
[Sep-2025] Get 100% Real Free Isaca Certification CISM Sample Questions
Accurate CISM Questions with Free and Fast Updates
ISACA CISM Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
NEW QUESTION # 417
Which of the following is the MOST important element of an information security strategy?
- A. Time frames for delivery
- B. Defined objectives
- C. Complete policies
- D. Adoption of a control framework
Answer: B
Explanation:
Section: INFORMATION SECURITY GOVERNANCE
Explanation:
Without defined objectives, a strategy - the plan to achieve objectives - cannot be developed. Time frames for delivery are important but not critical for inclusion in the strategy document. Similarly, the adoption of a control framework is not critical to having a successful information security strategy. Policies are developed subsequent to, and as a part of, implementing a strategy.
NEW QUESTION # 418
Which of the following provides the BEST means of ensuring business units outside of IT have their information security concerns addressed?
- A. A comprehensive list of business processes performed by each business unit
- B. Involvement of senior management in information security policy development
- C. Targeted user security awareness programs for business units outside of IT
- D. Inclusion of business unit management In the Information security steering committee
Answer: A
NEW QUESTION # 419
A penetration test against an organization's external web application shows several vulnerabilities. Which of the following presents the GREATEST concern?
- A. Vulnerabilities were not found by internal tests
- B. A rules of engagement form was not signed prior to the penetration test
- C. Exploit code for one of the vulnerabilities is publicly available
- D. Vulnerabilities were caused by insufficient user acceptance testing (UAT)
Answer: C
Explanation:
Exploit code for one of the vulnerabilities is publicly available presents the greatest concern because it means that anyone can easily exploit the vulnerability and compromise the web application. This increases the risk of data breach, denial of service, or other malicious attacks. Therefore, exploit code for one of the vulnerabilities is publicly available is the correct answer.
References:
* https://www.imperva.com/learn/application-security/penetration-testing/
* https://www.netspi.com/blog/technical/web-application-penetration-testing/are-you-testing-your-web- application-for-vulnerabilities/
NEW QUESTION # 420
Which of the following is a step in establishing a security policy?
- A. Developing platform-level security baselines
- B. Creating a RACI matrix
- C. Implementing a process for developing and maintaining the policy
- D. Developing configuration parameters for the network
Answer: C
NEW QUESTION # 421
An organization has learned of a security breach at another company that utilizes similar technology. The FIRST thing the information security manager should do is:
- A. discontinue the use of the vulnerable technology.
- B. report to senior management that the organization is not affected.
- C. assess the likelihood of incidents from the reported cause.
- D. remind staff that no similar security breaches have taken place.
Answer: C
Explanation:
The security manager should first assess the likelihood of a similar incident occurring, based on available information. Discontinuing the use of the vulnerable technology would not necessarily be practical since it would likely be needed to support the business. Reporting to senior management that the organization is not affected due to controls already in place would be premature until the information security manager can first assess the impact of the incident. Until this has been researched, it is not certain that no similar security breaches have taken place.
NEW QUESTION # 422
An organization is entering into an agreement with a new business partner to conduct customer mailings. What is the MOST important action that the information security manager needs to perform?
- A. Ensuring that the third party is contractually obligated to all relevant security requirements
- B. Ensuring that the business partner has an effective business continuity program
- C. A due diligence security review of the business partner's security controls
- D. Talking to other clients of the business partner to check references for performance
Answer: A
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
Explanation:
The key requirement is that the information security manager ensures that the third party is contractually bound to follow the appropriate security requirements for the process being outsourced. This protects both organizations. All other steps are contributory to the contractual agreement, but are not key.
NEW QUESTION # 423
In violation of a policy prohibiting the use of cameras at the office, employees have been issued smartphones and tablet computers with enabled web cameras. Which of the following should be the information security manager's FIRST course of action?
- A. Communicate the acceptable use policy.
- B. Revise the policy.
- C. Conduct a risk assessment,
- D. Perform a root cause analysis.
Answer: C
NEW QUESTION # 424
An organization's research department plans to apply machine learning algorithms on a large data set containing customer names and purchase history. The risk of personal data leakage is considered high impact. Which of the following is the BEST risk treatment option in this situation?
- A. Mitigate the risk by encrypting the customer names in the data set.
- B. Accept the risk, as the benefits exceed the potential consequences.
- C. Mitigate the risk by applying anonymization on the data set.
- D. Transfer the risk by purchasing insurance.
Answer: C
NEW QUESTION # 425
Information security awareness programs are MOST effective when they are:
- A. sponsored by senior management.
- B. conducted at employee orientation
- C. reinforced by computer-based training.
- D. customized for each target audience.
Answer: D
Explanation:
Section: INFORMATION SECURITY PROGRAM DEVELOPMENT
NEW QUESTION # 426
An information security manager has been asked to develop a change control process. What is the FIRST thing the information security manager should do?
- A. Meet with stakeholders
- B. Establish change control procedures
- C. Identify critical systems
- D. Research best practices
Answer: A
Explanation:
Explanation
No new process will be successful unless it is adhered to by all stakeholders; to the extent stakeholders have input, they can be expected to follow the process. Without consensus agreement from the stakeholders, the scope of the research is too wide; input on the current environment is necessary to focus research effectively. It is premature to implement procedures without stakeholder consensus and research. Without knowing what the process will be the parameters to baseline are unknown as well.
NEW QUESTION # 427
Which of the following is the PRIMARY objective of implementing an information security strategy?
- A. To manage risk to an acceptable level
- B. To maintain adherence to information security policies
- C. To demonstrate compliance with legal requirements
- D. To align with industry best practices
Answer: A
NEW QUESTION # 428
Network isolation techniques are immediately implemented after a security breach to:
- A. reduce the extent of further damage.
- B. enforce zero trust architecture principles.
- C. preserve evidence as required for forensics
- D. allow time for key stakeholder decision making.
Answer: A
NEW QUESTION # 429
Which of the following is the BEST way to ensure the organization's security objectives are embedded in business operations?
- A. Define penalties for information security noncompliance.
- B. Perform annual information security compliance reviews.
- C. Implement an information security governance framework.
- D. Publish adopted information security standards.
Answer: C
Explanation:
The best way to ensure the organization's security objectives are embedded in business operations is to implement an information security governance framework. An information security governance framework is a set of policies, procedures, standards, guidelines, roles, and responsibilities that define and direct how the organization manages and measures its information security activities. An information security governance framework helps to align the information security strategy with the business strategy and the organizational culture, and to ensure that the information security objectives are consistent with the business objectives and the stakeholder expectations. An information security governance framework also helps to establish the authority, accountability, and communication channels for the information security function, and to provide the necessary resources, tools, and controls to implement and monitor the information security program. By implementing an information security governance framework, the organization can embed the information security objectives in business operations, and ensure that the information security function supports and enables the business processes and functions, rather than hinders or restricts them.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section:
Information Security Governance Framework, page 181; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question 75, page 702.
NEW QUESTION # 430
For the information security manager, integrating the various assurance functions of an organization is important PRIMARILY to enable:
- A. compliance with policy
- B. a security-aware culture
- C. consistent security.
- D. comprehensive audits
Answer: C
Explanation:
Consistent security is the primary reason for integrating the various assurance functions of an organization for the information security manager because it ensures that the security policies and standards are applied uniformly and effectively across different domains, processes, and systems of the organization.
Comprehensive audits are not the primary reason for integrating the various assurance functions, but rather a possible outcome or benefit of doing so. A security-aware culture is not the primary reason for integrating the various assurance functions, but rather a desirable state or goal of the organization. Compliance with policy is not the primary reason for integrating the various assurance functions, but rather a basic requirement or expectation of the organization. References: https://www.isaca.org/resources/isaca-journal/issues/2016
/volume-4/integrating-assurance-functions https://www.isaca.org/resources/isaca-journal/issues/2017/volume-
3/how-to-measure-the-effectiveness-of-your-information-security-management-system
NEW QUESTION # 431
Which of the following BEST facilitates the effectiveness of cybersecurity incident response?
- A. Increasing communication with all incident response stakeholders
- B. Continuously updating signatures of the anti-malware solution
- C. Utilizing a security information and event management (SIEM) tool
- D. Utilizing industry-leading network penetration testing tools
Answer: A
NEW QUESTION # 432
Which of the following BEST describes a buffer overflow?
- A. A type of covert channel that captures data
- B. A function is carried out with more data than the function can handle
- C. Malicious code designed to interfere with normal operations
- D. A program contains a hidden and unintended function that presents a security risk
Answer: B
Explanation:
A buffer overflow is a software coding error or vulnerability that occurs when a function is carried out with more data than the function can handle, resulting in adjacent memory locations being overwritten or corrupted by the excess data1. A program contains a hidden and unintended function that presents a security risk is not a buffer overflow, but rather a backdoor2. Malicious code designed to interfere with normal operations is not a buffer overflow, but rather malware3. A type of covert channel that captures data is not a buffer overflow, but rather a keylogger. References: 1 https://www.fortinet.com/resources/cyberglossary/buffer-overflow 2
https://www.fortinet.com/resources/cyberglossary/backdoor 3 https://www.fortinet.com/resources
/cyberglossary/malware https://www.fortinet.com/resources/cyberglossary/keylogger
NEW QUESTION # 433
Risk management is MOST cost-effective:
- A. while developing the business case for the security program.
- B. when performed on a continuous basis.
- C. when integrated into other corporate assurance functions.
- D. at the beginning of security program development.
Answer: C
Explanation:
Section: INFORMATION RISK MANAGEMENT
NEW QUESTION # 434
Which of the following should an information security manager do FIRST upon confirming a privileged user's unauthorized modifications to a security application?
- A. Enforce the security configuration and require the change to be reverted.
- B. Implement compensating controls to address the risk.
- C. Implement a privileged access management system.
- D. Report the risk associated with the policy breach.
Answer: A
Explanation:
The first thing that an information security manager should do upon confirming a privileged user's unauthorized modifications to a security application is to enforce the security configuration and require the change to be reverted. This is because the unauthorized modification may have compromised the security of the application and the data it protects, and may have violated the security policies and standards of the organization. By enforcing the security configuration and requiring the change to be reverted, the information security manager can restore the security posture of the application and prevent further unauthorized modifications.
NEW QUESTION # 435
Which of the following is MOST important for an information security manager to verify before conducting full-functional continuity testing?
- A. Copies of recovery and incident response plans are kept offsite
- B. Risk acceptance by the business has been documented
- C. Teams and individuals responsible for recovery have been identified
- D. Incident response and recovery plans are documented in simple language
Answer: C
Explanation:
Explanation
Before conducting full-functional continuity testing, an information security manager should verify that teams and individuals responsible for recovery have been identified and trained on their roles and responsibilities.
This will ensure that the testing can be executed effectively and efficiently, as well as identify any gaps or issues in the recovery process. Risk acceptance by the business, copies of plans kept offsite and plans documented in simple language are all good practices for continuity management, but they are not as important as having clear roles and responsibilities defined before testing.
NEW QUESTION # 436
Which of the following is the MOST important reason for an organization to develop an information security governance program?
- A. Establishment of accountability
- B. Compliance with audit requirements
- C. Creation of tactical solutions
- D. Monitoring of security incidents
Answer: B
NEW QUESTION # 437
Which of the following would be the BEST way for a company to reduce the risk of data loss resulting from employee-owned devices accessing the corporate email system?
- A. Require employees to install a reputable mobile anti-virus solution on their personal devices.
- B. Use a mobile device management (MDM) solution to isolate the local corporate email storage.
- C. Require employees to undergo training before permitting access to the corporate email service.
- D. Link the bring-your-own-device (BYOD) policy to the existing staff disciplinary policy.
Answer: B
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
NEW QUESTION # 438
Which of the following should be reviewed to obtain a structured overview of relevant information about an information security investment?
- A. Security balanced scorecard
- B. Business case
- C. Quantitative risk analysis report
- D. Information security strategy
Answer: B
NEW QUESTION # 439
Which of the following is the BEST way to compete for funding for an information security program in an organization with limited resources?
- A. Provide evidence of increased security events at peer organizations.
- B. Report key performance indicator (KPI) trends.
- C. Demonstrate the effectiveness of business continuity plans (BCPs).
- D. Demonstrate that the program enables business activities.
Answer: D
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:The goal of securing funding for an information security program often requires aligning the program with business goals and demonstrating its value to the organization. Here's an analysis of each option:
* A. Demonstrate the effectiveness of business continuity plans (BCPs): While important, this focuses on continuity rather than the overall value of the information security program to business objectives.
This is not the strongest method to justify funding.
* B. Report key performance indicator (KPI) trends: KPI trends are useful for tracking performance but may not directly demonstrate how the program supports business activities or adds value.
* C. Demonstrate that the program enables business activities: This is the BEST option because it ties the information security program directly to business operations. When security is seen as an enabler (e.
g., reducing risks in critical areas like customer data protection), stakeholders are more likely to allocate resources.
* D. Provide evidence of increased security events at peer organizations: This may indicate a general threat landscape but does not provide concrete evidence of the program's value or relevance to the organization's specific goals.
Reference: CISM Job Practice Area 1 (Information Security Governance) emphasizes aligning information security strategies with organizational objectives to gain stakeholder support.
NEW QUESTION # 440
......
CISM Study Guide Realistic Verified Dumps: https://quizmaterials.dumpsreview.com/CISM-exam-dumps-review.html

