Practice CISM Incident Management questions with full explanations on every answer.
1. An organization's incident response (IR) policy should be approved by which of the following to ensure authority and accountability?
2. During a P1 (critical) incident, the incident response manager has been providing hourly situation reports (sitreps) to executives. What is the primary reason for involving legal counsel in these communications?
3. An organization has experienced a ransomware incident that has encrypted critical servers. The incident response team is unable to restore operations within the maximum tolerable downtime (MTD). Which action should be taken next?
4. Which incident severity level requires executive notification and a 24/7 response?
5. Following a data breach, an organization conducts a root cause analysis using the 5 Whys technique. The analysis identifies that a misconfigured firewall allowed unauthorized access. What is the most important next step to prevent recurrence?
6. An organization's incident response plan includes playbooks for different incident types. Which playbook should be used for an incident involving unauthorized access to a user's account due to phishing?
7. Which of the following is typically a member of the crisis management team (CMT) during a major cybersecurity incident?
8. As part of post-incident activities, an organization schedules a lessons learned meeting. When should this meeting ideally take place?
9. During a data breach investigation, legal counsel instructs the forensics team to preserve evidence under attorney-client privilege. Which of the following actions is most critical to maintain that privilege?
10. An organization is updating its incident response playbook after a ransomware attack. Which of the following should be included as a key step in the ransomware playbook?
11. Which of the following is the primary purpose of having a pre-established forensic retainer agreement?
12. After a supply chain attack, the incident response team identifies that a third-party vendor's compromised credentials were used to access the organization's network. Which incident category should this be classified under?
13. Which TWO of the following are essential components of an incident response programme?
14. Which THREE of the following should be included in an incident communication template?
15. Which TWO of the following are appropriate actions for preserving evidence during a cybersecurity incident?
16. During a major security incident classified as P1, which of the following is the MOST appropriate communication frequency to the executive team?
17. An organization's incident response team has contained a ransomware incident. What is the NEXT step according to the incident management program?
18. An organization has just experienced a data breach involving personal data of EU residents. Under GDPR, what is the maximum time frame for notifying the supervisory authority?
19. Which of the following is the PRIMARY purpose of an incident response plan?
20. During a DDoS attack classified as P2, what is the EXPECTED response time and notification level?
21. An organization is conducting a root cause analysis after an insider threat incident. Which of the following tools is MOST appropriate for identifying the underlying management governance failure?
22. When should an incident response transition to business continuity and disaster recovery (BC/DR) activation?
23. Which of the following is the FIRST step when engaging an external forensics firm for an incident?
24. An organization has experienced a credential compromise incident. Which playbook should the incident response team primarily use?
25. During a major incident, the crisis management team (CMT) has been activated. Which of the following is the PRIMARY responsibility of the communications lead on the CMT?
26. What is the PRIMARY purpose of conducting a lessons learned meeting after an incident?
27. An organization's incident response team has identified that a data breach involves customer personal information. Which of the following should be done FIRST to preserve evidence for potential litigation?
28. Which TWO of the following are essential components of an incident response plan? (Select two.)
29. Which TWO of the following are key roles on the crisis management team (CMT) for a major cybersecurity incident? (Select two.)
30. Which THREE of the following are incident severity levels defined in a typical incident management program? (Select three.)
31. During a P1 incident, the incident response team identifies that the root cause is a misconfigured firewall. According to best practices, which of the following should be the PRIMARY focus of the root cause analysis?
32. An organization has experienced a ransomware attack that has encrypted critical servers. The incident response team is unable to contain the incident within the maximum tolerable downtime (MTD). Who has the authority to declare a disaster and activate the business continuity plan?
33. Which of the following is the PRIMARY purpose of having a pre-established contract with a digital forensics firm before an incident occurs?
34. During a data breach investigation, the incident response team discovers that a backup was encrypted by ransomware. The team needs to determine the sequence of events leading to the encryption. Which of the following documentation is MOST critical to preserve for potential litigation?
35. An organization's incident response team is handling a P2 incident involving an insider threat. The team has identified the employee responsible. The communications lead is preparing a notification to affected parties. Which of the following should be included in the notification?
36. Following a major security incident, the lessons learned meeting is scheduled. Which of the following outcomes is MOST important to ensure the effectiveness of future incident response?
37. Which incident severity level requires executive notification and a 24/7 response?
38. During a DDoS attack, the incident response team is struggling to mitigate the attack. The team decides to engage the organization's ISP and a DDoS mitigation service. Which of the following should be done FIRST?
39. An organization is subject to GDPR and experiences a data breach involving personal data. What is the maximum timeframe to notify the supervisory authority?
40. Following a credential compromise incident, the incident response team is conducting root cause analysis using the 5 Whys technique. The first 'why' reveals that the password was weak. The second 'why' reveals that the password policy allowed simple passwords. What should be the focus of the third 'why'?
41. An incident response team is conducting an exercise to test its playbook for a ransomware incident. Which of the following is the PRIMARY benefit of such an exercise?
42. During a P1 incident, the incident response manager is preparing an executive sitrep. Which of the following should be included to preserve legal privilege?
43. An organization is updating its incident response plan. Which TWO components should be included to ensure effective evidence handling? (Select TWO.)
44. During a major cybersecurity incident, the crisis management team (CMT) is activated. Which THREE roles are typically part of the CMT? (Select THREE.)
45. An incident response team is creating playbooks for different incident types. Which TWO incident types should have a dedicated playbook? (Select TWO.)
46. During a major cybersecurity incident classified as P1, the incident response team has been activated. The crisis management team (CMT) is also convened. Which of the following is the PRIMARY responsibility of the CMT during this incident?
47. An organization's incident response plan includes a ransomware playbook. After detecting ransomware on a critical server, which of the following should be the FIRST action according to best practices?
48. During a post-incident root cause analysis, the team uses the '5 Whys' technique and identifies a technical vulnerability as the cause. According to CISM best practices, what should be the NEXT level of analysis?
49. An incident has been declared as P2 (high severity). According to the incident classification, what is the expected response timeframe and notification requirement?
50. In the context of incident management, which of the following is the PRIMARY purpose of conducting lessons learned meetings within two weeks of incident resolution?
51. During a data breach investigation, an organization engages an external forensics firm. To preserve attorney-client privilege, which of the following is the BEST practice?
52. What is the PRIMARY reason for having an incident response team roster and contact list readily available?
53. After a DDoS attack, the incident response team determines that the incident cannot be resolved within the maximum tolerable downtime (MTD). According to best practices, what should happen next?
54. An organization is required to report a material cybersecurity incident to the SEC within 4 business days (proposed rule). However, the incident is still under investigation. What is the BEST course of action?
55. Which of the following incident types is MOST likely to require activation of the crisis management team (CMT) due to potential regulatory and reputational impact?
56. In the incident response team structure, who is typically responsible for coordinating communication with external stakeholders such as customers and the media?
57. An organization maintains evidence handling procedures for incident response. A forensic investigator needs to collect a hard drive from a compromised server. Which of the following is the MOST critical step to ensure admissibility in court?
58. An organization is updating its incident response plan. Which TWO components are essential to include for effective insider threat management? (Select TWO.)
59. After a data breach involving customer PII, the incident response team is conducting a root cause analysis. Which THREE factors should be examined according to CISM best practices? (Select THREE.)
60. An organization is preparing for a potential supply chain incident. According to CISM best practices, which THREE elements should be included in the supply chain incident playbook? (Select THREE.)
61. An organization has experienced a ransomware attack that encrypted critical servers. The incident has been classified as P1. Which of the following is the FIRST action the incident response team should take according to the IR plan?
62. Which of the following is the PRIMARY purpose of conducting a lessons learned meeting after an incident?
63. During a major data breach investigation, legal counsel advises the incident response team to preserve attorney-client privilege over communications with external forensic investigators. Which of the following actions BEST supports this objective?
64. An organization's incident response team is handling a P2 insider threat incident involving unauthorized access to customer data. According to the incident classification, which of the following is the MOST appropriate notification and response timeframe?
65. Which of the following is the PRIMARY reason for having a pre-established forensic retainer agreement before an incident occurs?
66. During a P1 incident, the crisis management team (CMT) has been activated. The CEO asks for an hourly sitrep. Which of the following is the MOST appropriate content for the sitrep?
67. An organization has experienced a DDoS attack that is overwhelming its internet-facing services. The incident response team has implemented mitigations, but services remain degraded. The maximum tolerable downtime (MTD) for the affected services is 4 hours, and 3 hours have passed. Which of the following should the incident manager do NEXT?
68. Which of the following is the BEST approach for sharing threat intelligence indicators of compromise (IoCs) after an incident?
69. Which of the following is the PRIMARY reason for including communication templates in the incident response plan?
70. An organization is conducting a root cause analysis after a data breach. Which of the following sequences BEST aligns with the 5 Whys approach from a CISM perspective?
71. During a P1 incident involving a ransomware attack, the crisis management team has been activated. The communications lead is drafting an all-staff internal communication. Which of the following should be INCLUDED in this communication?
72. Which of the following is the PRIMARY role of the executive sponsor in the incident response team structure?
73. Which of the following incident categories would typically require the involvement of the crisis management team?
74. An organization's incident response plan requires that evidence be preserved for potential litigation. Which of the following actions is MOST critical to ensure the admissibility of digital evidence?
75. After a data breach involving personal data of EU residents, the incident manager must ensure compliance with GDPR notification requirements. Within how many hours must the organization notify the relevant supervisory authority of the breach?
76. Which TWO of the following are essential components of an incident response (IR) plan? (Select TWO)
77. Which THREE of the following are typical roles in an incident response team? (Select THREE)
78. Which TWO of the following are key considerations when managing an external forensics firm during an incident? (Select TWO)
79. Which component of an incident response programme provides detailed step-by-step instructions for handling a specific type of incident?
80. During a P1 (critical) incident, the incident response manager is coordinating response activities. Who is primarily responsible for activating the crisis management team (CMT)?
81. Following a ransomware incident where data was encrypted and exfiltrated, the root cause analysis reveals that the initial access occurred through a phishing email that bypassed email filters due to a misconfiguration. The misconfiguration was not identified because the security team lacked a formal process to review firewall rule changes. Which of the following is the most appropriate management/governance failure to document in the lessons learned?
82. An organization has experienced a data breach involving personal data of EU residents. Under GDPR, what is the maximum time frame within which the organization must notify the relevant supervisory authority?
83. Which incident severity level requires executive notification and 24/7 response, and has major business impact?
84. During a major incident, the incident response team discovers that the incident cannot be resolved within the maximum tolerable downtime (MTD). Which of the following actions should be taken next?
85. An organization is engaging an external forensics firm to investigate a suspected data breach. Which of the following is the most important step to ensure that evidence remains admissible in legal proceedings?
86. Which role in the incident response team structure is responsible for coordinating all response activities and making decisions about incident severity classification?
87. A security analyst detects a series of failed login attempts followed by a successful login from an unusual geographic location. The account is a standard user account. Which incident category best describes this scenario?
88. After a major incident, the lessons learned meeting is scheduled. According to best practices, when should this meeting typically be held after incident resolution?
89. During a P1 incident involving a ransomware attack, the incident response manager needs to communicate with executives. Which of the following is the most appropriate approach for executive communication?
90. An organization is updating its incident response plan after a lessons learned meeting. Which of the following is the primary purpose of updating the plan based on lessons learned?
91. A company experiences a DDoS attack that overwhelms its internet-facing services. The incident response team implements mitigation measures. During which phase of incident response is it most appropriate to collect and preserve evidence for potential legal action?
92. Which type of incident response exercise involves a facilitated discussion of a hypothetical scenario to review plans and procedures?
93. An organization has a policy to share indicators of compromise (IoCs) with an Information Sharing and Analysis Center (ISAC). This activity is most closely associated with which phase of incident management?
94. Which TWO of the following are essential components of an incident response programme that should be established before an incident occurs? (Select TWO.)
95. Which TWO of the following are appropriate criteria for escalating an incident to the crisis management team (CMT)? (Select TWO.)
96. Which THREE of the following are key activities during the post-incident phase of incident management? (Select THREE.)
97. Which component of an incident response programme provides detailed step-by-step instructions for handling a specific type of incident, such as ransomware or data breach?
98. During a P1 (critical) security incident, which of the following is the MOST appropriate frequency for providing executive status updates?
99. An organization has experienced a ransomware incident that has encrypted critical servers. The incident response team is working on containment. Which communication should the incident manager prioritize FIRST?
100. Which post-incident activity involves identifying the technical cause, the process failure that allowed it, and the management/governance failure that permitted the process failure?
101. Which incident severity level is characterized by major business impact, requires executive notification, and demands 24/7 response?
102. An organization's incident response team has contained a data breach. Legal counsel has advised that litigation is likely. Which of the following actions should the team take to preserve evidence?
103. During a major cybersecurity incident, the crisis management team (CMT) has been activated. Which of the following is the PRIMARY responsibility of the CEO as a member of the CMT?
104. What is the recommended timeframe for holding a lessons learned meeting after an incident has been resolved?
105. Which of the following is a key reason to have a forensic retainer in place before an incident occurs?
106. An incident response team is handling a supply chain compromise that has affected a critical business process. The estimated recovery time exceeds the maximum tolerable downtime (MTD). What should the incident manager do NEXT?
107. Which of the following is a key objective of sharing threat intelligence, such as indicators of compromise (IoCs), with an Information Sharing and Analysis Center (ISAC)?
108. Which incident category involves unauthorized access to systems or data by an individual within the organization?
109. An organization has experienced a P2 incident. According to standard incident severity definitions, which response timeframe is typically expected?
110. A security analyst suspects a credential compromise involving an executive's account. The analyst has isolated the system. What should be the NEXT step according to best practices?
111. Which of the following is the PRIMARY reason to include legal counsel in the incident response team?
112. Which TWO of the following are required components of an incident response programme according to best practices? (Select two.)
113. Which THREE of the following are appropriate members of a crisis management team (CMT) for a major cybersecurity incident? (Select three.)
114. Which TWO of the following are typical notification deadlines for regulatory reporting of a data breach? (Select two.)
115. Which THREE of the following are objectives of a lessons learned meeting after an incident? (Select three.)
116. Which component of an incident response program is most likely to include step-by-step technical actions for addressing a specific type of security incident?
117. During a P1 (critical) security incident involving a ransomware attack that has encrypted critical servers, which role is primarily responsible for coordinating the overall response and ensuring timely communication to executive leadership?
118. During a data breach investigation, the legal counsel advises the incident response team to ensure that communications with external forensic experts are protected by attorney-client privilege. Which action best preserves this privilege?
119. After a P2 (high) incident is resolved, the incident response team conducts a lessons learned meeting. Which timeframe is most appropriate for holding this meeting?
120. When an incident cannot be resolved within the maximum tolerable downtime (MTD), what is the appropriate action regarding business continuity and disaster recovery (BC/DR)?
121. Which incident category typically involves an employee intentionally or accidentally causing harm to the organization's information systems?
122. During a P1 incident, the crisis management team (CMT) is activated and meets within the first hour. Which communication practice is most appropriate for the CMT to follow when providing updates to the board of directors?
123. Which of the following is the primary purpose of conducting a root cause analysis (RCA) after a security incident?
124. In the context of incident severity classification, which of the following best describes a P3 (medium) incident?
125. An organization is updating its incident response plan after a major incident. Which post-incident activity should be performed to ensure the plan reflects lessons learned?
126. A company discovers a credential compromise affecting multiple user accounts. According to best practices, what is the first step the incident response team should take?
127. Under the proposed SEC rules for cybersecurity incident disclosure, what is the timeframe for reporting a material cybersecurity incident?
128. Which of the following is an example of an external stakeholder that should be included in the incident response plan's vendor contacts list?
129. Which TWO of the following are key responsibilities of the crisis management team (CMT) during a major cybersecurity incident?
130. Which THREE of the following are essential elements of a forensic evidence handling procedure to ensure admissibility in court?
131. Which component of the incident response programme provides step-by-step technical instructions for handling a specific type of security incident?
132. During a P1 (critical) incident involving a ransomware attack that has encrypted critical systems, the incident manager needs to provide updates to executives. What is the recommended frequency for situation reports (sitreps)?
133. A security analyst discovers that an employee's credentials were used to access a sensitive database containing customer PII. The analyst immediately disables the account and begins remediation. Which incident category best describes this scenario?
134. Following containment of a ransomware incident, the incident response team is conducting a root cause analysis. Which method involves repeatedly asking 'why' to drill down to underlying causes?
135. What is the primary purpose of having a pre-established forensic retainer agreement with an external forensics firm?
136. During a major incident, the crisis management team (CMT) has been activated. Which of the following is typically NOT a member of the CMT?
137. An incident response team is handling a P2 (high) incident. According to the incident severity classification, which of the following is the expected response timeframe?
138. Which document outlines the overall strategy, roles, and responsibilities for incident response across the organization?
139. After a data breach incident, the incident response team must preserve evidence for potential litigation. Which of the following actions should be taken FIRST?
140. An organization is required to notify regulators of a material cybersecurity incident within 4 business days. Which regulation imposes this requirement?
141. During a DDoS attack, the incident response team determines that the attack cannot be mitigated within the maximum tolerable downtime (MTD). What should happen next?
142. Which of the following is the primary reason for conducting a lessons learned meeting after an incident?
143. An organization has just experienced a P1 incident. Which of the following communication steps should occur FIRST?
144. During a forensic investigation, the external forensics firm discovers evidence that may indicate criminal activity. The incident manager wants to ensure attorney-client privilege is maintained. What should be done?
145. Which incident severity level requires executive notification and a 24/7 response?
146. Which TWO of the following are components of an incident response programme?
147. Which TWO of the following are incident categories in an incident management programme?
148. Which THREE of the following are typical roles in an incident response team?
149. An organization has experienced a ransomware attack that has encrypted critical servers and is causing major business disruption. According to incident severity levels, which priority should this incident be assigned?
150. During a major cybersecurity incident, the incident response team determines that the incident cannot be resolved within the maximum tolerable downtime (MTD). Which of the following actions should be taken next?
The Incident Management domain covers the key concepts tested in this area of the CISM exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISM domains — no account required.
The Courseiva CISM question bank contains 150 questions in the Incident Management domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Incident Management domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.