Text preview & study summary

ISACA CISM - Certified Information Security Manager - Governance Risk Management Security Program Incident Management

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

An information security manager is presenting the security program's value to the board of directors. Which METRICS are most meaningful to board-level stakeholders?

Answer choices

  • A. Number of security incidents, firewall rules reviewed, and vulnerability scan completion rates

  • B. Risk reduction trends, percentage of compliance requirements met, security investment ROI, and business impact of security incidents (Correct)

  • C. Mean time to detect (MTTD), mean time to respond (MTTR), and number of security patches applied

  • D. Number of phishing emails blocked, malware detections per month, and IDS/IPS alerts triggered

Explanation

Board members are concerned with business outcomes, risk, and value — not technical metrics. Relevant board metrics include: risk reduction over time (alignment with risk appetite), compliance posture (regulatory/legal exposure), ROI of security investments (business value), and business impact of incidents (financial, reputational). Technical metrics (options A, C, D) are valuable for operational security teams and middle management but are too granular for board-level discussions. The CISM domain emphasizes translating security into business language.

Question 2

A security manager is working with the legal team to negotiate a cloud services agreement. Which security consideration is MOST important to address in the contract?

Answer choices

  • A. The cloud provider's employee headcount and office locations

  • B. Data ownership, jurisdiction, breach notification timelines, right-to-audit clauses, data deletion upon termination, and security standards compliance (SOC 2, ISO 27001) (Correct)

  • C. The cloud provider's marketing claims about security features

  • D. Discount pricing for multi-year security services commitments

Explanation

Cloud services agreements must address key security provisions: (1) data ownership — you own your data, not the provider, (2) jurisdiction — where data is stored and processed (GDPR, data sovereignty), (3) breach notification — contractual obligation to notify within specific timeframes, (4) right-to-audit — ability to verify security controls, (5) data deletion — certified deletion upon contract termination, (6) security standards — SLAs and compliance certifications. These contractual requirements protect the organization when using third-party cloud services and define accountability.

Question 3

An information security manager is developing business continuity and disaster recovery plans. What is the PRIMARY purpose of defining Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)?

Answer choices

  • A. To measure the security team's performance during disaster recovery exercises

  • B. To establish business-driven requirements that determine acceptable downtime and data loss, which drive technical recovery solution selection and investment decisions (Correct)

  • C. To comply with regulatory requirements for documented recovery procedures

  • D. To set expectations with customers about service availability during disasters

Explanation

RTO (maximum acceptable downtime) and RPO (maximum acceptable data loss) are business requirements derived from business impact analysis (BIA). They quantify what the organization can tolerate in terms of downtime and data loss, which directly drives technical decisions: backup frequency, replication strategies, failover technology, and budget allocation. An RTO of 4 hours requires different (and more expensive) solutions than an RTO of 24 hours. These are business decisions, not IT decisions — the business owns the risk and the recovery requirements.

Question 4

A newly appointed CISO is tasked with establishing an information security governance framework. The organization has no formal security program. What is the MOST important first step?

Answer choices

  • A. Purchase and deploy a SIEM solution to begin monitoring for threats

  • B. Conduct a comprehensive risk assessment to identify and prioritize security risks relative to business objectives

  • C. Develop an information security strategy aligned with business objectives and obtain senior management commitment (Correct)

  • D. Hire additional security analysts to perform monitoring and response activities

Explanation

Information security governance begins with strategy development aligned to business objectives and obtaining senior management commitment and support. Without executive sponsorship and strategic direction, security initiatives lack authority, funding, and organizational support. The security strategy defines the program's vision, goals, and roadmap. Risk assessment (option B) is the next step after establishing strategic direction — you need to know what you're protecting and why before assessing risks.

Question 5

During an internal audit, an auditor reports that the information security policy has not been reviewed in 3 years and contains outdated references to legacy systems that no longer exist. What is the security manager's MOST appropriate response?

Answer choices

  • A. Update the policy to remove outdated references and mark it as current

  • B. Initiate a comprehensive policy review involving stakeholders, update content to reflect current environment and threats, obtain management approval, and establish an annual review cycle (Correct)

  • C. Inform the auditor that policies don't need frequent updates if the organization hasn't changed significantly

  • D. Engage a consulting firm to rewrite all security policies from scratch

Explanation

Security policies must remain current and relevant. The appropriate response: (1) initiate a full policy review (not just cosmetic updates), (2) involve key stakeholders (IT, legal, HR, business units), (3) update to reflect current systems, threats, and regulatory requirements, (4) obtain management approval and communicate changes, (5) establish an annual (or change-triggered) review cycle. Simply removing outdated references (option A) may miss substantive gaps. Policies that don't reflect current reality are both ineffective and potentially misleading to auditors and regulators.