ISACA CISM Certified Information Security Manager Exam
The Certified Information Security Manager (CISM) credential is a globally recognized standard for professionals managing enterprise information security. This practice exam is designed to reflect real-world scenarios and complex decision-making processes across four critical domains: Information Security Governance, Risk Management, Program Development and Management, and Incident Management. Developed with industry alignment in mind, the content helps reinforce strategic thinking and aligns with key frameworks and compliance standards.
Whether you’re advancing toward leadership in cybersecurity or solidifying your understanding of risk-based strategies, this exam prep supports focused learning through a realistic content structure. It emphasizes situational awareness, policy development, lifecycle management, and effective risk response, and is ideal for IT professionals, consultants, and aspiring managers seeking to validate their expertise and readiness for high-stakes responsibilities in modern security environments.
Tailored for those aiming to pass the CISM certification on the first attempt, this resource strengthens your confidence through comprehensive and relevant content. Prepare with clarity and purpose to meet today’s evolving security management challenges.
Sample Questions and Answers
✅ Domain 1: Information Security Governance
1. Which of the following BEST ensures alignment between information security objectives and business objectives?
A. Implementation of security policies
B. Regular security audits
C. A well-defined governance framework
D. Enforcement of technical controls
Answer: C
Explanation: A governance framework ensures that information security supports and aligns with business goals by providing structure, accountability, and performance measurement.
2. What is the PRIMARY purpose of an information security strategy?
A. To define access control policies
B. To create a disaster recovery plan
C. To support business objectives through security goals
D. To reduce IT costs
Answer: C
Explanation: An information security strategy is meant to align security initiatives with business objectives to protect critical assets effectively.
3. Which of the following would MOST likely be considered a key performance indicator (KPI) for information security governance?
A. Number of firewall rules
B. Number of incidents closed within SLA
C. Number of software licenses
D. Number of users trained in Excel
Answer: B
Explanation: KPIs should reflect measurable outcomes related to security effectiveness; resolving incidents within SLA directly reflects operational efficiency.
4. What is the BEST justification for senior management support of an information security program?
A. Compliance with internal policies
B. Alignment with business risk appetite
C. Acquisition of technical tools
D. Enhancing staff productivity
Answer: B
Explanation: Senior management is more likely to support security programs that are aligned with business risk tolerance and strategic objectives.
5. Which of the following is the MOST important component of a security governance program?
A. Security awareness training
B. Network access controls
C. Executive sponsorship
D. Firewalls
Answer: C
Explanation: Without executive sponsorship, security programs lack the authority, funding, and prioritization required for success.
✅ Domain 2: Information Risk Management
6. What is the PRIMARY purpose of a risk register?
A. To track hardware and software inventory
B. To log employee activities
C. To document and manage identified risks
D. To outline security policies
Answer: C
Explanation: A risk register helps organizations document identified risks, assess their impact, and plan mitigation strategies.
7. A risk that remains after controls have been applied is called:
A. Transferred risk
B. Inherent risk
C. Residual risk
D. Accepted risk
Answer: C
Explanation: Residual risk is what remains after all mitigation and controls have been implemented.
8. The MOST important factor when evaluating the impact of a risk is:
A. Cost of mitigation
B. Business process criticality
C. Number of users affected
D. Frequency of occurrence
Answer: B
Explanation: The criticality of the business process helps determine the true impact a risk can have on operations.
9. What is the BEST way to assess the likelihood of a risk event occurring?
A. Vendor recommendations
B. Qualitative interviews
C. Historical data and trend analysis
D. Employee surveys
Answer: C
Explanation: Historical data provides objective evidence that can be used to estimate future likelihoods more accurately.
10. Which of the following BEST reflects risk appetite?
A. Compliance with legal requirements
B. Investment in antivirus tools
C. Tolerance for operational disruptions
D. Implementation of firewalls
Answer: C
Explanation: Risk appetite is the amount and type of risk an organization is willing to accept in pursuit of its objectives; of the options given, only tolerance for operational disruption expresses that. Legal compliance is an obligation rather than a choice, and antivirus or firewall deployments are controls, not statements of appetite.
✅ Domain 3: Information Security Program Development and Management
11. What is the PRIMARY purpose of an information security program?
A. To install and maintain security software
B. To protect the organization’s assets and support business objectives
C. To conduct penetration testing
D. To limit employee internet usage
Answer: B
Explanation: An effective security program ensures that security initiatives protect assets in alignment with business goals.
12. Which metric BEST assesses the maturity of an information security program?
A. Percentage of blocked emails
B. Number of incidents
C. Capability Maturity Model Integration (CMMI) level
D. Volume of firewall logs
Answer: C
Explanation: CMMI levels assess the maturity and optimization of processes, including those related to security programs.
13. What should be done FIRST when designing an information security program?
A. Define policies and procedures
B. Conduct a gap analysis
C. Assign access privileges
D. Install firewalls
Answer: B
Explanation: A gap analysis reveals deficiencies between the current and desired state, helping prioritize improvements.
14. Security awareness programs should primarily focus on:
A. System configurations
B. Technical jargon
C. Behavioral change
D. Security architecture
Answer: C
Explanation: The main goal of awareness programs is to positively influence employee behavior to reduce risk.
15. Who should have final approval over the information security policy?
A. IT Director
B. Risk Manager
C. HR Manager
D. Executive Management
Answer: D
Explanation: Executive management is responsible for final approval to ensure the policy aligns with strategic direction.
✅ Domain 4: Information Security Incident Management
16. What is the FIRST step in an incident response process?
A. Containment
B. Identification
C. Eradication
D. Recovery
Answer: B
Explanation: Of the options given, identification comes first: an incident must be recognized as such before it can be contained, eradicated, or recovered from. (Full incident-response lifecycles such as NIST SP 800-61 place a preparation phase before identification, but preparation is not among the choices.)
17. What is the PRIMARY goal of incident response?
A. To prevent all future incidents
B. To find and punish the attacker
C. To minimize business disruption
D. To alert the media
Answer: C
Explanation: The objective is to manage incidents in a way that limits operational and financial impact.
18. What is MOST important to ensure during post-incident reviews?
A. Assign blame
B. Update antivirus
C. Identify root cause
D. Change incident response team
Answer: C
Explanation: Root cause analysis is essential to prevent recurrence and improve future responses.
19. Which of the following should be performed BEFORE restoring a system after an incident?
A. Notify law enforcement
B. Eradicate the threat
C. Reboot the server
D. Inform customers
Answer: B
Explanation: Systems should only be restored once the root cause or threat has been eradicated to prevent reinfection.
20. What is the BEST metric for evaluating the effectiveness of an incident response team?
A. Number of security tools used
B. Volume of spam emails blocked
C. Mean time to respond (MTTR)
D. Number of team members
Answer: C
Explanation: MTTR measures how quickly the team acts on an incident once it has been detected; tracked together with mean time to detect (MTTD), it shows whether the team is finding and containing incidents faster over time. Tool counts, spam volumes, and headcount say nothing about outcomes.
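The following is an added example, not part of the original exam material, showing how the metrics behind questions 3 and 20 are computed from incident records: time to detect (occurred to detected), time to respond (detected to contained), their means, and the share of incidents contained within a per-severity SLA. The incident records and SLA table are constructed for illustration.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records (illustrative, not real data). Each carries the
# three timestamps a ticketing system records: when the event occurred, when
# it was detected, and when it was contained.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "occurred": "2024-03-01T08:00:00",
     "detected": "2024-03-01T08:30:00", "contained": "2024-03-01T14:00:00"},
    {"id": "INC-2", "severity": "medium", "occurred": "2024-03-02T14:00:00",
     "detected": "2024-03-02T19:00:00", "contained": "2024-03-03T09:00:00"},
    {"id": "INC-3", "severity": "high", "occurred": "2024-03-05T01:00:00",
     "detected": "2024-03-05T01:10:00", "contained": "2024-03-05T02:00:00"},
]

# Assumed response SLA (detection to containment) per severity, in hours.
SLA_HOURS = {"high": 4, "medium": 24, "low": 72}


def _minutes(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def incident_durations(incidents):
    """Per incident: (id, time-to-detect minutes, time-to-respond minutes).
    Rejects records whose timestamps are out of order instead of producing
    negative durations that would silently improve the averages."""
    rows = []
    for inc in incidents:
        ttd = _minutes(inc["occurred"], inc["detected"])
        ttr = _minutes(inc["detected"], inc["contained"])
        if ttd < 0 or ttr < 0:
            raise ValueError(f"{inc['id']}: timestamps out of order")
        rows.append((inc["id"], ttd, ttr))
    return rows


def mean_times(incidents):
    """(MTTD, MTTR) in minutes across the incident set."""
    rows = incident_durations(incidents)
    return mean(r[1] for r in rows), mean(r[2] for r in rows)


def sla_breaches(incidents, sla_hours=SLA_HOURS):
    """IDs of incidents whose detection-to-containment time exceeded the SLA."""
    return [inc_id for inc, (inc_id, _, ttr) in zip(incidents, incident_durations(incidents))
            if ttr > sla_hours[inc["severity"]] * 60]


def sla_compliance_rate(incidents, sla_hours=SLA_HOURS):
    """Fraction of incidents contained within SLA (the KPI from question 3)."""
    return 1 - len(sla_breaches(incidents, sla_hours)) / len(incidents)


if __name__ == "__main__":
    mttd, mttr = mean_times(INCIDENTS)
    print(f"MTTD {mttd:.0f} min, MTTR {mttr:.0f} min, "
          f"SLA compliance {sla_compliance_rate(INCIDENTS):.0%}, "
          f"breaches {sla_breaches(INCIDENTS)}")
```

On the constructed data INC-1 is the only SLA breach (330 minutes against a 4-hour target), so compliance is two out of three even though the mean response time looks acceptable; reporting the breach list alongside the mean keeps one slow incident from being hidden by the average.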
✅ Mixed Questions (All Domains)
21. A third-party risk assessment should focus PRIMARILY on:
A. Cost of services
B. Compliance with local laws
C. Data handling and security practices
D. Employee retention rates
Answer: C
Explanation: When dealing with third parties, it is critical to assess how they handle sensitive organizational data.
22. What BEST helps prevent privilege escalation attacks?
A. Firewalls
B. Intrusion detection systems
C. Role-based access control
D. VPN usage
Answer: C
Explanation: Role-based access control enforces least privilege by granting each user only the rights their job function requires, so a compromised or malicious account has little to escalate to. For the control to hold, role assignment itself must be restricted; otherwise a user with the right to change roles can simply grant themselves a more privileged one.
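The following is an added example, not part of the original exam material, of the RBAC check behind question 22 together with the guard that makes it resistant to privilege escalation: a user may only grant roles whose permissions they already hold themselves. The role names, permission strings, and sample accounts are assumed for illustration.

```python
# Role -> permissions table (assumed for illustration).
ROLE_PERMISSIONS = {
    "viewer":   {"ticket:read"},
    "analyst":  {"ticket:read", "ticket:update"},
    "helpdesk": {"ticket:read", "user:assign_role"},
    "admin":    {"ticket:read", "ticket:update", "ticket:delete", "user:assign_role"},
}


class AccessDenied(Exception):
    pass


def permissions_for(roles):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def can(user, permission):
    return permission in permissions_for(user["roles"])


def require(user, permission):
    if not can(user, permission):
        raise AccessDenied(f"{user['name']} lacks {permission}")


def assign_role(actor, target, role):
    """Grant `role` to `target`, enforcing two checks:
    1. the actor must hold user:assign_role;
    2. the role must not carry any permission the actor lacks, so nobody can
       hand out (or hand themselves) more privilege than they already have.
    Returns the target's resulting role set."""
    require(actor, "user:assign_role")
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role}")
    excess = ROLE_PERMISSIONS[role] - permissions_for(actor["roles"])
    if excess:
        raise AccessDenied(
            f"{actor['name']} cannot grant {role}: would escalate via {sorted(excess)}")
    target["roles"].add(role)
    return target["roles"]


def make_users():
    """Constructed sample accounts (not real data)."""
    return {
        "alice": {"name": "alice", "roles": {"admin"}},
        "bob":   {"name": "bob",   "roles": {"helpdesk"}},
        "carol": {"name": "carol", "roles": {"viewer"}},
    }


if __name__ == "__main__":
    users = make_users()
    print(assign_role(users["alice"], users["carol"], "analyst"))  # admin may grant analyst
    try:
        assign_role(users["bob"], users["bob"], "admin")           # helpdesk self-escalation
    except AccessDenied as e:
        print("denied:", e)
```

The second check is the one that is usually missing: a helpdesk role that can assign roles but cannot delete tickets must not be able to mint an admin, whether for a colleague or for itself. Without the subset comparison, "user:assign_role" is effectively equivalent to every permission in the table.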
23. The PRIMARY reason for conducting business impact analysis (BIA) is to:
A. Determine legal liability
B. Measure user satisfaction
C. Identify critical business functions
D. Reduce licensing costs
Answer: C
Explanation: BIA is used to prioritize recovery by identifying systems and processes critical to business operations.
24. A well-documented policy framework should include:
A. Product specifications
B. Regulatory audit tools
C. Objectives, responsibilities, and enforcement
D. Market analysis
Answer: C
Explanation: Policy frameworks must clearly state the policy’s intent, roles, and enforcement methods to be effective.
25. Which control type is a firewall?
A. Preventive
B. Detective
C. Corrective
D. Compensating
Answer: A
Explanation: Firewalls are preventive controls, designed to block unauthorized access before it occurs.
26. What is the PRIMARY purpose of security logging and monitoring?
A. Reducing hardware cost
B. Investigating breaches
C. Meeting business goals
D. Saving bandwidth
Answer: B
Explanation: Logs are the evidence base for detecting incidents and investigating breaches: without them, the scope and timeline of a compromise cannot be reconstructed. Monitoring turns that evidence into timely detection and response; compliance reporting is a secondary benefit.
27. During vendor onboarding, the MOST important document to review is:
A. Product datasheet
B. Code of conduct
C. Service level agreement (SLA)
D. Organizational chart
Answer: C
Explanation: SLAs define expectations, responsibilities, and penalties — critical for vendor performance and risk management.
28. The effectiveness of a password policy can BEST be evaluated by:
A. Measuring login times
B. Conducting password audits
C. Monitoring internet use
D. Reviewing antivirus logs
Answer: B
Explanation: A password audit tests the stored password hashes against wordlists and reuse checks, showing whether users actually comply with the policy (length, complexity, uniqueness, rotation) rather than merely whether the policy exists. Login times, internet use, and antivirus logs say nothing about password quality.
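The following is an added example, not part of the original exam material, of the password audit described in question 28: stored salted hashes are tested against a banned-password list, accounts found to share a password are grouped, and passwords older than an assumed maximum age are flagged. The credential store, wordlist, and policy parameters are constructed for illustration, and the audit reports usernames only, never recovered plaintexts.

```python
import hashlib
import os
from datetime import date

# Kept low so the example runs in about a second; production deployments use
# a far higher count or a memory-hard KDF such as Argon2.
PBKDF2_ITERATIONS = 20_000


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_credential_store():
    """Constructed sample accounts (not real data): user, password, last change."""
    rows = [
        ("alice", "Summer2023!", "2023-01-10"),
        ("bob", "correct-horse-battery-staple-42", "2024-02-01"),
        ("carol", "Summer2023!", "2024-03-15"),
        ("dave", "password1", "2024-03-20"),
    ]
    store = {}
    for user, password, changed in rows:
        salt = os.urandom(16)  # per-account salt, as a real store would have
        store[user] = {"salt": salt, "hash": hash_password(password, salt),
                       "changed": date.fromisoformat(changed)}
    return store


# Assumed short banned-password list; a real audit uses a breach corpus.
WEAK_PASSWORDS = ["password", "password1", "Summer2023!", "Welcome1", "letmein"]


def audit_passwords(store, wordlist=WEAK_PASSWORDS, max_age_days=365,
                    today=date(2024, 4, 1)):
    """Return usernames (never plaintexts) that violate the assumed policy:
    - cracked: hash matches an entry on the banned-password list
    - reused:  groups of accounts sharing the same (cracked) password
    - stale:   last change older than the policy's maximum age"""
    cracked = {}
    for user, rec in store.items():
        for guess in wordlist:
            if hash_password(guess, rec["salt"]) == rec["hash"]:
                cracked[user] = guess
                break
    groups = {}
    for user, guess in cracked.items():
        groups.setdefault(guess, []).append(user)
    reused = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    stale = sorted(u for u, r in store.items()
                   if (today - r["changed"]).days > max_age_days)
    return {"cracked": sorted(cracked), "reused": reused, "stale": stale}


if __name__ == "__main__":
    print(audit_passwords(make_credential_store()))
```

Because each account has its own salt, two users with the same password have different hashes, so reuse can only be detected for passwords the audit manages to crack; that is the intended effect of salting, and it is why the audit keys the reuse groups on the recovered guess rather than on the stored hash.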
29. Encryption is MOST useful in which scenario?
A. Physical asset tracking
B. Backup media storage
C. Printer access control
D. Network speed optimization
Answer: B
Explanation: Encrypting backups protects sensitive data if the storage media is lost, stolen, or mishandled in transit or offsite storage. The protection depends on key management: keys must be stored separately from the media and remain available for the life of the backup, or the encrypted copy cannot be restored.
30. Which activity is MOST essential to ensure a security policy remains current and relevant?
A. Annual printing of policies
B. Random email testing
C. Periodic review and updates
D. Social media announcements
Answer: C
Explanation: Policies must be regularly reviewed and updated to reflect new threats, business changes, and compliance requirements.