Text preview & study summary
ISACA CISM - Certified Information Security Manager - Governance Risk Management Security Program Incident Management
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
An information security manager is presenting the security program's value to the board of directors. Which METRICS are most meaningful to board-level stakeholders?
Explanation
Board members are concerned with business outcomes, risk, and value — not technical metrics. Relevant board metrics include: risk reduction over time (alignment with risk appetite), compliance posture (regulatory/legal exposure), ROI of security investments (business value), and business impact of incidents (financial, reputational). Technical metrics (options A, C, D) are valuable for operational security teams and middle management but are too granular for board-level discussions. The CISM domain emphasizes translating security into business language.
Question 2
A security manager is working with the legal team to negotiate a cloud services agreement. Which security consideration is MOST important to address in the contract?
Explanation
Cloud services agreements must address key security provisions: (1) data ownership — you own your data, not the provider, (2) jurisdiction — where data is stored and processed (GDPR, data sovereignty), (3) breach notification — contractual obligation to notify within specific timeframes, (4) right-to-audit — ability to verify security controls, (5) data deletion — certified deletion upon contract termination, (6) security standards — SLAs and compliance certifications. These contractual requirements protect the organization when using third-party cloud services and define accountability.
Question 3
An information security manager is developing business continuity and disaster recovery plans. What is the PRIMARY purpose of defining Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)?
Explanation
RTO (maximum acceptable downtime) and RPO (maximum acceptable data loss) are business requirements derived from business impact analysis (BIA). They quantify what the organization can tolerate in terms of downtime and data loss, which directly drives technical decisions: backup frequency, replication strategies, failover technology, and budget allocation. An RTO of 4 hours requires different (and more expensive) solutions than an RTO of 24 hours. These are business decisions, not IT decisions — the business owns the risk and the recovery requirements.
Question 4
A newly appointed CISO is tasked with establishing an information security governance framework. The organization has no formal security program. What is the MOST important first step?
Explanation
Information security governance begins with strategy development aligned to business objectives and obtaining senior management commitment and support. Without executive sponsorship and strategic direction, security initiatives lack authority, funding, and organizational support. The security strategy defines the program's vision, goals, and roadmap. Risk assessment (option B) is the next step after establishing strategic direction — you need to know what you're protecting and why before assessing risks.
Question 5
During an internal audit, an auditor reports that the information security policy has not been reviewed in 3 years and contains outdated references to legacy systems that no longer exist. What is the security manager's MOST appropriate response?
Explanation
Security policies must remain current and relevant. The appropriate response: (1) initiate a full policy review (not just cosmetic updates), (2) involve key stakeholders (IT, legal, HR, business units), (3) update to reflect current systems, threats, and regulatory requirements, (4) obtain management approval and communicate changes, (5) establish an annual (or change-triggered) review cycle. Simply removing outdated references (option A) may miss substantive gaps. Policies that don't reflect current reality are both ineffective and potentially misleading to auditors and regulators.
