident team removes the threat from
the affected systems and restores them to a secure state. If this phase is not successful, the malware may
persist or reappear on the systems, causing further damage or compromise. Therefore, eradication is the
correct answer. References:
✑ https://www.securitymetrics.com/blog/6-phases-incident-response-plan
✑ https://www.atlassian.com/incident-management/incident-response
✑ https://eccouncil.org/cybersecurity-exchange/incident-handling/what-is-incident-response-life-cycle/

45
Q
  1. To prepare for a third-party forensics investigation following an incident involving malware, the incident
    response team should:

A. isolate the infected systems.
B. preserve the evidence.
C. image the infected systems.
D. clean the malware.

A

Answer: B

Explanation:
According to the CISM Review Manual, the incident response team should preserve the evidence as the
first step to prepare for a third-party forensics investigation, as it helps to maintain the integrity and
admissibility of the evidence in a court of law. Preserving the evidence may include isolating and imaging
the infected systems, but these are not the only actions required. Cleaning the malware may destroy or
alter the evidence and should be avoided until the investigation is completed.
References = CISM Review Manual, 27th Edition, Chapter 3, Section 3.6.2, page 165

46
Q
  1. Of the following, who is accountable for data loss in the event of an information security
    incident at a third-party provider?

A. The information security manager
B. The service provider that hosts the data
C. The incident response team
D. The business data owner

A

Answer: D

Explanation: The business data owner is accountable for data loss in the event of an information security
incident at a third-party provider because they are ultimately responsible for the protection and use of their
data, regardless of where it is stored or processed. The information security manager is not accountable for
data loss at a third-party provider, but rather responsible for implementing and enforcing the security
policies and standards that govern the relationship with the provider. The service provider that hosts the
data is not accountable for data loss at their site, but rather liable for any breach of contract or service level
agreement that may result from such an incident. The incident response team is not accountable for data
loss at a third-party provider, but rather responsible for responding to and managing the incident according
to the incident response plan. References:
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-1/data-ownership-and-custodianship-in-the-cloud
https://www.isaca.org/resources/isacajournal/issues/2018/volume-3/incident-response-lessons-learned

47
Q
  1. Which of the following should an information security manager do FIRST after a new cybersecurity
    regulation has been introduced?

A. Conduct a cost-benefit analysis.
B. Consult corporate legal counsel
C. Update the information security policy.
D. Perform a gap analysis.

A

Answer: D

Explanation: When a new cybersecurity regulation has been introduced, an information security manager
should first consult corporate legal counsel to understand the scope, applicability, and implications of the
regulation for the organization. Legal counsel can also advise on the compliance obligations and deadlines,
as well as the potential penalties or sanctions for non-compliance. Based on this information, the
information security manager can then perform a gap analysis to assess the current state of compliance
and identify any areas that need improvement. The information security policy can then be updated
accordingly to reflect the new regulatory requirements. References:
https://www.isaca.org/credentialing/cism
https://www.wiley.com/enus/CISM+Certified+Information+Security+Manager+Study+Guide-p-9781119801948

48
Q
  1. Once a suite of security controls has been successfully implemented for an organization’s business units, it
    is MOST important for the information security manager to:

A. hand over the controls to the relevant business owners.
B. ensure the controls are regularly tested for ongoing effectiveness.
C. perform testing to compare control performance against industry levels.
D. prepare to adapt the controls for future system upgrades.

A

Answer: B

49
Q
  1. Which of the following is the MOST important consideration when briefing executives about the current
    state of the information security program?

A. Including a situational forecast
B. Using appropriate language for the target audience
C. Including trend charts for metrics
D. Using a rating system to demonstrate program effectiveness

A

Answer: B

Explanation: When briefing executives about the current state of the information security program, the
most important consideration is to use appropriate language for the target audience. This means avoiding
technical jargon, acronyms, and details that may confuse or bore the executives, and instead focusing on
the business value, risks, and benefits of the information security program. The other options are not as
important or relevant as using appropriate language, although they may also be useful to include in the
briefing. For example, a situational forecast may be helpful to show the future trends and challenges, but it
is not as essential as communicating the current state clearly and concisely. Similarly, trend charts for
metrics and a rating system to demonstrate program effectiveness may be useful to support the briefing,
but they are not as critical as using language that the executives can understand and relate to.
References =
✑ Information Security Guide for Government Executives, page 7: “Reminding employees of their
responsibilities and demonstrating management’s commitment to the security program are key to
maintaining effective security within the constantly changing information security environment.”
✑ Information security guide for government executives - NIST, page 3: “The executive should
communicate the importance of information security to the organization and its staff, using language that
is meaningful to the target audience.”
✑ Information Security Committee Charter - SecurityStudio, page 1: “The committee also coordinates and
communicates the direction, current state, and oversight of the information security program.”

50
Q
  1. Which of the following is the BEST way to ensure data is not co-mingled or exposed when using a cloud
    service provider?

A. Obtain an independent audit report.
B. Require the provider to follow stringent data classification procedures.
C. Include high penalties for security breaches in the contract.
D. Review the provider’s information security policies.

A

Answer: B

Explanation:
Requiring the provider to follow stringent data classification procedures is the BEST way to ensure data is
not co-mingled or exposed when using a cloud service provider, because it helps to define the sensitivity
and confidentiality levels of the data and the corresponding security controls and access policies that
should be applied. Data classification procedures can help to prevent unauthorized access, disclosure,
modification, or deletion of the data, as well as to segregate the data from other customers’ data.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 72: “Data classification is the process of assigning a
level of sensitivity to data that reflects its importance and the impact of its disclosure, alteration, or
destruction.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 73: “Data classification should be based on the
business requirements for confidentiality, integrity, and availability of the data, and should consider the
legal, regulatory, and contractual obligations of the enterprise.”
Best Practices to Manage Risks in the Cloud - ISACA: “Commingling of data: A big concern many
enterprises have with public cloud services is the commingling of data with that of the cloud provider’s
other customers. One of your first questions should be: “How do you ensure that my data is not
commingled with others?” How does the cloud provider ensure that only your team has access to your
data?”

51
Q
  1. Which of the following BEST helps to ensure the effective execution of an organization’s disaster recovery
    plan (DRP)?

A. The plan is reviewed by senior and IT operational management.
B. The plan is based on industry best practices.
C. Process steps are documented by the disaster recovery team.
D. Procedures are available at the primary and failover location.

A

Answer: D

Explanation:
The best way to ensure the effective execution of a disaster recovery plan (DRP) is to make sure that the
procedures are available at both the primary and the failover location, so that the staff can access them in
case of a disaster. The procedures should be clear, concise, and updated regularly to reflect the current
situation and requirements. Having the procedures available at both locations also helps to avoid confusion
and delays in the recovery process.
References = CISM Review Manual, 16th Edition eBook1, Chapter 9: Business Continuity and Disaster
Recovery, Section: Disaster Recovery Planning, Subsection: Disaster Recovery Plan Development, Page
373.

52
Q
  1. Which of the following would BEST ensure that security risk assessment is integrated into the life cycle of
    major IT projects?

A. Training project managers on risk assessment
B. Having the information security manager participate on the project steering committees
C. Applying global security standards to the IT projects
D. Integrating the risk assessment into the internal audit program

A

Answer: B

53
Q
  1. An organization has multiple data repositories across different departments. The information security
    manager has been tasked with creating an enterprise strategy for protecting data. Which of the following
    information security initiatives should be the HIGHEST priority for the organization?

A. Data masking
B. Data retention strategy
C. Data encryption standards
D. Data loss prevention (DLP)

A

Answer: C

Explanation: Data encryption standards are the best information security initiative for creating an enterprise
strategy for protecting data across multiple data repositories and different departments because they help
to ensure the confidentiality, integrity, and availability of data in transit and at rest. Data encryption is a
process of transforming data into an unreadable format using a secret key or algorithm, so that only
authorized parties can access and decrypt it. Data encryption standards are the rules or specifications that
define how data encryption should be performed, such as the type, strength, and mode of encryption, the
key management and distribution methods, and the compliance requirements. Data encryption standards
help to protect data from unauthorized access, modification, or theft, as well as to meet the regulatory
obligations for data privacy and security. Therefore, data encryption standards are the correct answer.
References:
✑ https://www.techtarget.com/searchdatabackup/tip/20-keys-to-a-successfulenterprise-data-protection-strategy
✑ https://cloudian.com/guides/data-protection/data-protection-strategy-10-components-of-an-effective-strategy/
✑ https://www.veritas.com/information-center/enterprise-data-protection

54
Q
  1. Which of the following roles is accountable for ensuring the impact of a new regulatory framework on a
    business system is assessed?

A. Senior management
B. Application owner
C. Information security manager
D. Legal representative

A

Answer: A

55
Q
  1. When establishing classifications of security incidents for the development of an incident response plan,
    which of the following provides the MOST valuable input?

A. Business impact analysis (BIA) results
B. Vulnerability assessment results
C. The business continuity plan (BCP)
D. Recommendations from senior management

A

Answer: A

56
Q
  1. When testing an incident response plan for recovery from a ransomware attack, which of the following is
    MOST important to verify?

A. Digital currency is immediately available.
B. Network access requires two-factor authentication.
C. Data backups are recoverable from an offsite location.
D. An alternative network link is immediately available.

A

Answer: C

Explanation:
Data backups are recoverable from an offsite location is the most important thing to verify when testing an
incident response plan for recovery from a ransomware attack, as it ensures that the organization can
restore its data and resume its operations without paying the ransom or losing critical information. Data
backups should be performed regularly, stored securely, and tested for integrity and availability. (From
CISM Review Manual 15th Edition)
References: CISM Review Manual 15th Edition, page 191, section 4.3.4.1.

57
Q
  1. The BEST way to report to the board on the effectiveness of the information security program is to present:

A. a dashboard illustrating key performance metrics.
B. a summary of the most recent audit findings.
C. peer-group industry benchmarks.
D. a report of cost savings from process improvements.

A

Answer: A

58
Q
  1. Which of the following should an information security manager do FIRST when a vulnerability has been
    disclosed?

A. Perform a patch update.
B. Conduct a risk assessment.
C. Perform a penetration test.
D. Conduct an impact assessment.

A

Answer: B

Explanation:
According to the CISM Review Manual, the first step an information security manager should take when a
vulnerability has been disclosed is to conduct a risk assessment to determine the likelihood and impact of
the vulnerability being exploited, and the appropriate response strategy. Performing a patch update, a
penetration test or an impact assessment are possible subsequent steps, but not the first one.
References = CISM Review Manual, 27th Edition, Chapter 3, Section 3.3.2, page 1331.

59
Q
  1. The PRIMARY reason for creating a business case when proposing an information security project is to:

A. articulate inherent risks.
B. provide demonstrated return on investment (ROI).
C. establish the value of the project in relation to business objectives.
D. gain key business stakeholder engagement.

A

Answer: C

Explanation: The primary reason for creating a business case when proposing an information security
project is to establish the value of the project in relation to the business objectives and to justify the
investment required. A business case should demonstrate how the project aligns with the organization’s
strategy, goals, and mission, and how it supports the business processes and functions. A business case
should also include the expected benefits, costs, risks, and alternatives of the project, and provide a clear
rationale for choosing the preferred option.
References = CISM Review Manual, 16th Edition eBook1, Chapter 1: Information Security Governance,
Section: Information Security Strategy, Subsection: Business Case Development, Page 33.

60
Q
  1. Which of the following is the BEST way to determine the effectiveness of an incident response plan?

A. Reviewing previous audit reports
B. Conducting a tabletop exercise
C. Benchmarking the plan against best practices
D. Performing a penetration test

A

Answer: B

Explanation: A tabletop exercise is a simulation of a potential incident scenario that involves the key
stakeholders and tests the roles, responsibilities, and procedures of the incident response plan. It is the
best way to determine the effectiveness of the plan because it allows the participants to identify and
address any gaps, weaknesses, or ambiguities in the plan, as well as to evaluate the communication,
coordination, and decision-making processes. A tabletop exercise can also help to raise awareness,
enhance skills, and improve teamwork among the incident response team members and other relevant
parties.

61
Q
  1. Business objectives and organizational risk appetite are MOST useful inputs to the development of
    information security:

A. strategy.
B. risk assessments.
C. key performance indicators (KPIs).
D. standards.

A

Answer: A

62
Q
  1. Several months after the installation of a new firewall with intrusion prevention features to block malicious
    activity, a breach was discovered that came in through the firewall shortly after installation. This breach
    could have been detected earlier by implementing firewall:

A. packet filtering.
B. web surfing controls.
C. log monitoring.
D. application awareness.

A

Answer: C

63
Q
  1. Who is accountable for approving an information security governance framework?

A. The board of directors
B. The chief information security officer (ClSO)
C. The enterprise risk committee
D. The chief information officer (CIO)

A

Answer: A

Explanation:
The board of directors is ultimately responsible for the governance of the organization, including the
approval of the information security governance framework and the oversight of its implementation and
performance. References = CISM Review Manual, 16th Edition, Domain 1: Information Security
Governance, Chapter 2: Establish and Maintain an Information Security Governance Framework, Section:
Roles and Responsibilities of Senior Management and the Board of Directors1

64
Q
  1. To inform a risk treatment decision, which of the following should the information security manager
    compare with the organization’s risk appetite?

A. Gap analysis results
B. Level of residual risk
C. Level of risk treatment
D. Configuration parameters

A

Answer: B

Explanation:
Level of residual risk is the amount of risk that remains after applying risk treatment options, such as
avoidance, mitigation, transfer, or acceptance. The information security manager should compare the level
of residual risk with the organization’s risk appetite, which is the amount of risk that the organization is
willing to accept in pursuit of its objectives. The comparison will help to determine whether the risk
treatment options are sufficient, excessive, or inadequate, and whether further actions are needed to align
the risk level with the risk appetite.
References =
CISM Review Manual, 16th Edition, ISACA, 2020, p. 49: “Residual risk is the risk that remains after risk
treatment.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 43: “Risk appetite is the amount of risk, on a broad
level, that an entity is willing to accept in pursuit of value.”
CISM Review Manual, 16th Edition, ISACA, 2020, p. 50: “The information security manager should
compare the residual risk with the risk appetite and determine whether the risk
treatment options are sufficient, excessive, or inadequate.”

65
Q
  1. During the due diligence phase of an acquisition, the MOST important course of action for an information
    security manager is to:

A. perform a risk assessment.
B. review the state of security awareness.
C. review information security policies.
D. perform a gap analysis.

A

Answer: A

Explanation:
According to the CISM Review Manual, performing a risk assessment is the most important course of
action for an information security manager during the due diligence phase of an acquisition, as it helps to
identify and evaluate the potential threats, vulnerabilities and impacts that may affect the information assets
of the target organization. A risk assessment also provides the basis for performing a gap analysis,
reviewing the information security policies and awareness, and developing a remediation plan.
References = CISM Review Manual, 27th Edition, Chapter 3, Section 3.4.1, page 1411.

66
Q
  1. Which of the following is the PRIMARY benefit achieved when an information security governance
    framework is aligned with corporate governance?

A. Protection of business value and assets
B. Identification of core business strategies
C. Easier entrance into new businesses and technologies
D. Improved regulatory compliance posture

A

Answer: A

Explanation: Information security governance is the process of establishing and maintaining a framework to
provide assurance that information security strategies are aligned with and support business objectives, are
consistent with applicable laws and regulations, and are effectively managed. By aligning information
security governance with corporate governance, the organization can ensure that information security is
integrated into the business processes and decision making, and that the information security risks and
opportunities are properly identified, assessed, and addressed. References = CISM Review Manual, 16th
Edition, Chapter 1, Section 1.1

67
Q
  1. Which of the following is the MOST important constraint to be considered when developing an information
    security strategy?

A. Legal and regulatory requirements
B. Established security policies and standards
C. Compliance with an international security standard
D. Information security architecture

A

Answer: A

Explanation:
Legal and regulatory requirements are the most important constraint to be considered when developing an
information security strategy, as they define the minimum level of security that the organization must
comply with to avoid legal sanctions, fines, or reputational damage. Legal and regulatory requirements may
vary depending on the jurisdiction, industry, and type of data that the organization handles, and they may
impose specific security controls, standards, or frameworks that the organization must
follow. References = CISM Review Manual, 16th Edition, Chapter 1, Section 1.2.1.11

68
Q
  1. What should be the GREATEST concern for an information security manager of a large multinational
    organization when outsourcing data processing to a cloud service provider?

A. Vendor service level agreements (SLAs)
B. Independent review of the vendor
C. Local laws and regulations
D. Backup and restoration of data

A

Answer: C

Explanation: The greatest concern for an information security manager of a large multinational organization
when outsourcing data processing to a cloud service provider is the local laws and regulations that may
apply to the data and the cloud service provider. Local laws and regulations may vary significantly across
different jurisdictions and may impose different requirements or restrictions on the data protection, privacy,
security, sovereignty, retention, disclosure, transfer, or access. These laws and regulations may also create
potential conflicts or inconsistencies with the organization’s own policies, standards, or contractual
obligations. Therefore, an information security manager should conduct a thorough legal and regulatory
analysis before outsourcing data processing to a cloud service provider and ensure that the cloud service
provider complies with all the applicable laws and regulations in the relevant jurisdictions.
References = CISM Manual1, Chapter 3: Information Security Program Development (ISPD), Section 3.1:
Outsourcing2
1: https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles 2: 1
Outsourcing data processing to a cloud service provider may expose the organization to different legal and
regulatory requirements depending on the location of the data and the vendor. This could affect the
organization’s compliance and liability in case of a breach or dispute. Therefore, the information security
manager should be most concerned about the local laws and regulations that apply to the outsourcing
arrangement.

69
Q
  1. Which of the following is necessary to ensure consistent protection for an organization’s information
    assets?

A. Classification model
B. Control assessment
C. Data ownership
D. Regulatory requirements

A

Answer: A

Explanation:
The answer to the question is A. Classification model. This is because a classification model is a system of
assigning labels or categories to information assets based on their value, sensitivity, and criticality to the
organization. A classification model helps to ensure consistent protection for the organization’s information
assets by:
Providing a common language and criteria for defining and communicating the security requirements and
expectations for the information assets
Enabling the identification and prioritization of the information assets that need the most protection and
resources
Facilitating the implementation and enforcement of the appropriate level of security controls and measures
for the information assets, based on their classification
Supporting the compliance with the legal, regulatory, and contractual obligations regarding the information
assets, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and
Accountability Act (HIPAA)
A classification model is a system of assigning labels or categories to information assets based on their
value, sensitivity, and criticality to the organization. A classification model helps to ensure consistent
protection for the organization’s information assets by providing a common language and criteria for
defining and communicating the security requirements and expectations for the information assets,
enabling the identification and prioritization of the information assets that need the most protection and
resources, facilitating the implementation and enforcement of the appropriate level of security controls and
measures for the information assets, based on their classification, and supporting the compliance with the
legal, regulatory, and contractual obligations regarding the information assets. (From CISM Manual or
related resources)
References = CISM Review Manual 15th Edition, Chapter 2, Section 2.2.1, page 751; CISA Domain 5 -
Protection of Information Assets2; CISM domain 3: Information security program development and
management [2022 update]3; CISM Domain 2: Information Risk Management (IRM) [2022 update]4

70
Q
  1. Which of the following is the BEST way to determine if an information security profile is aligned with
    business requirements?

A. Review the key performance indicator (KPI) dashboard
B. Review security-related key risk indicators (KRIs)
C. Review control self-assessment (CSA) results
D. Review periodic security audits

A

Answer: B

Explanation:
Security-related KRIs are metrics that measure the effectiveness of the information security profile in
achieving the business objectives and managing the risks. Reviewing security- related KRIs can help to
determine if the information security profile is aligned with business requirements, as they reflect the
security performance and outcomes that are relevant for the business. Reviewing other options, such as
KPIs, CSAs, or audits, may provide some insights into the security status, but they are not the best way to
assess the alignment with business requirements, as they may not capture the business context and goals
adequately. References:
✑ https://www.nist.gov/cyberframework/examples-framework-profiles
✑ https://www.isaca.org/resources/isaca-journal/issues/2019/volume-5/accountability-for-information-security-roles-and-responsibilities-part-1
✑ https://www.isaca.org/resources/isaca-journal/issues/2017/volume-4/enterprise-security-architecture-a-top-down-approach

71
Q
  1. Which of the following would be MOST useful to help senior management understand the status of
    information security compliance?

A. Industry benchmarks
B. Key performance indicators (KPIs)
C. Business impact analysis (BIA) results
D. Risk assessment results

A

Answer: B

Explanation: Key performance indicators (KPIs) are measurable values that demonstrate how effectively an
organization is achieving its key objectives and goals. KPIs can help senior management understand the
status of information security compliance by providing quantifiable and relevant data on the performance
and progress of the information security program and processes. KPIs can also help senior management to
evaluate the effectiveness and efficiency of the information security controls and activities, identify
strengths and weaknesses, and make informed decisions and adjustments. KPIs should be aligned with the
organization’s strategy, vision, and mission, and should be SMART (specific, measurable, achievable,
relevant, and time-bound). Some examples of
information security KPIs are: percentage of compliance with policies and standards, number of security
incidents and breaches, mean time to detect and respond to incidents, percentage of systems and
applications patched, number of security awareness trainings completed, etc.
Industry benchmarks, business impact analysis (BIA) results, and risk assessment results are not the most
useful to help senior management understand the status of information security compliance, although they
may provide some useful information or insights. Industry benchmarks are comparative measures of the
performance or practices of other organizations in the same industry or sector. Industry benchmarks can
help senior management to compare and contrast their own information security performance or practices
with those of their peers or competitors, and identify gaps or opportunities for improvement. However,
industry benchmarks may not reflect the specific goals, needs, or context of the organization, and may not
be readily available or reliable. Business impact analysis (BIA) results are the outcomes of the process of
analyzing the potential impacts of disruptive events on the organization’s critical business functions and
processes. BIA results can help senior management to understand the dependencies, priorities, and
recovery objectives of the organization’s business functions and processes, and to plan for business
continuity and disaster recovery. However, BIA results do not directly measure or indicate the status of
information security compliance, and may not be updated or accurate. Risk assessment results are the
outcomes of the process of identifying, analyzing, and evaluating the information security risks that the
organization faces. Risk assessment results can help senior management to understand the sources,
causes, and consequences of information security risks, and to determine the appropriate risk responses
and controls. However, risk assessment results do not directly measure or indicate the status of information
security compliance, and may vary depending on the risk assessment methodology, criteria, and frequency.
References = CISM Review Manual, 16th Edition, pages 47-481, 54-551, 69-701, 72-731; CISM Review
Questions, Answers & Explanations Manual, 10th Edition, page 832
Key performance indicators (KPIs) are metrics that measure the effectiveness and efficiency of
information security processes and activities. They help senior management understand the status of
information security compliance by providing relevant, timely and accurate information on the performance
of security controls, the level of risk exposure, the return on security investment and the progress toward
security objectives. KPIs can also be used to benchmark the organization’s security performance against
industry standards or best practices. KPIs should be aligned with the organization’s strategic goals and risk
appetite, and should be reported regularly to senior management and other stakeholders. References:
•1 Key Performance Indicators for Security Governance, Part 1 - ISACA
•2 Key Performance Indicators for Security Governance, Part 2 - ISACA
•3 Compliance Metrics and KPIs For Measuring Compliance Effectiveness - Reciprocity
•4 14 Cybersecurity Metrics + KPIs You Must Track in 2023 - UpGuard

72
Q
  1. Which of the following should be updated FIRST to account for new regulatory requirements that impact
    current information security controls?

A. Control matrix
B. Business impact analysis (BIA)
C. Risk register
D. Information security policy

A

Answer: D

73
Q
  1. The contribution of recovery point objective (RPO) to disaster recovery is to:

A. minimize outage periods.
B. eliminate single points of failure.
C. define backup strategy
D. reduce mean time between failures (MTBF).

A

Answer: C

Explanation: The contribution of recovery point objective (RPO) to disaster recovery is to define backup
strategy because it determines the maximum amount of data loss that is acceptable to an organization after
a disruption, and guides the frequency and type of backups needed to restore the data to a usable format1.
Minimize outage periods is not a contribution of RPO, but rather a contribution of recovery time objective
(RTO), which defines the maximum amount of time that is acceptable to restore normal operations after a
disruption2. Eliminate single points of failure is not a contribution of RPO, but rather a goal of high
availability (HA), which ensures that systems or services are continuously
operational and resilient3. Reduce mean time between failures (MTBF) is not a contribution of RPO, but
rather a measure of reliability, which indicates the average time that a system
or component operates without failure4. References:
1 https://www.druva.com/glossary/what-is-a-recovery-point-objective-definition-and-related-faqs
2 https://www.druva.com/glossary/what-is-a-recovery-time-objective-definition-and-related-faqs
3 https://www.fortinet.com/resources/cyberglossary/high-availability
4 https://www.fortinet.com/resources/cyberglossary/mean-time-between-failures

74
Q
  1. Which of the following is MOST important for the effective implementation of an information security
    governance program?

A. Employees receive customized information security training
B. The program budget is approved and monitored by senior management
C. The program goals are communicated and understood by the organization.
D. Information security roles and responsibilities are documented.

A

Answer: C

Explanation: The program goals are communicated and understood by the organization is the most
important factor for the effective implementation of an information security governance program because it
ensures that the program is aligned with the business objectives and supported by the stakeholders.
Employees receive customized information security training is not the most important factor, but rather a
means to achieve the program goals and raise awareness among the staff. The program budget is
approved and monitored by senior management is not the most important factor, but rather a resource to
enable the program activities and measure its performance. Information security roles and responsibilities
are documented is not the most important factor, but rather a way to define and assign the program tasks
and accountabilities. References:
https://www.isaca.org/resources/isaca-journal/issues/2015/volume-1/how-to-measure-the-effectiveness-of-information-security-governance
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-2/how-to-align-security-initiatives-with-business-goals-and-objectives

75
Q
  1. An information security manager learns that business unit leaders are encouraging increased use of social
    media platforms to reach customers. Which of the following should be done FIRST to help mitigate the risk
    of confidential information being disclosed by employees on social media?

A. Establish an organization-wide social media policy.
B. Develop sanctions for misuse of social media sites.
C. Monitor social media sites visited by employees.
D. Restrict social media access on corporate devices.

A

Answer: A

Explanation: An organization-wide social media policy is a document that defines the rules and guidelines
for using social media platforms within the organization. It covers topics such as who can use social media,
what they can post, how they should protect confidential information, and what are the consequences for
violating the policy. An organization-wide social media policy helps to mitigate the risk of confidential
information being disclosed by employees on social media by providing a clear and consistent framework
for managing social media activities12.
References = 1: CISM Review Manual (Digital Version), page 271 2: CISM Review Manual (Print Version),
page 271

76
Q
  1. Which of the following should be an information security manager’s FIRST course of action when one of the
    organization’s critical third-party providers experiences a data breach?

A. Inform the public relations officer.
B. Inform customers of the breach.
C. Invoke the incident response plan.
D. Monitor the third party’s response.

A

Answer: C

Explanation:
The information security manager’s first course of action when one of the organization’s critical third-party
providers experiences a data breach should be to invoke the incident response plan that has been
established for such scenarios. The incident response plan should define the roles and responsibilities,
communication channels, escalation procedures, and recovery actions for dealing with a third-party data
breach. Invoking the incident response plan will help to contain the impact, assess the damage, coordinate
the response, and restore the normal operations as soon as possible.
References = CISM Review Manual, 16th Edition, page 290

77
Q
  1. Which of the following is MOST appropriate to communicate to senior management regarding information
    risk?

A. Emerging security technologies
B. Risk profile changes
C. Defined risk appetite
D. Vulnerability scanning progress

A

Answer: B

Explanation:
Risk profile changes are the most appropriate to communicate to senior management regarding information
risk because they reflect the current level and nature of the risks that the organization faces and how they
may affect its objectives and performance. Senior management needs to be aware of any changes in the
risk profile so that they can make informed decisions and allocate resources accordingly. Risk profile
changes also help senior management monitor the effectiveness of the risk management process and
identify any gaps or weaknesses that need to be addressed.
References = Communicating Information Security Risk Simply and Effectively, Part 1, CISM Domain 2:
Information Risk Management (IRM) [2022 update]

78
Q
  1. An organization has identified an increased threat of external brute force attacks in its environment. Which
    of the following is the MOST effective way to mitigate this risk to the organization’s critical systems?

A. Implement multi-factor authentication.
B. Increase the frequency of log monitoring and analysis.
C. Implement a security information and event management system (SIEM).
D. Increase the sensitivity of intrusion detection systems (IDSs).

A

Answer: A

Explanation: A brute force attack is a type of cyberattack that attempts to gain unauthorized access to an
account, file, or other protected information by trying different combinations of usernames and passwords
until finding the correct one. Brute force attacks can be very effective if the target system has weak or
default passwords, or if the attacker has access to a large number of potential credentials. To mitigate this
risk, an organization should implement multi-factor authentication (MFA) for its critical systems. MFA is a
security method that requires users to provide more than one piece of evidence to verify their identity before
accessing a system or service. For example, MFA can involve using a password in addition to a code sent
to a phone or email, or using a biometric factor such as a fingerprint or face scan. MFA can significantly
reduce the impact of brute force attacks by making it harder for attackers to guess or obtain valid
credentials, and by increasing the time and effort required for them to compromise the system. References
= CISM Review Manual (Digital Version), Chapter 3: Information Security Risk Management, Section 3.1:
Risk Identification, p. 115-1161. CISM Review Manual (Print Version), Chapter 3:
Information Security Risk Management, Section 3.1: Risk Identification, p. 115-1162. CISM ITEM
DEVELOPMENT GUIDE, Domain 3: Information Security Program Development and Management, Task
Statement 3.1, p. 193.

79
Q
  1. To help ensure that an information security training program is MOST effective, its contents should be:

A. based on recent incidents.
B. based on employees’ roles.
C. aligned to business processes.
D. focused on information security policy.

A

Answer: B

Explanation: To help ensure that an information security training program is MOST effective, its contents
should be based on employees’ roles, as different roles have different information security responsibilities,
needs, and risks. A role-based training program can tailor the content and delivery methods to suit the
specific learning objectives and outcomes for each role, and enhance the relevance and retention of the
information security knowledge and skills. Based on recent incidents is not the best answer, as it may not
cover all the information security topics that are important for the organization, and may not address the
root causes or preventive measures of the incidents. Based on employees’ roles is more comprehensive
and proactive than based on recent incidents. Aligned to business processes is not the best answer, as it
may not reflect the individual roles and
responsibilities of the employees, and may not cover all the information security aspects that are relevant
for the organization. Based on employees’ roles is more specific and personalized than aligned to business
processes. Focused on information security policy is not the best answer, as it may not provide sufficient
details or examples to help the employees understand and apply the information security policy in their
daily work. Based on employees’ roles is more practical and engaging than focused on information security
policy. References = CISM Review Manual, 16th Edition, page 2241; CISM Review Questions, Answers &
Explanations Manual, 10th Edition, page 1002
To help ensure that an information security training program is MOST effective, its contents should be
based on employees’ roles. This is because different roles have different responsibilities and access levels
to information and systems, and therefore face different types of threats and risks. By tailoring the training
content to the specific needs and expectations of each role, the training program can increase the
relevance and retention of the information security knowledge and skills for the employees. Role-based
training can also help employees understand their accountability and obligations for protecting information
assets in their daily tasks

80
Q
  1. Within the confidentiality, integrity, and availability (CIA) triad, which of the following activities BEST
    supports the concept of
    confidentiality?

A. Ensuring hashing of administrator credentials
B. Enforcing service level agreements (SLAs)
C. Ensuring encryption for data in transit
D. Utilizing a formal change management process

A

Answer: C

Explanation: Ensuring encryption for data in transit is the best activity that supports the concept of
confidentiality within the CIA triad, as it protects the data from unauthorized access or interception while it is
being transmitted over a network. Encryption is a technique that transforms data into an unreadable form
using a secret key, so that only authorized parties who have the key can decrypt and access the data.
Encryption standards include AES (Advanced Encryption Standard) and DES (Data Encryption Standard).
References = CISM Review Manual 2022, page 321; CISM Exam Content Outline, Domain 1, Knowledge
Statement 1.12; The CIA triad: Definition, components and examples3; CIA Triad - GeeksforGeeks4

81
Q
  1. A newly appointed information security manager has been asked to update all security- related policies and
    procedures that have been static for five years or more. What should be done NEXT?

A. Gain an understanding of the current business direction.
B. Perform a risk assessment of the current IT environment.
C. Inventory and review current security policies.
D. Update in accordance with the best business practices.

A

Answer: C

82
Q
  1. Which of the following should be an information security manager’s FIRST course of action when one of the
    organization’s critical third-party providers experiences a data breach?

A. Inform the public relations officer.
B. Monitor the third party’s response.
C. Invoke the incident response plan.
D. Inform customers of the breach.

A

Answer: C

Explanation: The first course of action when one of the organization’s critical third-party providers
experiences a data breach is to invoke the incident response plan, which means activating the incident
response team and following the predefined procedures and protocols to respond to the breach. Invoking
the incident response plan helps to coordinate the communication and collaboration with the third-party
provider, assess the scope and impact of the breach, contain and eradicate the threat, recover the affected
systems and data, and report and disclose the incident to the relevant stakeholders and authorities.
References = Cybersecurity Incident Response Exercise Guidance - ISACA, Plan for third- party
cybersecurity incident management

83
Q
  1. Which of the following should an information security manager do FIRST after learning through mass media
    of a data breach at the organization’s hosted payroll service provider?

A. Suspend the data exchange with the provider
B. Notify appropriate regulatory authorities of the breach.
C. Initiate the business continuity plan (BCP)
D. Validate the breach with the provider

A

Answer: D

Explanation:
The first thing an information security manager should do after learning through mass media of a data
breach at the organization’s hosted payroll service provider is to validate the breach with the provider,
which means contacting the provider directly and confirming the details and scope of the breach, such as
when it occurred, what data was compromised, and what actions the provider is taking to mitigate the
impact. Validating the breach with the provider can help the information security manager assess the
situation accurately and plan the next steps accordingly. The other options, such as suspending the data
exchange, notifying regulatory authorities, or initiating the business continuity plan, may be premature or
unnecessary before validating the breach with the provider. References:
✑ https://www.wired.com/story/sequoia-hr-data-breach/
✑ https://cybernews.com/news/kronos-major-hr-and-payroll-service-provider-hit-with-ransomware-warns-of-a-long-outage/
✑ https://www.afr.com/work-and-careers/workplace/pay-in-crisis-as-major-payroll-company-hacked-20211117-p599mr

84
Q
  1. Which of the following BEST facilitates the effectiveness of cybersecurity incident response?

A. Utilizing a security information and event management (SIEM) tool.
B. Utilizing industry-leading network penetration testing tools.
C. Increasing communication with all incident response stakeholders.
D. Continuously updating signatures of the anti-malware solution.

A

Answer: C

Explanation:
Communication is a key factor for the effectiveness of cybersecurity incident response, as it ensures that all
relevant parties are informed, coordinated, and aligned on the incident status, impact, actions, and
responsibilities. Communication also helps to maintain trust, confidence, and transparency among the
stakeholders, such as senior management, business units, customers, regulators, law enforcement, and
media. References = CISM Review Manual, 16th Edition, Chapter 5, Section 5.4.2.11

85
Q
  1. When an organization lacks internal expertise to conduct highly technical forensics investigations, what is
    the BEST way to ensure effective and timely investigations following an information security incident?

A. Purchase forensic standard operating procedures.
B. Provide forensics training to the information security team.
C. Ensure the incident response policy allows hiring a forensics firm.
D. Retain a forensics firm prior to experiencing an incident.

A

Answer: C

86
Q
  1. When establishing an information security governance framework, it is MOST important for an information
    security manager to understand:

A. information security best practices.
B. risk management techniques.
C. the threat environment.
D. the corporate culture.

A

Answer: D

87
Q
  1. Which of the following is the MOST effective way to determine the alignment of an information security
    program with the business strategy?

A. Evaluate the results of business continuity testing.
B. Review key performance indicators (KPIs).
C. Evaluate the business impact of incidents.
D. Engage business process owners.

A

Answer: D

Explanation:
The most effective way to determine the alignment of an information security program with the business
strategy is D. Engage business process owners. This is because business process owners are the key
stakeholders who are responsible for defining, executing, and monitoring the business processes that
support the organization’s mission, vision, and goals. By engaging them, the information security manager
can understand their needs, expectations, and challenges, and ensure that the information security
program is aligned with their requirements and objectives. Engaging business process owners can also
help to establish trust, collaboration, and communication between the information security function and the
business units, and foster a culture of security awareness and accountability. (From CISM Manual or related
resources)
References = CISM Review Manual 15th Edition, Chapter 1, Section 1.2.2, page 201; CISM Review
Questions, Answers & Explanations Manual 9th Edition, Question 78, page 20

88
Q
  1. Which of the following has the GREATEST influence on the successful integration of information security
    within the business?

A. Organizational structure and culture
B. Risk tolerance and organizational objectives
C. The desired state of the organization
D. Information security personnel

A

Answer: A

Explanation: The factor that has the greatest influence on the successful integration of information security
within the business is organizational structure and culture because they determine how information security
is organized, governed, and supported within the organization, and how information security roles and
responsibilities are defined, assigned, and communicated across different levels and functions. Risk
tolerance and organizational objectives are not very influential because they do not affect how information
security is integrated within the business, but rather what information security aims to achieve or protect.
The desired state of the organization is not very influential because it does not affect how information
security is integrated within the business, but rather what the organization aspires to be or do. Information
security personnel are not very influential because they do not affect how information security is integrated
within the business, but rather who performs information security tasks or activities.
References:
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/technical-securitystandards-for-information-systems
https://www.isaca.org/resources/isacajournal/issues/2017/volume-2/how-to-align-security-initiatives-with-business-goals-and-objectives

89
Q
  1. Application data integrity risk is MOST directly addressed by a design that includes:

A. reconciliation routines such as checksums, hash totals, and record counts.
B. strict application of an authorized data dictionary.
C. application log requirements such as field-level audit trails and user activity logs.
D. access control technologies such as role-based entitlements.

A

Answer: A

Explanation:
Reconciliation routines are methods to verify the integrity of data by comparing the input and output of a
process or a system. They can detect errors, omissions, duplications or unauthorized modifications of data.
They are more directly related to data integrity than the other options, which are more concerned with data
definition, logging or access control.
References = CISM Review Manual, 16th Edition, Chapter 3, Section 3.4.21

90
Q
  1. Which of the following is the PRIMARY reason to assign a risk owner in an organization?

A. To remediate residual risk
B. To define responsibilities
C. To ensure accountability
D. To identify emerging risk

A

Answer: C

Explanation:
The primary reason to assign a risk owner in an organization is to ensure accountability for the risk and its
treatment. A risk owner is a person or entity that has the authority and responsibility to manage a specific
risk and to implement the appropriate risk response actions. By assigning a risk owner, the organization
can ensure that the risk is monitored, reported, and controlled in accordance with the organization’s risk
appetite and tolerance. References: The CISM Review Manual 2023 defines risk owner as “the person or
entity with the accountability and authority to manage a risk” and states that “the risk owner is responsible
for ensuring that the risk is treated in a manner consistent with the enterprise’s risk appetite and tolerance”
(p. 93). The CISM Review Questions, Answers & Explanations Manual 2023 also provides the following
rationale for this answer: “To ensure accountability is the correct answer because it is the primary reason to
assign a risk owner in an organization, as it ensures that the risk and its treatment are managed by a
person or entity that has the authority and responsibility to do so” (p. 29). Additionally, the article Risk
Ownership: The First Step of Effective Risk Management from the ISACA Journal 2019 states that “risk
ownership is the first and most important step of effective risk management” and that “risk ownership
ensures that there is clear accountability and responsibility for each risk and that risk owners are
empowered to make risk decisions and implement risk responses” (p. 1)

91
Q
  1. A new application has entered the production environment with deficient technical security controls. Which
    of the following is MOST likely the root cause?

A. Inadequate incident response controls
B. Lack of legal review
C. Inadequate change control
D. Lack of quality control

A

Answer: C

Explanation: Change control is the process of ensuring that changes to an information system are
authorized, tested, documented and implemented in a controlled manner. Inadequate change control can
result in deficient technical security controls, such as missing patches, misconfigurations, vulnerabilities or
errors in the new application. References = CISM Review Manual, 27th Edition, Chapter 4, Section 4.3.2,
page 2291

92
Q
  1. Which of the following is the BEST indicator of the maturity level of a vendor risk management process?

A. Average time required to complete the vendor risk management process
B. Percentage of vendors that have gone through the vendor onboarding process
C. Percentage of vendors that are regularly reviewed against defined criteria
D. Number of vendors rejected because of security review results

A

Answer: C

Explanation:
The percentage of vendors that are regularly reviewed against defined criteria is the best indicator of the
maturity level of a vendor risk management process, as it reflects the extent to which the organization has
established and implemented a consistent, repeatable, and effective process to monitor and evaluate the
security performance and compliance of its vendors. A high percentage indicates a mature process that
covers all vendors and applies clear and relevant criteria based on the organization’s risk appetite and
objectives. A low percentage indicates a less mature process that may be ad hoc, incomplete, or outdated.
(From CISM Review Manual 15th Edition)
References: CISM Review Manual 15th Edition, page 184, section 4.3.3.2.

93
Q
  1. When developing an incident escalation process, the BEST approach is to classify incidents based on:

A. estimated time to recover.
B. information assets affected.
C. recovery point objectives (RPOs).
D. their root causes.

A

Answer: B

Explanation: The best approach to developing an incident escalation process is to classify incidents based
on the information assets affected, because this will help to determine the impact and severity of the
incidents, as well as the appropriate response and recovery actions. The information assets affected by an
incident can indicate the potential loss of confidentiality, integrity, or availability of the information, as well
as the legal, regulatory, contractual, or reputational implications. By classifying incidents based on the
information assets affected, the organization can prioritize the incidents and escalate them to the relevant
stakeholders and authorities.
References = CISM Review Manual, 16th Edition, page 2901; A Practical Approach to Incident
Management Escalation2