Free CISM Exam Questions

ISACA CISM Free Exam Questions

Disclaimer

Please keep a note that the demo questions are not frequently updated. You may as well find them in open communities around the web. However, this demo is only to depict what sort of questions you may find in our original files.

Nonetheless, the premium exam dumps files are frequently updated and are based on the latest exam syllabus and real exam questions.

1 / 30

Which of the following is the BEST way to build a risk-aware culture?

Periodically change risk awareness messages

Establish incentives and a channel for staff to report risks

Periodically test compliance with security controls and post results

Ensure that threats are communicated organization-wide in a timely manner

2 / 30

When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls?

Risk management

Change management

Access control management

Configuration management

3 / 30

What would be an information security manager's BEST recommendation upon learning that an existing contract with a third party does not clearly identify requirements for safeguarding the organization's critical data?

Transfer the risk to the provider

Cancel the outsourcing contract

Create an addendum to the existing contract

Initiate an external audit of the provider's data center

4 / 30

Which of the following should an information security manager do FIRST when a legacy application is not compliant with a regulatory requirement, but the business unit does not have the budget for remediation?

Develop a business case for funding remediation efforts

Advise senior management to accept the risk of noncompliance

Notify legal and internal audit of the noncompliant legacy application

Assess the consequences of noncompliance against the cost of remediation

5 / 30

Threat and vulnerability assessments are important PRIMARILY because they are:

Needed to estimate risk

The basis for setting control objectives

Used to establish security investments

Elements of the organization's security posture

6 / 30

Which of the following is the BEST way to ensure that organizational security policies comply with data security regulatory requirements?

Outsource compliance activities

Send the policies to stakeholders for review

Obtain annual sign-off from executive management

Align the policies to the most stringent global regulations

7 / 30

Which of the following is the BEST method to protect consumer private information for an online public website?

Use secure encrypted transport layer

Encrypt consumer data in transit and at rest

Apply a masking policy to the consumer data

Apply strong authentication to online accounts

8 / 30

Risk scenarios simplify the risk assessment process by:

Ensuring business risk is mitigated

Focusing on important and relevant risk

Covering the full range of possible risk

Reducing the need for subsequent risk evaluation

9 / 30

A legacy application does not comply with new regulatory requirements to encrypt sensitive data at rest, and remediating this issue would require significant investment. What should the information security manager do FIRST?

Determine the cost to remediate the noncompliance

Assess the business impact to the organization

Present the noncompliance risk to senior management

Investigate alternative options to remediate the noncompliance

10 / 30

What should be an information security manager's FIRST step when developing a business case for a new intrusion detection system (IDS) solution?

Conduct a feasibility study

Perform a cost-benefit analysis

Define the issues to be addressed

Calculate the total cost of ownership (TCO)

11 / 30

Which of the following is MOST likely to be included in an enterprise security policy?

Retention schedules

Definitions of responsibilities

Organizational risk

System access specifications

12 / 30

In a multinational organization, local security regulations should be implemented over global security policy because:

Requirements of local regulations take precedence

Business objectives are defined by local business unit managers

Global security policies include unnecessary controls for local businesses

Deploying awareness of local regulations is more practical than of global policy

13 / 30

Which of the following is the MOST important consideration in a bring your own device (BYOD) program to protect company data in the event of a loss?

The ability to remotely locate devices

The ability to classify types of devices

The ability to centrally manage devices

The ability to restrict unapproved applications

14 / 30

The PRIMARY reason for defining the information security roles and responsibilities of staff throughout an organization is to:

Reinforce the need for training

Comply with security policy

Enforce individual accountability

Increase corporate accountability

15 / 30

An information security team is investigating an alleged breach of an organization's network. Which of the following would be the BEST single source of evidence to review?

Antivirus software

Intrusion detection system (IDS)

File integrity monitoring (FIM) software

Security information and event management (SIEM) tool

16 / 30

Application data integrity risk is MOST directly addressed by a design that includes.

Strict application of an authorized data dictionary

Access control technologies such as role-based entitlements

Reconciliation routines such as checksums, hash totals, and record counts

Application log requirements such as field-level audit trails and user activity logs

17 / 30

Executive leadership has decided to engage a consulting firm to develop and implement a comprehensive security framework for the organization to allow senior management to remain focused on business priorities. Which of the following poses the GREATEST challenge to the successful implementation of the new security governance framework?

Executive leadership becomes involved in decisions about information security governance

Information security staff has little or no experience with the practice of information security governance

Information security management does not fully accept the responsibility for information security governance

Executive leadership views information security governance primarily as a concern of the information security management team

18 / 30

To gain a clear understanding of the impact that a new regulatory requirement will have on an organization's information security controls, an information security manager should FIRST:

Perform a gap analysis

Conduct a risk assessment

Interview senior management

Conduct a cost-benefit analysis

19 / 30

An organization has purchased a security information and event management (SIEM) tool. Which of the following is MOST important to consider before implementation?

Reporting capabilities

Controls to be monitored

Available technical support

The contract with the SIEM vendor

20 / 30

Which of the following is the MOST effective way to address an organization's security concerns during contract negotiations with a third party?

Ensure security is involved in the procurement process

Communicate security policy with the third-party vendor

Conduct an information security audit on the third-party vendor

Review the third-party contract with the organization's legal department

21 / 30

Which of the following should be an information security managers PRIMARY focus during the development of a critical system storing highly confidential data?

Avoiding identified system threats

Complying with regulatory requirements

Reducing the number of vulnerabilities detected

Ensuring the amount of residual risk is acceptable

22 / 30

An information security manager has been asked to determine whether an information security initiative has reduced risk to an acceptable level. Which of the following activities would provide the BEST information for the information security manager to draw a conclusion?

Reviewing the risk register

Performing a risk assessment

Conducting a business impact analysis (BIA)

Initiating a cost-benefit analysis of the implemented controls

23 / 30

Which of the following is the MOST important security consideration when developing an incident response strategy with a cloud provider?

Escalation processes

Security audit reports

Technological capabilities

Recovery time objective (RTO)

24 / 30

Which of the following BEST enables effective information security governance?

Advanced security technologies

Periodic vulnerability assessments

Security-aware corporate culture

Established information security metrics

25 / 30

An information security risk analysis BEST assists an organization in ensuring that:

Cost-effective decisions are made with regard to which assets need protection

The infrastructure has the appropriate level of access control

An appropriate level of funding is applied to security processes

The organization implements appropriate security technologies

26 / 30

An organization that uses external cloud services extensively is concerned with risk monitoring and timely response. The BEST way to address this concern is to ensure:

Internal security standards are in place

The availability of continuous technical support

A right-to-audit clause is included in contracts

Appropriate service level agreements (SLAs) are in place

27 / 30

When evaluating vendors for sensitive data processing, which of the following should be the FIRST step to ensure the correct level of information security is provided?

Develop metrics for vendor performance

Review third-party reports of potential vendors

Include information security clauses in the vendor contract

Include information security criteria as part of vendor selection

28 / 30

Over the last year, an information security manager has performed risk assessments on multiple third-party vendors. Which of the following criteria would be MOST helpful in determining the associated level of risk applied to each vendor?

Criticality of the service to the organization

Corresponding breaches associated with each vendor

Compliance requirements associated with the regulation

Compensating controls in place to protect information security

29 / 30

Which of the following is the MOST important consideration when developing information security objectives?

They are approved by the IT governance function

They are clear and can be understood by stakeholders

They are regularly reassessed and reported to stakeholders

They are identified using global security frameworks and standards

30 / 30

Deciding the level of protection a particular asset should be given is BEST determined by:

A risk analysis

A threat assessment

The corporate risk appetite

A vulnerability assessment

Your score is

The average score is 78%

By Wordpress Quiz plugin

Free CISM Exam Questions – 2025 Updated

Disclaimer

[email protected]

Helpful links

top Vendors

Contact Us

[email protected]

FLASH OFFER

avail $6 DISCOUNT on YOUR PURCHASE