Practice CISM Information Security Governance questions with full explanations on every answer.
1. Which of the following is the PRIMARY responsibility of the board of directors regarding information security governance?
2. An organization has a decentralized governance model where each business unit manages its own security. What is a key challenge of this model?
3. A CISO is developing a multi-year security roadmap. Which of the following should be the PRIMARY driver for prioritizing initiatives?
4. Which capability maturity model (CMM) level indicates that security processes are proactively measured and optimized?
5. An organization is implementing a new security policy. Which step should occur AFTER the policy is approved?
6. Which board-level metric is MOST useful for measuring the effectiveness of the incident response process?
7. A CISO is building a business case for a new security tool. Which approach BEST articulates the return on investment (ROI) to the board?
8. An organization is subject to GDPR, PCI DSS, and SOX. What is the BEST approach to manage compliance with multiple regulations?
9. A security awareness programme is being evaluated. Which metric BEST indicates a positive security culture?
10. Which of the following is the PRIMARY benefit of having a formal policy exception management process?
11. An organization is deciding whether to adopt a centralized or hybrid security governance model. Which factor MOST strongly favors a hybrid model?
12. Which of the following is the PRIMARY responsibility of the CISO in an organization?
13. A CISO is reporting to the board on the effectiveness of the security programme. Which TWO metrics are MOST appropriate for board-level reporting? (Select TWO)
14. An organization is updating its information security strategy. Which THREE elements should be included to ensure alignment with business objectives? (Select THREE)
15. A security policy is being developed. Which THREE steps are part of the policy development lifecycle? (Select THREE)
16. Which of the following is the primary responsibility of the board of directors in information security governance?
17. An organization is implementing a hybrid governance model for information security. Which statement best describes this approach?
18. A CISO is developing a multi-year security roadmap. Which approach best ensures the roadmap aligns with business strategy?
19. Which capability maturity model (CMM) level is characterized by security processes being standardized and documented across the organization?
20. A security metrics program should include key performance indicators (KPIs) for board reporting. Which metric is most appropriate for executive oversight?
21. During a security policy development lifecycle, which step should occur immediately after 'drafting' the policy?
22. A company is considering a policy exception that would allow temporary non-compliance with a data encryption standard due to a legacy system. What is the most important element of the exception management process?
23. Which of the following is the correct order in the security policy hierarchy, from highest to lowest level?
24. Which metric best indicates the effectiveness of a security awareness program in changing employee behavior?
25. A multinational organization handles personal data of EU residents. Which regulatory requirement must the information security program address?
26. Which of the following best describes the role of the chief information security officer (CISO) in a governance context?
27. Which component is essential for building a strong security culture within an organization?
28. A CISO is preparing a business case for a new security investment. Which TWO elements are most important to include to justify the investment?
29. An organization is designing a security metrics dashboard for the board of directors. Which THREE metrics are most appropriate for board-level reporting?
30. A security manager is conducting a regulatory compliance review. Which THREE regulations are most likely to apply to a financial services company operating in the United States?
31. Which governance structure is characterized by a single security team that serves the entire organization?
32. An organization is developing an information security strategy aligned with business objectives. Which of the following is the BEST approach to prioritize security investments?
33. A CISO is reporting to the board of directors. Which metric would BEST demonstrate the effectiveness of the security program in reducing business impact?
34. Which of the following is the FIRST step in the security policy development lifecycle?
35. A policy exception management process allows a business unit to temporarily deviate from a security policy. What is the MOST important requirement for such an exception?
36. An organization's board of directors wants to improve security culture. Which initiative would have the GREATEST impact?
37. A multinational organization must comply with GDPR, CCPA, and PCI DSS. The security manager is designing a compliance monitoring program. Which approach is MOST efficient?
38. In which reporting model does the CISO have a direct reporting line to the CEO while also reporting to the CIO on operational matters?
39. Which capability maturity model (CMM) level indicates that security processes are managed and measured using quantitative metrics?
40. A CISO is building a business case for a new security tool. Which approach BEST quantifies the value of the investment?
41. Which of the following is the BEST metric for the board to assess the security program's effectiveness in detecting threats?
42. An organization is updating its security policies. After drafting the policy, which step should occur NEXT?
43. A CISO is designing a security metrics program for the board. Which TWO metrics are MOST appropriate for board-level reporting?
44. A financial services firm is subject to SOX, PCI DSS, and GDPR. The CISO needs to implement a regulatory change management process. Which THREE steps are essential?
45. Which TWO elements are key components of a security culture measurement program?
46. Which governance model is characterized by a single, centralized security team that serves the entire organization?
47. An organization's board of directors wants to ensure that security activities align with business objectives. Which governance practice best supports this alignment?
48. A CISO reports to the CIO and provides regular security updates to the board audit committee. The CEO has delegated security accountability to the CFO. Which governance structure does this reflect?
49. Which capability maturity model (CMM) level indicates that security processes are measured and controlled?
50. A security manager wants to measure the effectiveness of the security awareness program. Which metric is most relevant?
51. During a policy exception review, the CISO identifies that multiple exceptions have been granted for the same control due to business constraints. What is the best course of action?
52. Which regulatory requirement mandates that organizations implement data protection measures for personal data of EU citizens?
53. What is the primary purpose of a security incident near-miss reporting culture?
54. A company is developing a business case for a new security tool. Which metric best demonstrates the value of the investment?
55. An organization's security strategy includes a goal to achieve CMM Level 3. What capability does the organization need to demonstrate?
56. Which board-level committee typically receives security reports to provide oversight?
57. What is the first step in the security policy development lifecycle?
58. A CISO is presenting a security investment proposal to the board. Which two metrics are most effective for articulating the business value of the investment?
59. An organization is updating its security governance framework. Which three elements are essential for ensuring board-level oversight?
60. A security manager is measuring the security culture of the organization. Which three metrics are most appropriate?
61. Which of the following is the PRIMARY reason for aligning the information security program with business objectives?
62. An organization has a decentralized governance model with security teams embedded in each business unit. The CISO is concerned about inconsistent security controls across the enterprise. What is the BEST recommendation to address this?
63. A CISO is preparing a multi-year security roadmap. Which of the following is the MOST critical factor for ensuring the roadmap aligns with business strategy?
64. In a Capability Maturity Model (CMM) for information security processes, which level is characterized by processes being measured and controlled?
65. The board of directors has requested a security metrics dashboard. Which metric would BEST demonstrate the effectiveness of the incident response process?
66. An organization is developing a security policy for remote access. According to the policy hierarchy, where should this policy fit?
67. A CISO is building a business case for a new security tool. Which of the following approaches is MOST effective for justifying the investment?
68. Which of the following is the PRIMARY role of the board of directors in information security governance?
69. Which of the following best describes a key benefit of a centralized information security governance model?
70. An organization is implementing a security awareness program. Which metric is MOST indicative of a positive security culture?
71. A multinational organization must comply with GDPR, CCPA, and PCI DSS. Which approach is MOST effective for managing these overlapping requirements?
72. Which of the following is the FIRST step in the security policy development lifecycle?
73. A CISO is presenting a security metrics dashboard to the board. Which TWO metrics are most appropriate for board-level reporting? (Select TWO.)
74. An organization is implementing a policy exception management process. Which THREE elements are essential for effective exception handling? (Select THREE.)
75. Which TWO factors are most important when prioritizing security investments? (Select TWO.)
76. An organization has a decentralized governance model where each business unit manages its own security team. The CISO reports to the CIO. Which of the following is the GREATEST risk associated with this structure?
77. A CISO is developing a multi-year security roadmap aligned with business strategy. The organization is in a highly regulated industry with frequent regulatory changes. Which of the following should be the PRIMARY driver for prioritizing security initiatives?
78. Which of the following is the BEST example of a board-level security metric?
79. An organization is updating its security policy framework. The current enterprise security policy has not been reviewed in three years. What is the FIRST step in the policy development lifecycle?
80. A CISO is building a business case for a new security tool. Which TWO metrics would BEST justify the investment to senior leadership?
81. An organization is implementing a security culture measurement program. Which THREE metrics would BEST indicate a positive security culture?
82. Which TWO components are essential for an effective information security governance framework?
83. A CISO is developing a security strategy. Which THREE elements should be included in a multi-year security roadmap?
84. An organization is designing a policy exception management process. Which THREE elements are critical for this process to be effective?
85. Which TWO regulations are MOST likely to impact an organization that processes credit card payments and handles personal data of EU residents?
The Information Security Governance domain covers the key concepts tested in this area of the CISM exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISM domains — no account required.
The Courseiva CISM question bank contains 85 questions in the Information Security Governance domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Information Security Governance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.