Courseiva
Knowledge + Practice
Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CISM · Incident Management (free, no signup)

Practice CISM Incident Management questions with full explanations on every answer.

150 questions. Choose a session length of 10, 20, 30 or 50 questions (allow roughly one minute per question), or click any question below to see the full explanation and answer options.

1

An organization's incident response (IR) policy should be approved by which of the following to ensure authority and accountability?

2

During a P1 (critical) incident, the incident response manager has been providing hourly situation reports (sitreps) to executives. What is the primary reason for involving legal counsel in these communications?

3

An organization has experienced a ransomware incident that has encrypted critical servers. The incident response team is unable to restore operations within the maximum tolerable downtime (MTD). Which action should be taken next?

4

Which incident severity level requires executive notification and a 24/7 response?

5

Following a data breach, an organization conducts a root cause analysis using the 5 Whys technique. The analysis identifies that a misconfigured firewall allowed unauthorized access. What is the most important next step to prevent recurrence?

6

An organization's incident response plan includes playbooks for different incident types. Which playbook should be used for an incident involving unauthorized access to a user's account due to phishing?

7

Which of the following is typically a member of the crisis management team (CMT) during a major cybersecurity incident?

8

As part of post-incident activities, an organization schedules a lessons learned meeting. When should this meeting ideally take place?

9

During a data breach investigation, legal counsel instructs the forensics team to preserve evidence under attorney-client privilege. Which of the following actions is most critical to maintain that privilege?

10

An organization is updating its incident response playbook after a ransomware attack. Which of the following should be included as a key step in the ransomware playbook?

11

Which of the following is the primary purpose of having a pre-established forensic retainer agreement?

12

After a supply chain attack, the incident response team identifies that a third-party vendor's compromised credentials were used to access the organization's network. Which incident category should this be classified under?

13

Which TWO of the following are essential components of an incident response programme?

14

Which THREE of the following should be included in an incident communication template?

15

Which TWO of the following are appropriate actions for preserving evidence during a cybersecurity incident?

16

During a major security incident classified as P1, which of the following is the MOST appropriate communication frequency to the executive team?

17

An organization's incident response team has contained a ransomware incident. What is the NEXT step according to the incident management program?

18

An organization has just experienced a data breach involving personal data of EU residents. Under GDPR, what is the maximum time frame for notifying the supervisory authority?

19

Which of the following is the PRIMARY purpose of an incident response plan?

20

During a DDoS attack classified as P2, what is the EXPECTED response time and notification level?

21

An organization is conducting a root cause analysis after an insider threat incident. Which of the following tools is MOST appropriate for identifying the underlying management governance failure?

22

When should an incident response transition to business continuity and disaster recovery (BC/DR) activation?

23

Which of the following is the FIRST step when engaging an external forensics firm for an incident?

24

An organization has experienced a credential compromise incident. Which playbook should the incident response team primarily use?

25

During a major incident, the crisis management team (CMT) has been activated. Which of the following is the PRIMARY responsibility of the communications lead on the CMT?

26

What is the PRIMARY purpose of conducting a lessons learned meeting after an incident?

27

An organization's incident response team has identified that a data breach involves customer personal information. Which of the following should be done FIRST to preserve evidence for potential litigation?

28

Which TWO of the following are essential components of an incident response plan? (Select two.)

29

Which TWO of the following are key roles on the crisis management team (CMT) for a major cybersecurity incident? (Select two.)

30

Which THREE of the following are incident severity levels defined in a typical incident management program? (Select three.)

31

During a P1 incident, the incident response team identifies that the root cause is a misconfigured firewall. According to best practices, which of the following should be the PRIMARY focus of the root cause analysis?

32

An organization has experienced a ransomware attack that has encrypted critical servers. The incident response team is unable to contain the incident within the maximum tolerable downtime (MTD). Who has the authority to declare a disaster and activate the business continuity plan?

33

Which of the following is the PRIMARY purpose of having a pre-established contract with a digital forensics firm before an incident occurs?

34

During a data breach investigation, the incident response team discovers that a backup was encrypted by ransomware. The team needs to determine the sequence of events leading to the encryption. Which of the following documentation is MOST critical to preserve for potential litigation?

35

An organization's incident response team is handling a P2 incident involving an insider threat. The team has identified the employee responsible. The communications lead is preparing a notification to affected parties. Which of the following should be included in the notification?

36

Following a major security incident, the lessons learned meeting is scheduled. Which of the following outcomes is MOST important to ensure the effectiveness of future incident response?

37

Which incident severity level requires executive notification and a 24/7 response?

38

During a DDoS attack, the incident response team is struggling to mitigate the attack. The team decides to engage the organization's ISP and a DDoS mitigation service. Which of the following should be done FIRST?

39

An organization is subject to GDPR and experiences a data breach involving personal data. What is the maximum timeframe to notify the supervisory authority?

40

Following a credential compromise incident, the incident response team is conducting root cause analysis using the 5 Whys technique. The first 'why' reveals that the password was weak. The second 'why' reveals that the password policy allowed simple passwords. What should be the focus of the third 'why'?

41

An incident response team is conducting an exercise to test its playbook for a ransomware incident. Which of the following is the PRIMARY benefit of such an exercise?

42

During a P1 incident, the incident response manager is preparing an executive sitrep. Which of the following should be included to preserve legal privilege?

43

An organization is updating its incident response plan. Which TWO components should be included to ensure effective evidence handling? (Select TWO.)

44

During a major cybersecurity incident, the crisis management team (CMT) is activated. Which THREE roles are typically part of the CMT? (Select THREE.)

45

An incident response team is creating playbooks for different incident types. Which TWO incident types should have a dedicated playbook? (Select TWO.)

46

During a major cybersecurity incident classified as P1, the incident response team has been activated. The crisis management team (CMT) is also convened. Which of the following is the PRIMARY responsibility of the CMT during this incident?

47

An organization's incident response plan includes a ransomware playbook. After detecting ransomware on a critical server, which of the following should be the FIRST action according to best practices?

48

During a post-incident root cause analysis, the team uses the '5 Whys' technique and identifies a technical vulnerability as the cause. According to CISM best practices, what should be the NEXT level of analysis?

49

An incident has been declared as P2 (high severity). According to the incident classification, what is the expected response timeframe and notification requirement?

50

In the context of incident management, which of the following is the PRIMARY purpose of conducting lessons learned meetings within two weeks of incident resolution?

51

During a data breach investigation, an organization engages an external forensics firm. To preserve attorney-client privilege, which of the following is the BEST practice?

52

What is the PRIMARY reason for having an incident response team roster and contact list readily available?

53

After a DDoS attack, the incident response team determines that the incident cannot be resolved within the maximum tolerable downtime (MTD). According to best practices, what should happen next?

54

An organization is required to disclose a material cybersecurity incident on SEC Form 8-K (Item 1.05) within 4 business days of determining that the incident is material. However, the incident is still under investigation. What is the BEST course of action?

55

Which of the following incident types is MOST likely to require activation of the crisis management team (CMT) due to potential regulatory and reputational impact?

56

In the incident response team structure, who is typically responsible for coordinating communication with external stakeholders such as customers and the media?

57

An organization maintains evidence handling procedures for incident response. A forensic investigator needs to collect a hard drive from a compromised server. Which of the following is the MOST critical step to ensure admissibility in court?

58

An organization is updating its incident response plan. Which TWO components are essential to include for effective insider threat management? (Select TWO.)

59

After a data breach involving customer PII, the incident response team is conducting a root cause analysis. Which THREE factors should be examined according to CISM best practices? (Select THREE.)

60

An organization is preparing for a potential supply chain incident. According to CISM best practices, which THREE elements should be included in the supply chain incident playbook? (Select THREE.)

61

An organization has experienced a ransomware attack that encrypted critical servers. The incident has been classified as P1. Which of the following is the FIRST action the incident response team should take according to the IR plan?

62

Which of the following is the PRIMARY purpose of conducting a lessons learned meeting after an incident?

63

During a major data breach investigation, legal counsel advises the incident response team to preserve attorney-client privilege over communications with external forensic investigators. Which of the following actions BEST supports this objective?

64

An organization's incident response team is handling a P2 insider threat incident involving unauthorized access to customer data. According to the incident classification, which of the following is the MOST appropriate notification and response timeframe?

65

Which of the following is the PRIMARY reason for having a pre-established forensic retainer agreement before an incident occurs?

66

During a P1 incident, the crisis management team (CMT) has been activated. The CEO asks for an hourly sitrep. Which of the following is the MOST appropriate content for the sitrep?

67

An organization has experienced a DDoS attack that is overwhelming its internet-facing services. The incident response team has implemented mitigations, but services remain degraded. The maximum tolerable downtime (MTD) for the affected services is 4 hours, and 3 hours have passed. Which of the following should the incident manager do NEXT?

68

Which of the following is the BEST approach for sharing threat intelligence indicators of compromise (IoCs) after an incident?

69

Which of the following is the PRIMARY reason for including communication templates in the incident response plan?

70

An organization is conducting a root cause analysis after a data breach. Which of the following sequences BEST aligns with the 5 Whys approach from a CISM perspective?

71

During a P1 incident involving a ransomware attack, the crisis management team has been activated. The communications lead is drafting an all-staff internal communication. Which of the following should be INCLUDED in this communication?

72

Which of the following is the PRIMARY role of the executive sponsor in the incident response team structure?

73

Which of the following incident categories would typically require the involvement of the crisis management team?

74

An organization's incident response plan requires that evidence be preserved for potential litigation. Which of the following actions is MOST critical to ensure the admissibility of digital evidence?

75

After a data breach involving personal data of EU residents, the incident manager must ensure compliance with GDPR notification requirements. Within how many hours must the organization notify the relevant supervisory authority of the breach?

76

Which TWO of the following are essential components of an incident response (IR) plan? (Select TWO)

77

Which THREE of the following are typical roles in an incident response team? (Select THREE)

78

Which TWO of the following are key considerations when managing an external forensics firm during an incident? (Select TWO)

79

Which component of an incident response programme provides detailed step-by-step instructions for handling a specific type of incident?

80

During a P1 (critical) incident, the incident response manager is coordinating response activities. Who is primarily responsible for activating the crisis management team (CMT)?

81

Following a ransomware incident where data was encrypted and exfiltrated, the root cause analysis reveals that the initial access occurred through a phishing email that bypassed email filters due to a misconfiguration. The misconfiguration was not identified because the security team lacked a formal process to review changes to the email filtering configuration. Which of the following is the most appropriate management/governance failure to document in the lessons learned?

82

An organization has experienced a data breach involving personal data of EU residents. Under GDPR, what is the maximum time frame within which the organization must notify the relevant supervisory authority?

83

Which incident severity level requires executive notification and 24/7 response, and has major business impact?

84

During a major incident, the incident response team discovers that the incident cannot be resolved within the maximum tolerable downtime (MTD). Which of the following actions should be taken next?

85

An organization is engaging an external forensics firm to investigate a suspected data breach. Which of the following is the most important step to ensure that evidence remains admissible in legal proceedings?

86

Which role in the incident response team structure is responsible for coordinating all response activities and making decisions about incident severity classification?

87

A security analyst detects a series of failed login attempts followed by a successful login from an unusual geographic location. The account is a standard user account. Which incident category best describes this scenario?
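The scenario in question 87 (a run of failed logins, then a success from an unusual location) is the kind of pattern a SOC turns into a detection rule rather than something an analyst spots by eye. What follows is an added example, not code from Courseiva or from the ISACA CISM material: a small Python detector run over constructed authentication log lines. The log format, the per-user baseline of usual countries, and the thresholds (three failures within ten minutes, then a success from a country outside the baseline) are assumptions for the example; the "credential compromise" category on the alert is the playbook label the questions on this page use.

```python
"""Detection logic for 'repeated failures, then a success from an unusual location'."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not from any real system).
# Assumption: one event per line, already in chronological order.
SAMPLE_LOGS = """\
2024-05-03T10:00:01Z user=jdoe src=198.51.100.10 country=US result=OK
2024-05-03T10:05:10Z user=asmith src=203.0.113.7 country=RO result=FAIL
2024-05-03T10:05:14Z user=asmith src=203.0.113.7 country=RO result=FAIL
2024-05-03T10:05:19Z user=asmith src=203.0.113.7 country=RO result=FAIL
2024-05-03T10:05:23Z user=asmith src=203.0.113.7 country=RO result=FAIL
2024-05-03T10:05:30Z user=asmith src=203.0.113.7 country=RO result=OK
2024-05-03T11:00:00Z user=jdoe src=198.51.100.10 country=US result=FAIL
2024-05-03T11:00:05Z user=jdoe src=198.51.100.10 country=US result=OK
"""

# Assumed per-user baseline of countries seen in normal use (hypothetical data).
BASELINE_COUNTRIES = {"jdoe": {"US"}, "asmith": {"US", "GB"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_credential_compromise(log_text, baseline, min_failures=3,
                                 window=timedelta(minutes=10)):
    """Return one alert per successful login that (a) follows at least
    `min_failures` failures for the same user inside `window` and (b) comes
    from a country outside that user's baseline."""
    recent_failures = defaultdict(deque)  # user -> timestamps of failures in window
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        fails = recent_failures[ev["user"]]
        # Drop failures that have aged out of the sliding window.
        while fails and ev["ts"] - fails[0] > window:
            fails.popleft()
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
            continue
        # result == "OK": evaluate, then reset this user's failure counter.
        unusual_location = ev["country"] not in baseline.get(ev["user"], set())
        if len(fails) >= min_failures and unusual_location:
            alerts.append({
                "user": ev["user"],
                "src": ev["src"],
                "country": ev["country"],
                "failures_before_success": len(fails),
                "success_at": ev["ts"].isoformat(),
                # Incident category the playbook selection would key on.
                "category": "credential compromise",
            })
        fails.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_compromise(SAMPLE_LOGS, BASELINE_COUNTRIES):
        print(alert)
```

On the sample input only asmith is flagged: four failures in fourteen seconds followed by a success from RO, which is outside the assumed baseline. jdoe's single failure followed by a success from a baseline country stays below both thresholds, which is the point of requiring both conditions: a brute-force-then-success from the user's usual location is worth a lower-priority review, but a success from somewhere the user has never logged in from is what justifies opening the credential compromise playbook.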

88

After a major incident, the lessons learned meeting is scheduled. According to best practices, when should this meeting typically be held after incident resolution?

89

During a P1 incident involving a ransomware attack, the incident response manager needs to communicate with executives. Which of the following is the most appropriate approach for executive communication?

90

An organization is updating its incident response plan after a lessons learned meeting. Which of the following is the primary purpose of updating the plan based on lessons learned?

91

A company experiences a DDoS attack that overwhelms its internet-facing services. The incident response team implements mitigation measures. During which phase of incident response is it most appropriate to collect and preserve evidence for potential legal action?

92

Which type of incident response exercise involves a facilitated discussion of a hypothetical scenario to review plans and procedures?

93

An organization has a policy to share indicators of compromise (IoCs) with an Information Sharing and Analysis Center (ISAC). This activity is most closely associated with which phase of incident management?

94

Which TWO of the following are essential components of an incident response programme that should be established before an incident occurs? (Select TWO.)

95

Which TWO of the following are appropriate criteria for escalating an incident to the crisis management team (CMT)? (Select TWO.)

96

Which THREE of the following are key activities during the post-incident phase of incident management? (Select THREE.)

97

Which component of an incident response programme provides detailed step-by-step instructions for handling a specific type of incident, such as ransomware or data breach?

98

During a P1 (critical) security incident, which of the following is the MOST appropriate frequency for providing executive status updates?

99

An organization has experienced a ransomware incident that has encrypted critical servers. The incident response team is working on containment. Which communication should the incident manager prioritize FIRST?

100

Which post-incident activity involves identifying the technical cause, the process failure that allowed it, and the management/governance failure that permitted the process failure?

101

Which incident severity level is characterized by major business impact, requires executive notification, and demands 24/7 response?

102

An organization's incident response team has contained a data breach. Legal counsel has advised that litigation is likely. Which of the following actions should the team take to preserve evidence?

103

During a major cybersecurity incident, the crisis management team (CMT) has been activated. Which of the following is the PRIMARY responsibility of the CEO as a member of the CMT?

104

What is the recommended timeframe for holding a lessons learned meeting after an incident has been resolved?

105

Which of the following is a key reason to have a forensic retainer in place before an incident occurs?

106

An incident response team is handling a supply chain compromise that has affected a critical business process. The estimated recovery time exceeds the maximum tolerable downtime (MTD). What should the incident manager do NEXT?

107

Which of the following is a key objective of sharing threat intelligence, such as indicators of compromise (IoCs), with an Information Sharing and Analysis Center (ISAC)?

108

Which incident category involves unauthorized access to systems or data by an individual within the organization?

109

An organization has experienced a P2 incident. According to standard incident severity definitions, which response timeframe is typically expected?

110

A security analyst suspects a credential compromise involving an executive's account. The analyst has isolated the system. What should be the NEXT step according to best practices?

111

Which of the following is the PRIMARY reason to include legal counsel in the incident response team?

112

Which TWO of the following are required components of an incident response programme according to best practices? (Select two.)

113

Which THREE of the following are appropriate members of a crisis management team (CMT) for a major cybersecurity incident? (Select three.)

114

Which TWO of the following are typical notification deadlines for regulatory reporting of a data breach? (Select two.)

115

Which THREE of the following are objectives of a lessons learned meeting after an incident? (Select three.)

116

Which component of an incident response program is most likely to include step-by-step technical actions for addressing a specific type of security incident?

117

During a P1 (critical) security incident involving a ransomware attack that has encrypted critical servers, which role is primarily responsible for coordinating the overall response and ensuring timely communication to executive leadership?

118

During a data breach investigation, the legal counsel advises the incident response team to ensure that communications with external forensic experts are protected by attorney-client privilege. Which action best preserves this privilege?

119

After a P2 (high) incident is resolved, the incident response team conducts a lessons learned meeting. Which timeframe is most appropriate for holding this meeting?

120

When an incident cannot be resolved within the maximum tolerable downtime (MTD), what is the appropriate action regarding business continuity and disaster recovery (BC/DR)?

121

Which incident category typically involves an employee intentionally or accidentally causing harm to the organization's information systems?

122

During a P1 incident, the crisis management team (CMT) is activated and meets within the first hour. Which communication practice is most appropriate for the CMT to follow when providing updates to the board of directors?

123

Which of the following is the primary purpose of conducting a root cause analysis (RCA) after a security incident?

124

In the context of incident severity classification, which of the following best describes a P3 (medium) incident?

125

An organization is updating its incident response plan after a major incident. Which post-incident activity should be performed to ensure the plan reflects lessons learned?

126

A company discovers a credential compromise affecting multiple user accounts. According to best practices, what is the first step the incident response team should take?

127

Under the SEC's cybersecurity incident disclosure rules (Form 8-K Item 1.05, adopted in 2023), what is the timeframe for reporting a material cybersecurity incident?

128

Which of the following is an example of an external stakeholder that should be included in the incident response plan's vendor contacts list?

129

Which TWO of the following are key responsibilities of the crisis management team (CMT) during a major cybersecurity incident?

130

Which THREE of the following are essential elements of a forensic evidence handling procedure to ensure admissibility in court?
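Questions 57, 74 and 130 (and 27, 102 and 139) all turn on the same two controls that make digital evidence defensible in court: a cryptographic hash taken at acquisition and re-verified at every hand-off, and an unbroken chain of custody in which each transfer is released by the person who last received the item. What follows is an added example, not code from Courseiva or from the ISACA CISM material: a minimal chain-of-custody record in Python. The evidence identifier, handler names, server name, acquisition time and the stand-in image bytes are all constructed for the example.

```python
"""Chain-of-custody record for a forensic image, with hash verification at every hand-off."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (in practice a file on write-blocked media).
SAMPLE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x90" * 512
# Assumed acquisition time for the example chain.
T0 = datetime(2024, 5, 3, 14, 0, tzinfo=timezone.utc)


def sha256_hex(data: bytes) -> str:
    """Hash taken at acquisition and recomputed whenever the item changes hands."""
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Append-only log of who held an evidence item, when, and what it hashed to."""

    def __init__(self, evidence_id, description, image, collected_by, collected_at):
        self.evidence_id = evidence_id
        self.description = description
        self.acquisition_hash = sha256_hex(image)
        self.entries = [{
            "action": "collected",
            "released_by": None,
            "received_by": collected_by,
            "at": collected_at.isoformat(),
            "sha256": self.acquisition_hash,
        }]

    @property
    def custodian(self):
        """Whoever received the item in the most recent entry."""
        return self.entries[-1]["received_by"]

    def transfer(self, released_by, received_by, at, image):
        """Record a hand-off. Refuses a transfer from anyone but the current custodian
        (that would be a gap in the chain). Returns True if the hash still matches."""
        if released_by != self.custodian:
            raise ValueError(f"{released_by!r} is not the current custodian ({self.custodian!r})")
        digest = sha256_hex(image)
        self.entries.append({
            "action": "transferred",
            "released_by": released_by,
            "received_by": received_by,
            "at": at.isoformat(),
            "sha256": digest,
        })
        return digest == self.acquisition_hash

    def integrity_intact(self, image) -> bool:
        """Does the item as presented now still match what was acquired?"""
        return sha256_hex(image) == self.acquisition_hash

    def chain_is_continuous(self) -> bool:
        """Every hand-off must be released by the previous receiver, and every
        recorded hash must equal the acquisition hash."""
        for prev, cur in zip(self.entries, self.entries[1:]):
            if cur["released_by"] != prev["received_by"]:
                return False
        return all(e["sha256"] == self.acquisition_hash for e in self.entries)

    def to_json(self) -> str:
        """Serialised form kept alongside the image (and handed to counsel on request)."""
        return json.dumps({
            "evidence_id": self.evidence_id,
            "description": self.description,
            "acquisition_sha256": self.acquisition_hash,
            "entries": self.entries,
        }, indent=2)


def example_chain() -> CustodyRecord:
    """Analyst collects, hands to the evidence locker, locker hands to the vendor.
    Handler names and the server name are assumptions for the example."""
    rec = CustodyRecord("EV-0001", "disk image of srv-db-01", SAMPLE_IMAGE, "analyst.a", T0)
    rec.transfer("analyst.a", "evidence.locker", T0.replace(hour=16), SAMPLE_IMAGE)
    rec.transfer("evidence.locker", "forensics.vendor", T0.replace(hour=18), SAMPLE_IMAGE)
    return rec


if __name__ == "__main__":
    record = example_chain()
    print(record.to_json())
    print("chain continuous:", record.chain_is_continuous())
```

Two failure modes the record catches: a transfer attempted by someone who is not the current custodian is refused outright (a gap in custody cannot be appended), and a hand-off that presents a modified image is recorded with its mismatching hash, after which `chain_is_continuous()` returns False. The record itself should be signed or stored in a system the handlers cannot silently edit; this example only shows the data model.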

131

Which component of the incident response programme provides step-by-step technical instructions for handling a specific type of security incident?

132

During a P1 (critical) incident involving a ransomware attack that has encrypted critical systems, the incident manager needs to provide updates to executives. What is the recommended frequency for situation reports (sitreps)?

133

A security analyst discovers that an employee's credentials were used to access a sensitive database containing customer PII. The analyst immediately disables the account and begins remediation. Which incident category best describes this scenario?

134

Following containment of a ransomware incident, the incident response team is conducting a root cause analysis. Which method involves repeatedly asking 'why' to drill down to underlying causes?

135

What is the primary purpose of having a pre-established forensic retainer agreement with an external forensics firm?

136

During a major incident, the crisis management team (CMT) has been activated. Which of the following is typically NOT a member of the CMT?

137

An incident response team is handling a P2 (high) incident. According to the incident severity classification, which of the following is the expected response timeframe?

138

Which document outlines the overall strategy, roles, and responsibilities for incident response across the organization?

139

After a data breach incident, the incident response team must preserve evidence for potential litigation. Which of the following actions should be taken FIRST?

140

An organization is required to notify regulators of a material cybersecurity incident within 4 business days. Which regulation imposes this requirement?
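Questions 18, 39, 54, 75, 82, 114, 127 and 140 ask for notification deadlines, and the practitioner's trap is not the number but when each clock starts. GDPR Article 33(1) runs 72 hours from the controller becoming aware of the breach; SEC Form 8-K Item 1.05 runs four business days from the registrant's determination that the incident is material, not from discovery. Both regimes allow an initial filing followed by updates (Article 33(4) permits information to be provided in phases; the SEC rule requires an amended Form 8-K for information that was not available at the initial filing). What follows is an added example, not code from Courseiva or from the ISACA CISM material: a deadline calculator in Python for both clocks. The holiday calendar is an assumption; a real implementation would use the official calendar for the relevant jurisdiction or exchange.

```python
"""Breach-notification deadline calculator: GDPR Art. 33 (72 hours from awareness)
and SEC Form 8-K Item 1.05 (four business days from the materiality determination)."""
from datetime import date, datetime, timedelta, timezone

# Hypothetical holiday calendar for the example; substitute the official one in practice.
ASSUMED_HOLIDAYS = {date(2024, 5, 27)}


def gdpr_deadline(became_aware_at: datetime) -> datetime:
    """GDPR Art. 33(1): notify the supervisory authority without undue delay and,
    where feasible, not later than 72 hours after becoming aware of the breach."""
    if became_aware_at.tzinfo is None:
        raise ValueError("use a timezone-aware datetime so the 72-hour clock is unambiguous")
    return became_aware_at + timedelta(hours=72)


def is_business_day(d: date, holidays=ASSUMED_HOLIDAYS) -> bool:
    """Monday to Friday, excluding the supplied holidays."""
    return d.weekday() < 5 and d not in holidays


def add_business_days(start: date, n: int, holidays=ASSUMED_HOLIDAYS) -> date:
    """The date that is `n` business days after `start` (the start day itself is not counted)."""
    d = start
    remaining = n
    while remaining > 0:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            remaining -= 1
    return d


def sec_deadline(materiality_determined_on: date, holidays=ASSUMED_HOLIDAYS) -> date:
    """SEC Form 8-K Item 1.05: file within four business days after the registrant
    determines the incident is material. The clock starts at that determination,
    which may be days after the incident was first detected."""
    return add_business_days(materiality_determined_on, 4, holidays)


def notification_status(became_aware_at: datetime, materiality_determined_on: date,
                        now: datetime) -> dict:
    """Summarise both clocks relative to `now` for an executive sitrep."""
    g = gdpr_deadline(became_aware_at)
    s = sec_deadline(materiality_determined_on)
    return {
        "gdpr_deadline": g.isoformat(),
        "gdpr_hours_left": round((g - now).total_seconds() / 3600, 1),
        "sec_deadline": s.isoformat(),
        "sec_overdue": now.date() > s,
    }


if __name__ == "__main__":
    aware = datetime(2024, 5, 3, 9, 30, tzinfo=timezone.utc)   # assumed awareness time
    print(notification_status(aware, date(2024, 5, 2), datetime.now(timezone.utc)))
```

With the assumed dates, a materiality determination on Thursday 2 May 2024 gives a filing deadline of Wednesday 8 May (the weekend is skipped), and a determination on Thursday 23 May gives Thursday 30 May because the assumed Monday holiday is also skipped. The GDPR clock is wall-clock time, so weekends and holidays do not extend it.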

141

During a DDoS attack, the incident response team determines that the attack cannot be mitigated within the maximum tolerable downtime (MTD). What should happen next?

142

Which of the following is the primary reason for conducting a lessons learned meeting after an incident?

143

An organization has just experienced a P1 incident. Which of the following communication steps should occur FIRST?

144

During a forensic investigation, the external forensics firm discovers evidence that may indicate criminal activity. The incident manager wants to ensure attorney-client privilege is maintained. What should be done?

145

Which incident severity level requires executive notification and a 24/7 response?

146

Which TWO of the following are components of an incident response programme?

147

Which TWO of the following are incident categories in an incident management programme?

148

Which THREE of the following are typical roles in an incident response team?

149

An organization has experienced a ransomware attack that has encrypted critical servers and is causing major business disruption. According to incident severity levels, which priority should this incident be assigned?

150

During a major cybersecurity incident, the incident response team determines that the incident cannot be resolved within the maximum tolerable downtime (MTD). Which of the following actions should be taken next?


Frequently asked questions

What does the Incident Management domain cover on the CISM exam?

Incident Management is Domain 4 of the ISACA CISM job practice and carries a 30% weight on the exam. ISACA splits it into Incident Management Readiness (incident response plan, business impact analysis, business continuity and disaster recovery plans, incident classification and categorization, and training, testing and evaluation) and Incident Management Operations (tools and techniques, investigation and evaluation, containment, communications, eradication and recovery, and post-incident review). The questions above map onto those areas: severity classification and notification levels, MTD and the hand-off to BC/DR, crisis management and executive communication, evidence handling and legal privilege, regulatory notification deadlines, and root cause analysis and lessons learned. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISM domains, with no account required.

How many Incident Management questions are in the CISM question bank?

The Courseiva CISM question bank contains 150 questions in the Incident Management domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Incident Management for CISM?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Incident Management questions for CISM?

Yes — the session launcher on this page draws questions exclusively from the Incident Management domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
