View CISM Exam Questions

Q: 1

A common drawback of email software packages that provide native encryption of messages is that the encryption:

Options

Discussion

Priya P. Mar 7, 2026 7:21 pm

I don’t think it’s D. B is the issue, since proprietary encryption can't talk across platforms.

Priya K. Mar 13, 2026 4:41 am

C vs D. If we’re talking about actual crypto strength limitations, I’d say C is also super common with older packages.

SeasonedReviewer4414 Mar 10, 2026 11:26 am

Sick of these "interoperability" questions, but yeah, B is right. Different email clients rarely play nice together with built-in encryption. Seen similar on other practice sets, so pretty sure that's what ISACA wants here.

Rowan L. Mar 7, 2026 7:47 pm

Had something like this in a mock. B makes sense since each encryption method works fine inside its own platform, but you always hit issues when you try to send encrypted mail between different email software. Pretty sure that's what they're looking for here.

Sam R. Mar 8, 2026 5:13 am

B , native encryption always falls over when you mix different email products.

Noah N. Mar 10, 2026 8:53 am

Option B for me. Native encryption just doesn't play nice between different email software, so users end up locked in or unable to exchange secure emails. I think this is the most common pain, not key recovery or attachment issues. Makes sense?

Nora X. Mar 4, 2026 12:07 pm

A is wrong, B. Interoperability trips up native encryption unless both sides use matching software, which isn’t always the case with cross-vendor emails.

Sara M. Mar 5, 2026 4:29 am

I don't think it's D. B makes more sense since lack of interoperability is a constant headache with native email encryption, especially if sender and receiver use different vendors. D is more about compliance rather than being a "common" issue. Disagree?

Meera W. Mar 8, 2026 9:07 am

Why wouldn't A be right? Haven't seen native email apps struggle as much with attachments as with cross-platform issues.

Mason C. Mar 2, 2026 6:26 am

D imo

Be respectful. No spam.

Correct Answer:

Explanation

A primary and persistent drawback of native email encryption is the lack of interoperability. Email ecosystems are fragmented, with different vendors and software packages implementing various encryption standards (e.g., S/MIME, OpenPGP) or proprietary, closed-system methods. For encryption to function, both the sender and the recipient must use compatible systems. If a user on a platform using one encryption method sends a message to a user on a different, incompatible platform, they cannot communicate securely. This requirement for a shared standard or vendor "domain" severely limits the universal applicability and seamless use of email encryption, creating a significant barrier to widespread adoption.

Why Incorrect

A. Most modern email encryption standards, such as S/MIME and PGP, are specifically designed to encrypt the entire message payload, which includes any attachments.

C. Current email encryption standards and their implementations support robust, industry-accepted algorithms and key lengths (e.g., AES-256, RSA-4096), which are considered sufficient.

D. While not universal, many enterprise-focused email encryption solutions incorporate key recovery or key escrow mechanisms as a critical feature to prevent data loss.

---

References

1. National Institute of Standards and Technology (NIST) Special Publication 800-45 Version 2

Guidelines on Electronic Mail Security.

Reference: Section 3.4

"Interoperability

" page 16.

Quote: "Interoperability is a key issue for secure messaging. There are many different secure messaging standards and products available

and they are often incompatible. If two users wish to exchange secure mail

but their mail clients use different

incompatible security mechanisms

they will be unable to do so." This directly supports the chosen answer that lack of interoperability across product domains is a major drawback.

2. Ruoti

O'Neill

& Seamons

K. E. (2016). Why we need to rethink email encryption. In 2016 APWG Symposium on Electronic Crime Research (eCrime).

Reference: Section II.A

"The Network Effect".

Paraphrased Content: The paper explains that the value of a communication tool increases with the number of users. For email encryption

this "network effect" is a major hurdle. A user can only send an encrypted email to someone who also has a compatible encryption setup. This fragmentation and lack of a universal

interoperable standard means users often cannot communicate securely outside of their specific "domain" or group of users with compatible software.

3. Herzberg

A. (2017). A Threat Model for E-Mail End-to-End Encryption. Bar-Ilan University.

Reference: Section 2

"Background: E-mail and E2E Encryption

" page 3.

Paraphrased Content: The document discusses the two main standards for end-to-end email encryption

OpenPGP and S/MIME. It notes their different trust models and technical implementations

highlighting that they are not interoperable. This division in the ecosystem forces organizations and users to choose one standard

limiting their ability to communicate securely with those who have chosen the other

reinforcing the problem of non-interoperability across domains.

Q: 2

An email digital signature will:

Options

Discussion

Logan Mar 2, 2026 8:20 pm

Option B But is the question asking what it guarantees, or just what it helps with? If they want to know about confidentiality instead, that'd change the pick. Official guide covers this.

Sam C. Mar 1, 2026 12:26 pm

Tricky wording here but digital signature only lets the recipient verify integrity, so B. It doesn't actually stop or undo tampering, just detects it. Pretty sure that's what ISACA is testing for!

Sanjay I. Mar 12, 2026 5:40 pm

C vs B? I see B picked a lot but some practice exams seem to twist wording with C. Official guide is worth double-checking for this one.

PreciseMentor6161 Mar 13, 2026 3:49 am

B . D is the trap since digital signatures don't actually prevent changes, they just show if tampering happened.

Leo F. Mar 5, 2026 12:02 pm

B tbh. Digital signature doesn't actually prevent or fix unauthorized changes, just lets you verify if the content was altered. D is tempting but a common trap here.

Luna K. Mar 11, 2026 9:02 pm

Likely D. Digital signature should help prevent unauthorized modification since tampering would be detected, right?

Arjun E. Mar 12, 2026 1:51 am

C/D? Digital signature only detects if something changed, it doesn't block or fix modifications so it's gotta be B.

Ajay K. Mar 16, 2026 12:43 am

Pretty sure B is what they're looking for. Digital signatures let the recipient check if the message was altered, but don't actually stop or fix tampering. D and C both miss that point. Let me know if you see it different.

Jason I. Feb 26, 2026 10:05 pm

B . D is tempting but digital signatures don't prevent changes, just verify if something got altered.

Chris Mar 7, 2026 6:19 am

I don’t think it’s C. B is right since digital signatures only verify that the email hasn’t been altered, they don’t fix any unauthorized edits. Think some might confuse this with prevention or correction.

Be respectful. No spam.

Correct Answer:

Explanation

A digital signature's primary function is to provide assurance of data integrity, authenticity, and non-repudiation. It is created by generating a cryptographic hash of the email message and then encrypting this hash value with the sender's private key. The recipient uses the sender's public key to decrypt the hash. They then independently compute the hash of the received message. If the two hashes match, it cryptographically proves that the message has not been altered since it was signed, thus verifying its integrity. This process does not inherently encrypt the message content for confidentiality.

Why Incorrect

A. Confidentiality is achieved by encrypting the entire message content, which is a separate process from applying a digital signature.

C. A digital signature is a detective control; it can identify that a modification has occurred but has no capability to automatically correct it.

D. A digital signature is a detective, not a preventive, control. It cannot stop a message from being intercepted and modified in transit.

References

1. ISACA

CISM Review Manual

15th Edition. Domain 3: Information Security Program Development and Management. The manual explains cryptographic controls

stating that digital signatures are used to provide integrity

authentication

and non-repudiation

distinguishing this from encryption which provides confidentiality.

2. National Institute of Standards and Technology (NIST). (2013). FIPS PUB 186-4

Digital Signature Standard (DSS). Page 1

Section 1

Introduction. The standard states

"Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition

the recipient of signed data can present the data and its signature to a third party to prove that the signature was generated by the claimed signatory. This is known as non-repudiation... In summary

the use of a digital signature provides data integrity and source authentication."

3. Kurose

J. F.

& Ross

K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson. Chapter 8

"Security in Computer Networks." Section 8.3

"Principles of Cryptography

" explains that digital signatures

created by encrypting a message digest with a private key

allow a recipient to verify that the message is un-altered (integrity) and from the claimed sender (authenticity).

Q: 3

Which of the following is the MOST important detail to capture in an organization's risk register?

Options

Discussion

KaranJ Mar 11, 2026 3:09 pm

Ownership is the main thing that makes a risk register actionable, so D. If nobody's assigned, nothing gets done even if you know the severity. Seen similar in exam practice, pretty sure this is what ISACA expects but correct me if you disagree.

Rowan S. Mar 11, 2026 8:07 am

B . I get that ownership (D) matters for action, but severity (B) feels like the main thing you need to log first so you know where to focus. Unless I’m missing something from the CISM perspective.

Adam Mar 9, 2026 8:40 am

D tbh. B is tempting since severity helps sort risks but ISACA usually prioritizes clear accountability. Saw similar in practice dumps.

Jamie S. Mar 3, 2026 9:00 pm

Option D every time with ISACA, gets me how often folks overthink this. If you don’t have risk ownership documented, nobody’s accountable and nothing gets managed in practice.

Ivy N. Feb 27, 2026 6:34 pm

B tbh

Zoe B. Mar 6, 2026 9:27 pm

B , severity level is usually what I see prioritized in real risk registers on exams.

Cameron Mar 7, 2026 5:26 am

CuriousAuditor7570 Mar 14, 2026 2:51 am

B is tempting, but D is correct. Assigning ownership ensures accountability, while severity (B) mostly helps rank risks. Saw this type of wording in other ISACA practice runs-ownership always wins for 'most important'. Pretty sure about it.

Olivia K. Mar 17, 2026 12:38 am

I don’t think B is right here. D is most important since without risk ownership there’s no accountability and risks just sit unmanaged. Severity (B) is a trap since it helps with prioritizing, but doesn’t drive action by itself. Seen this asked in similar CISM sample questions-ISACA likes accountability focus.

Skyler G. Mar 3, 2026 3:24 pm

D imo. You absolutely need risk ownership recorded so someone is on the hook for action and tracking. Without that, risks fall through the cracks. Severity matters too but accountability is what makes the register useful. Pretty sure ISACA exams focus on this.

Be respectful. No spam.

Correct Answer:

Explanation

The most critical detail to capture in a risk register is risk ownership. The primary purpose of a risk register is to be an actionable tool for managing risk. Assigning an owner establishes clear accountability for monitoring the risk, ensuring that risk treatment plans are developed and implemented, and reporting on the risk's status. Without a designated owner, a risk is effectively unmanaged, regardless of its severity or the organization's appetite. Accountability is the cornerstone that transforms a risk register from a static list of problems into a dynamic management instrument.

Why Incorrect

A. Risk appetite is a high-level, strategic statement that guides the overall risk management framework; it is not a specific attribute of an individual risk in the register.

B. Risk severity level is essential for prioritizing risks, but without an owner, no action will be taken to address the risk, rendering its prioritization moot.

C. Risk acceptance criteria are the specific conditions under which a risk is acceptable, derived from risk appetite, and used to guide decisions rather than being a primary field per risk.

---

References

1. ISACA

CISM Review Manual

16th Edition. In Domain 2: Information Risk Management

the manual emphasizes that a key output of the risk identification and analysis process is the risk register. It consistently highlights that for each identified risk

an owner must be assigned to be accountable for managing the risk through its lifecycle. The concept of accountability through ownership is presented as fundamental to effective risk management. (Domain 2

Task Statement K2.5: "Knowledge of methods to monitor risk (e.g.

key risk indicators [KRIs]

key performance indicators [KPIs]

audit results

vulnerability assessments)"). Effective monitoring is impossible without an assigned owner.

2. National Institute of Standards and Technology (NIST)

Special Publication (SP) 800-37

Rev. 2

"Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy." In Appendix F

"Risk Register

" the template for a risk register explicitly includes "Risk Owner" as a fundamental data element. This underscores its importance in a structured risk management framework for tracking and accountability.

3. ISO/IEC 27005:2022

"Information security

cybersecurity and privacy protection — Guidance on managing information security risk." Clause 8.2

"Information security risk identification process

" states that the output of risk identification should include the identification of risk owners. This establishes ownership early in the process as a foundational step before subsequent assessment and treatment.

Q: 4

An organization's automated security monitoring tool generates an excessively large amount of falsq positives. Which of the following is the BEST method to optimize the monitoring process?

Options

Discussion

Luke R. Mar 11, 2026 6:11 am

Option B

Neha T. Mar 12, 2026 3:49 am

I'd pick A here. Reporting only critical alerts seems like it would cut down on noise fast, which is what the question asks. I get why B is picked a lot but still think A makes more sense if you're just trying to make monitoring easier right away. Anyone else think so?

DirectConsultant613 Mar 17, 2026 4:27 pm

B edges it for me-changing reporting thresholds actually tackles why there are so many false positives instead of just hiding them. A might be tempting but you risk ignoring useful alerts. Could also depend on how the environment is set up, but B seems safest.

Robin N. Mar 11, 2026 11:25 pm

B here, changing reporting thresholds is what actually tunes out the false positives.

Alex U. Mar 10, 2026 3:09 pm

Its B, had something like this in a mock. Adjusting thresholds is classic for too many false positives.

Nina N. Feb 28, 2026 1:56 am

I don’t think C fits since it’s more about what gets logged, not directly reducing false positives in the alerting logic. B.

Priya F. Mar 11, 2026 11:26 pm

B like the official ISACA guides say. Adjusting thresholds is a common fix for alert overload, saw similar recommendations in practice resources.

Sanjay G. Mar 16, 2026 11:53 pm

B imo. Adjusting reporting thresholds helps reduce false positives at the source, which is more effective than just filtering alerts by timeframe like D. Pretty sure C and A don’t really address the root problem.

Anita U. Mar 15, 2026 3:31 pm

B or D? I think B is better since changing thresholds directly reduces the number of false positives at the source. D only limits when you see them, doesn’t really fix the spam. Not 100% though, anyone disagree?

Priya D. Mar 2, 2026 11:38 pm

Probably D. Saw something close to this in a practice test and D seemed right to me.

Be respectful. No spam.

Correct Answer:

Explanation

An excessive number of false positives indicates that the security monitoring tool's detection rules are too sensitive for the organization's specific operational environment. The most direct and effective method to optimize the process is to tune the system by changing the reporting thresholds or adjusting the logic of the correlation rules. This process, often referred to as "baselining" or "tuning," helps the system better distinguish between normal network/system activity and actual malicious events. Adjusting thresholds reduces alert fatigue and allows security analysts to focus their efforts on investigating genuine threats, thereby improving the overall efficiency and effectiveness of the security monitoring function.

Why Incorrect

A. Report only critical alerts: This is a filtering action that masks the underlying problem of poor tuning and can lead to missing precursor events that are part of a larger attack.

C. Reconfigure log recording: This alters the data being collected, not the analysis of that data. The issue lies with the analysis rules, not necessarily the logs themselves.

D. Monitor incidents in a specific time frame: This creates significant and unacceptable security blind spots, as attackers do not adhere to a schedule.

---

References

1. ISACA

CISM Review Manual

15th Edition. Domain 4: Information Security Incident Management. The manual emphasizes that a key part of the detection and analysis phase of incident management is the continuous tuning of detection systems. It states that security events must be analyzed against predefined thresholds and baselines to determine if they constitute an incident. An excess of false positives is a clear indicator that these thresholds require adjustment. (Specifically

see the sections covering "Incident Detection and Analysis Tools and Techniques").

2. NIST Special Publication 800-137

Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. Section 3.3

"Analyze

" discusses the analysis of security-related information. It notes that organizations define monitoring frequencies and analysis triggers/thresholds. The document states

"Analysis of the data collected may trigger an alert to the appropriate organizational officials for a response... Triggers can be event-driven

query-driven

or based on a specific time." Adjusting these thresholds is the primary mechanism for controlling alert volume. (Page 19

Section 3.3).

3. NIST Special Publication 800-92

Guide to Computer Security Log Management. Section 4.3.2

"Log Analysis Methods and Techniques

" discusses how automated analysis tools use correlation rules and thresholds. It implicitly supports the need for tuning

stating

"Organizations should test their log analysis capabilities to ensure that they can identify events of interest in a timely and accurate manner

" which includes minimizing false positives by adjusting these parameters.

Q: 5

In a cloud technology environment, which of the following would pose the GREATEST challenge to the investigation of security incidents?

Options

Discussion

SeasonedSec7672 Mar 3, 2026 1:59 am

Option C

Taylor G. Feb 28, 2026 7:12 am

C . Non-standard event logs make incident response much harder, especially in the cloud where everything is scattered across platforms. Standardizing and correlating logs is a nightmare. Not 100% sure if D could ever be worse, but inconsistent logs have tripped up teams I know.

Robin X. Mar 8, 2026 3:41 am

B , because if everything's encrypted and you don't have the keys, you're basically locked out of actual evidence. Logs could be messy but still readable or convertible, but encryption without access might totally block investigation. Not 100% sure though since C is also a hassle.

SkylerX Mar 6, 2026 12:06 am

B tbh, had something like this in a mock and encryption was flagged as a major blocker. If data is encrypted and you don’t have keys, you’re basically stuck. Not sure if C is worse than that-happy to be corrected.

Mason R. Mar 17, 2026 2:32 am

Is anyone thinking data encryption (B) could be more of a blocker for investigations than odd log formats? I'm pretty sure C is right since if the logs aren't standardized, it's almost impossible to piece together what happened. But I get why D or B might confuse people.

Ravi Mar 13, 2026 11:33 am

C every time for practical cloud forensics. If the logs are all over the place or inconsistent, you can't even start correlating events. Maybe D could hurt if it's unreadable but that's rare imo.

PracticalDev4006 Feb 26, 2026 3:00 pm

C/D? If the cloud provider's logs weren't standardized, even good access to hardware or decrypted data wouldn't help much. C has bitten teams before in IR from similar exam cases.

SkepticalLead501 Mar 14, 2026 10:02 pm

C vs B. I don’t think encryption (B) is as tough here since, in most cases, investigators can get access to keys if needed. But non-standard event logs (C) create way more confusion and slow everything down. Seen similar on practice questions, but let me know if you disagree.

Liam X. Mar 14, 2026 8:25 pm

Probably C here, seen this pop up on official practice questions before. Non-standard event logs just make incident investigations in cloud way harder to manage. Official guide covers this scenario too, but I think C fits best.

Sara Z. Mar 14, 2026 10:19 am

C , non-standard event logs can really mess with investigations since nothing lines up easily across systems. Encryption is tough but there's usually a way to decrypt if you have proper access. Pretty sure C is what they're looking for here, but open if folks think otherwise.

Be respectful. No spam.

Correct Answer:

Explanation

In a cloud environment, services and infrastructure components generate logs from numerous, disparate sources (e.g., hypervisor, network, platform services, applications). These logs often lack a standardized format, making aggregation, normalization, and correlation extremely difficult. This heterogeneity is the greatest challenge because it fundamentally hinders an investigator's ability to reconstruct a timeline of events, understand the attacker's path, and determine the scope of an incident. Without a coherent and correlated view of activities across the entire technology stack, the investigation can become prohibitively complex and time-consuming.

Why Incorrect

A. Access to the hardware is an inherent limitation of public cloud models, but cloud forensics has adapted by focusing on logical evidence like virtual machine snapshots and logs provided by the cloud service provider.

B. Data encryption is a security control, not an insurmountable challenge. With proper key management policies, authorized investigators can decrypt data as part of the forensic process.

D. Compressed customer data is a minor operational step. Decompression is a standard, computationally trivial procedure that does not pose a significant barrier to a security investigation.

---

References

1. Zawoad

& Hasan

R. (2015). Cloud Forensics: A Meta-Study of Challenges

Approaches

and Open Problems. IEEE Communications Surveys & Tutorials

17(3)

1336–1365. In Section IV-A

"Technical Challenges

" the paper explicitly identifies "Lack of standardized log formats" as a major issue

stating that different cloud services generate logs in various formats

complicating the correlation of events during an investigation. (DOI: https://doi.org/10.1109/COMST.2015.2411655)

2. Daryabar

Dehghantanha

& Choo

K. K. R. (2017). Cloud storage forensics: A comprehensive media article analysis. In Cloud Storage Forensics (pp. 19-33). Syngress. The authors discuss challenges in cloud forensics

highlighting that evidence can be distributed across multiple data centers and that the "lack of standardized logging mechanisms and formats" makes it difficult to create a unified view for investigation. (See Chapter 2

Section 2.4 Challenges).

3. National Institute of Standards and Technology (NIST). (2006). NIST Special Publication 800-92

Guide to Computer Security Log Management. Section 2.2

"Log Management Challenges

" discusses problems arising from "Inconsistent Log Content and Format." While not specific to the cloud

this foundational document establishes that non-standard logs are a primary challenge for any security investigation

a problem that is significantly amplified in complex

multi-layered cloud environments.

Q: 6

Which of the following is MOST important to have in place to help ensure an organization's cybersecurity program meets the needs of the business?

Options

Discussion

Nathan Feb 27, 2026 9:19 am

Option C

Mason Mar 6, 2026 11:15 am

Option C for me. Governance sets the foundation for aligning security with business goals, not just technical stuff. Without governance, training and metrics won’t connect to actual business priorities. Pretty sure that’s what ISACA wants here but open if someone disagrees.

FocusedAuditor2155 Mar 1, 2026 4:01 pm

Probably C, governance ties everything to business strategy. Saw a similar question in exam reports.

Noah Mar 14, 2026 5:34 pm

Why are so many picking A? Feels like C is safer unless the question asks for first step only, not overall importance.

Drew L. Feb 26, 2026 2:15 am

C imo

Alex C. Feb 26, 2026 3:03 am

C really is key for "most important" since governance is what makes sure cyber aligns with the business side. Without that, risk and awareness efforts could totally miss the mark. Pretty sure ISACA always wants you to prioritize governance for questions like this, but if someone sees it different let me know.

Robin Mar 15, 2026 1:10 am

C (not B) is the real driver. Governance ties security to business goals so everything else (risk, awareness, metrics) actually supports what the org needs. I think that's what ISACA's after here.

Anita Z. Mar 3, 2026 7:05 pm

Its A. Had something like this in a mock and they focused on risk assessment as the key. Confident with A here.

Mason A. Mar 8, 2026 2:56 am

B here. Awareness training feels most crucial in practice since without user buy-in, any security program can be undermined pretty quick. Not 100 percent sure though, seen prep exams stress this. Official guide or CISM practice tests might help clarify.

Aaron L. Mar 5, 2026 5:05 am

Nah, not A. Risk assessment is super important but without C (governance), the whole program won't support the business properly.

Be respectful. No spam.

Correct Answer:

Explanation

Information security governance is the MOST important element because it establishes the overarching framework that aligns the security program with the organization's strategic objectives. Governance provides direction from senior leadership, defines roles and responsibilities, and ensures that security activities support business goals, manage risk according to the business's risk appetite, and deliver value. It is the foundation upon which other components, such as risk assessments and metrics, are built and managed to ensure they are relevant to the business. Without effective governance, security efforts can become disconnected from business needs, leading to misallocated resources and inadequate protection of critical assets.

Why Incorrect

A. A risk assessment program is a critical process that identifies and evaluates risks, but it operates within the strategic direction and risk appetite set by the governance framework.

B. Information security awareness training is a specific operational control to mitigate human-related risks, not the strategic framework that ensures overall business alignment.

D. Information security metrics are used to measure the performance and effectiveness of the security program, but the governance framework defines the business objectives that the metrics must measure against.

References

1. ISACA

CISM Review Manual

16th Edition. Chapter 1

Section 1.2

"Outcomes of Information Security Governance

" states: "The primary outcome of information security governance is business enablement through the alignment of information security objectives with the business’s strategic objectives." This directly links governance to meeting business needs.

2. ISACA

COBIT 2019 Framework: Introduction and Methodology. Section 3.1

"Governance and Management Objectives

" explains that the primary role of governance is to "evaluate stakeholder needs

conditions and options to determine balanced

agreed-on enterprise objectives" and "set direction through prioritization and decision making." This highlights governance as the mechanism for translating business needs into actionable objectives for the security program.

3. De Haes

& Van Grembergen

W. (2015). Enterprise Governance of Information Technology: Achieving Alignment and Value

Featuring COBIT 5. Springer International Publishing. In Chapter 2

"IT Governance

and its Mechanisms and Implementation

" the authors emphasize that the core of IT (and by extension

information security) governance is the "alignment of business and IT

where IT is an enabler of the business." This academic source confirms that governance is the fundamental principle for ensuring technology and security programs serve business needs. (DOI not typically assigned to full books

but this is a foundational text).

Q: 7

Which of the following is the MOST important consideration when determining which type of failover site to employ?

Options

Correct Answer:

Explanation

The Recovery Time Objective (RTO) is the most critical factor in determining the type of failover site. The RTO defines the maximum tolerable duration of a service outage as determined by the business. This business requirement directly dictates the necessary speed of recovery and, consequently, the required capabilities of an alternate site. A very short RTO (e.g., minutes) necessitates a hot site that is fully operational and ready for immediate failover. A longer RTO (e.g., days) may allow for a more cost-effective warm or cold site, which requires more time to become operational. Therefore, the selection of a failover site is a direct translation of the business's time-based recovery requirements.

Why Incorrect

A. Reciprocal agreements are a type of recovery strategy, but their feasibility and selection are dependent on business requirements like the RTO, not the other way around.

B. Disaster recovery test results are used to validate and improve an existing recovery plan and site, not to determine the initial selection of the site type.

D. Data retention requirements define how long data must be kept for legal or business purposes, which influences backup and archival strategies, not the speed of operational recovery.

References

1. ISACA

CISM Review Manual

15th Edition. In Domain 3: Information Security Program Development and Management

the section on Business Continuity Planning explicitly states that the selection of a recovery strategy is based on the RTO. It notes

"A short RTO will require a more resilient and typically more expensive solution

such as a hot site

whereas a longer RTO may allow for a cold site." (Chapter 3

Section 3.5.5 Recovery Strategies).

2. NIST Special Publication 800-34 Rev. 1

Contingency Planning Guide for Federal Information Systems. This foundational guide states

"The selection of recovery strategies and solutions is based on the system’s RTO and RPO... For example

if a system has an RTO of 12 hours

a cold site would not be an appropriate solution because it typically takes at least one week to set up." (Section 3.3.3

Identify and Select Recovery Strategies

Page 26).

3. Caras

A. (2005). Business Continuity Planning. Carnegie Mellon University

Software Engineering Institute. This technical note explains that the Business Impact Analysis (BIA) identifies critical processes and their associated Recovery Time Objectives (RTOs). The document emphasizes that the "BIA results are the primary input to the selection of cost-effective recovery strategies." The RTO is a core output of the BIA

directly driving the strategy for alternate sites. (CMU/SEI-2005-TN-021

Section 3.2

Page 11).

Q: 8

Which of the following should an information security manager do NEXT after creating a roadmap to execute the strategy for an information security program?

Options

Discussion

Zoe S. Mar 4, 2026 6:55 pm

Its D, not A. Project plan comes after the roadmap, seen similar on practice exams.

Sara Mar 2, 2026 12:55 am

Yeah, this comes down to whether the roadmap's already agreed on. If the roadmap is done, then D makes sense since you need a detailed project plan to start executing. But if exec consensus wasn’t secured, A could sneak in as the right move. Pretty sure on D unless the question’s hiding that detail somewhere.

Nina U. Mar 7, 2026 3:46 am

Always see this kind of flow in ISACA practice and the official CISM guide: D

Amelia G. Mar 6, 2026 12:13 pm

Maybe A here. I thought after creating the roadmap, you'd confirm strategy buy-in with the executive board before moving to detailed project plans, especially if it hasn't been officially signed off yet. Sometimes CISM questions expect that next validation step. Could be missing something, but that's my take. Agree?

Arjun V. Mar 16, 2026 4:39 pm

Pretty sure it's not A, D fits better. Roadmap is higher-level, so the next practical step is making a project plan to actually execute those roadmap items. Unless they want us to assume no exec signoff yet, but I doubt it.

Morgan Mar 7, 2026 12:49 pm

Its D. You move to project planning after the roadmap since the exec buy-in and alignment should've happened before the roadmap step. A is tempting but it’s a timing trap here, pretty sure that's how CISM expects it.

Layla Mar 17, 2026 1:22 am

D not A. Executive consensus should've happened during strategy sign-off, the trap is thinking it's needed after the roadmap.

Mason X. Mar 3, 2026 10:36 pm

Maybe B

Piya U. Mar 16, 2026 1:58 pm

Feels like D since you need to turn the high-level roadmap into a detailed project plan to start executing. Getting consensus or reviewing alignment would normally happen earlier during strategy and roadmap creation, not after. Pretty sure that's CISM best practice, but maybe there's a subtlety I'm missing. Agree?

CuriousLead1595 Mar 10, 2026 1:52 am

Its D here. Trap is A but the board usually signs off before you build the roadmap, not after.

Be respectful. No spam.

Correct Answer:

Explanation

The logical progression in information security program management follows a hierarchy from high-level strategic intent to detailed, actionable execution. After an information security strategy is defined, a roadmap is created to outline the major initiatives, milestones, and timelines required to achieve the strategic goals. The roadmap, however, is still a high-level document. The immediate next step is to translate these high-level initiatives into detailed, manageable units of work. This is accomplished by developing project plans, which specify the tasks, resources, schedules, and deliverables needed to implement each component of the roadmap, thereby operationalizing the strategy.

Why Incorrect

A. Obtaining consensus on the strategy from the executive board is a critical step that should occur before or during the finalization of the strategy, not after the implementation roadmap is created.

B. Reviewing alignment with business goals is a foundational activity performed during the development of the information security strategy itself to ensure its relevance and support for the organization.

C. Defining organizational risk tolerance is a fundamental input required to formulate the information security strategy; it dictates the level of risk the organization is willing to accept and shapes strategic goals.

References

1. ISACA

CISM Review Manual

16th Edition. Domain 1: Information Security Governance. The manual describes the process of strategy development and implementation. It clarifies that a strategy is translated into a roadmap

which is then executed through specific projects. The development of project plans is the logical step to operationalize the high-level initiatives outlined in the roadmap. (Specifically

the concepts in Task G2: "Develop a strategy to implement the information security program" and its supporting content imply this hierarchical breakdown from strategy to roadmap to project-level execution).

2. Calder

& Watkins

S. (2019). IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 (7th ed.). Kogan Page. Chapter 6

"Information Security Management System (ISMS)

" discusses the Plan-Do-Check-Act (PDCA) cycle. Creating a strategy and roadmap falls within the "Plan" phase. Developing detailed project plans is the transition from high-level planning to the "Do" phase

where the plans are executed.

3. University of Washington

Information Technology Courseware

"IT Strategy

Plans & Roadmaps." This resource distinguishes between strategies (the 'why')

roadmaps (the 'what' and 'when' at a high level)

and project plans (the detailed 'how'). It establishes that project plans are derived from the strategic roadmap to guide execution. This aligns with the principle that detailed planning follows high-level strategic outlining.

Q: 9

Which of the following is MOST appropriate for an organization to consider when defining incident classification and categorization levels?

Options

Discussion

QuietArchitect3504 Mar 2, 2026 9:22 pm

D . C is tricky but I think it's a distractor-impact matters more than just the number of assets affected.

HelpfulDev620 Mar 15, 2026 8:52 am

Its D since incident classification should focus on the actual impact to the business, not just asset count or threat. Impact really drives how you prioritize response. Pretty sure that's what ISACA wants here, but open to thoughts if someone disagrees.

Neha F. Mar 7, 2026 11:46 pm

C Quantity of impacted assets

CarefulEngineer1362 Mar 5, 2026 5:50 am

Had something like this in a mock and impact was always the focus for incident classification schemes. D fits since severity and priority are all about how much the business is affected, not just quantity or threat.

Mason T. Feb 26, 2026 10:10 am

C or D here. I was sure quantity of impacted assets (C) would be critical since more affected systems feels like it raises the level of the incident, especially for reporting. But now reading through some practice material, most emphasize impact overall (D) as the main tie-breaker. Curious what others make of C being less important.

Ryan R. Feb 27, 2026 10:36 pm

Option D, Pretty sure you’ll see this in the official manual and some practice tests too.

Mia M. Mar 4, 2026 8:50 am

D not C. Asset quantity feels like a trap since ISACA usually wants you to focus on severity and business impact when classifying incidents.

Avery Mar 15, 2026 8:40 pm

C vs D. I don't think it's C, even though asset count seems relevant. ISACA usually looks for incident impact (D) because that's what drives response priority in most frameworks. If I'm missing something about the context, let me know, but I'm pretty sure D is right here.

PracticalEngineer6564 Mar 16, 2026 2:00 am

D saw a similar question in a practice set, it's all about incident impact here.

Casey N. Mar 4, 2026 1:40 pm

Probably D. Official manual and some practice tests also go with impact as the driving factor for classification.

Be respectful. No spam.

Correct Answer:

Explanation

The primary purpose of classifying and categorizing security incidents is to establish a framework for prioritization and response. Incident impact is the most appropriate factor because it directly measures the adverse effect of an incident on business operations, assets, and objectives. A classification scheme based on impact (e.g., high, medium, low) ensures that incidents with the greatest potential to disrupt the business, cause financial loss, or damage reputation receive the highest priority and the most appropriate level of resources. This aligns incident response activities directly with the organization's risk tolerance and business protection goals.

Why Incorrect

A. Maturity of incident response activities: This describes the capability of the response team, not the characteristics of the incident itself, which is what classification is based on.

B. Threat environment: This informs the types of incidents an organization might face, but the classification level is determined by the potential damage (impact) of those incidents.

C. Quantity of impacted assets: This is only one component of impact. The compromise of a single, highly critical asset can have a far greater impact than many non-critical ones.

References

1. National Institute of Standards and Technology (NIST) Special Publication 800-61 Rev. 2

Computer Security Incident Handling Guide. Section 2.3.3

"Incident Prioritization

" states

"Incidents should be prioritized based on the relevant factors

such as the functional impact of the incident (e.g.

current and likely future negative impact to business functions)

the information impact of the incident (e.g.

effect on the confidentiality

integrity

and availability of the organization’s information)

and the recoverability from the incident." This directly ties prioritization

which is the outcome of classification

to impact.

2. ISACA

CISM Review Manual

16th Edition. In the domain of Information Security Incident Management

the manual consistently emphasizes that incident classification and subsequent prioritization must be based on business impact. It states that the objective is to manage incidents in accordance with their potential or actual effect on the confidentiality

integrity

and availability of information assets and the resulting impact on the business.

3. Peltier

T. R. (2013). Information Security Risk Analysis

Third Edition. CRC Press. Chapter 7

"Risk Assessment and Analysis

" discusses how the impact of an event is a critical component in determining its overall risk and severity. This principle is applied directly to incident management

where the classification of an incident is a function of its measured or potential impact on the organization.

Q: 10

When establishing metrics for an information security program, the BEST approach is to identify indicators that:

Options

Discussion

Mason Mar 13, 2026 3:30 pm

Makes sense to go with D here. Metrics that prove effectiveness are what ISACA focuses on, it's what exam drills always mention. I could see C mattering if risk culture was the main angle, but not in this case.

Robin E. Mar 18, 2026 9:38 am

Option D, The whole point of these metrics is to show if security controls are actually doing their job. Makes sense, right?

Karan J. Mar 8, 2026 7:27 pm

D Saw a similar question on a practice set, it's always about proving effectiveness for CISM metrics.

Emma N. Mar 3, 2026 3:02 am

I get why C keeps coming up but D is the real ISACA-style pick.

EmmaH Mar 4, 2026 4:10 am

Probably D, metrics should prove the security program's effectiveness. ISACA always circles back to measurable results here.

Quinn G. Mar 3, 2026 5:26 am

Its D - the point of security metrics in CISM is to prove if your controls and program are actually working. Just supporting initiatives (B) isn't enough, you need measurable proof that efforts are effective. Pretty sure that's what ISACA wants here. Open to other views though.

Jamie L. Feb 27, 2026 6:42 pm

I don't think it's B, since just supporting initiatives misses the point of why we use metrics. D fits better because CISM always stresses demonstrating effectiveness. B is tempting but feels like a distractor here.

Cameron A. Mar 8, 2026 9:54 am

D, that's what most practice tests and the official CISM guide focus on for metrics. Always about showing program effectiveness.

Quinn L. Mar 5, 2026 8:50 am

C/D? If the org's risk culture is super strong, C could make sense too.

Vikram V. Mar 17, 2026 3:51 am

Option B since supporting big initiatives seems like what they want here. D looks like a trap.

Be respectful. No spam.

Correct Answer:

Explanation

The primary purpose of information security metrics is to provide objective, quantifiable data that demonstrates the performance and effectiveness of the information security program. These metrics, often in the form of Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs), allow management and stakeholders to assess whether security controls are working as intended, if program objectives are being met, and how well risk is being managed. This data-driven approach is crucial for justifying security investments, guiding strategic decisions, and facilitating continuous improvement of the program's posture.

Why Incorrect

A. Reducing spending is a potential outcome of an efficient program identified through metrics, but it is not the primary goal of establishing them.

B. Metrics are used to measure the success and impact of security initiatives, not merely to support their existence.

C. While metrics should align with the corporate risk culture (e.g., risk appetite), their fundamental purpose is to measure performance, not simply to reflect the culture.

References

1. ISACA

CISM Review Manual

15th Edition. Chapter 3

Section: "Information Security Program Management." The manual states that metrics are essential for "measuring

monitoring

and reporting on the effectiveness of information security controls and the overall information security program." It emphasizes that metrics provide assurance to stakeholders that security objectives are being achieved.

2. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-55 Rev. 1

Performance Measurement Guide for Information Security. Section 2.1

"Purpose of an Information Security Performance Measurement Program

" explicitly states: "An information security performance measurement program helps an organization determine the effectiveness of its information security program

policies

and controls..."

3. ISACA

COBIT 2019 Framework: Introduction and Methodology. The framework's core principles revolve around governance and management objectives. The "Monitor

Evaluate and Assess" (MEA) domain

particularly MEA01

focuses on monitoring performance and conformance to ensure that enterprise and governance objectives are met

which is a direct measure of effectiveness.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE