Practice CISM Information Security Program questions with full explanations on every answer.
1. An organization's information security program has been in place for two years. During a recent audit, several findings indicated that security controls are not consistently applied across business units. The CISO has been asked to improve the program. Which of the following should the CISO do FIRST?
2. A multinational corporation is designing its information security program and must decide how to balance security with business agility. The company operates in highly regulated industries with varying legal requirements. Which of the following approaches BEST aligns with industry best practices for such an environment?
3. An organization is developing a new information security program and wants to ensure it aligns with business objectives. Which of the following is the MOST critical first step?
4. During a merger, two companies with different information security programs are being integrated. The combined entity must maintain compliance with PCI DSS and GDPR. The CISO is concerned about gaps in coverage due to differing maturity levels. Which of the following is the BEST approach to harmonize the programs?
5. Which TWO of the following are key components of an information security program governance structure? (Select TWO.)
6. Refer to the exhibit. An analyst observes the network traffic between three internal hosts and a web server. Which of the following is the MOST likely interpretation of this traffic?
7. You are the CISO of a mid-sized financial services firm that processes credit card transactions. The company has recently expanded its operations to include a mobile payment application that stores payment credentials in the cloud. The current information security program was designed primarily for the on-premises environment and has not been updated to address cloud-specific risks. The internal audit team has identified that the cloud service provider (CSP) does not have an independent third-party audit report (e.g., SOC 2) available for review. Additionally, the mobile app development team has been deploying code without formal security review, citing the need for rapid releases to compete in the market. The CEO has expressed concern about the potential for a data breach and has asked you to recommend immediate actions to strengthen the security program while minimizing business disruption. Which of the following should you recommend as the FIRST course of action?
8. An information security program is being developed for a multinational organization. Which of the following is the PRIMARY driver for aligning the security program with business objectives?
9. After a major security incident, the board of directors requests a review of the information security program. Which of the following metrics would be MOST useful to demonstrate the effectiveness of the program over the past year?
10. An information security manager is designing a program for a healthcare organization. Which of the following should be the FIRST step in establishing the program?
11. An organization's information security program includes a formal exception process. When reviewing an exception request to bypass a critical control, what is the MOST important factor for the information security manager to consider?
12. Which of the following are key components of an effective information security program? (Select TWO.)
13. An information security manager is evaluating the maturity of the organization's security program. Which of the following indicators suggest a high level of maturity? (Select TWO.)
14. Match the following security program components with their primary purpose by dragging each component to the correct description.
15. Which of the following is the PRIMARY responsibility of a steering committee in an information security program?
16. An organization's information security program is based on a risk management framework. Which of the following BEST describes the role of the information security manager in this context?
17. An organization has implemented a balanced scorecard to measure the effectiveness of its information security program. Which of the following metrics would be MOST appropriate for the 'internal processes' perspective?
18. Which of the following are key components of an information security program? (Select TWO.)
19. An information security manager is developing a security program for a multinational organization. Which of the following should be considered when defining the program scope? (Select THREE.)
20. Match each information security program component with its correct description.
21. Which of the following best describes the primary purpose of an Information Security Program?
22. An organization's information security program has been operational for two years. The security manager is asked to propose changes to improve effectiveness. Which approach should the manager take first?
23. Which of the following is the most important factor for ensuring the long-term success of an information security program?
24. An information security manager is developing a program metric to measure the effectiveness of the security awareness training. Which metric is most appropriate?
25. During a review of the information security program, the security manager discovers that the program's objectives are not aligned with the organization's strategic business goals. What is the best course of action?
26. Which of the following are essential components of an information security program governance framework? (Select TWO.)
27. An organization is designing its information security program and needs to ensure it supports business continuity. Which TWO of the following should be integrated into the program?
28. Which of the following best describes the primary purpose of a security program's governance framework?
29. An organization has a mature security program with documented policies and standards. However, during a recent audit, it was found that several business units are not following the mandated data classification standard. What is the MOST likely root cause?
30. Which document should be created FIRST when establishing an information security program?
31. An information security manager is designing a metrics program to report to the board. Which of the following metrics would be MOST meaningful to the board?
32. An organization has a security program that is aligned with ISO 27001. During an internal audit, it is discovered that several controls are not being applied consistently across all departments. The MOST effective corrective action is to:
33. Which of the following are key components of an information security program's strategic plan? (Select TWO.)
34. A security manager is evaluating the effectiveness of the security program. Which of the following would be valid indicators of a mature program? (Select TWO.)
35. Which of the following is the primary purpose of an Information Security Program?
36. An information security manager is developing a program metric to report to senior management. Which metric best demonstrates the effectiveness of the information security program?
37. Which of the following are key components of a mature information security program? (Select TWO.)
38. An information security manager is designing a security program for a multinational organization. Which factors should be considered when developing the program governance structure? (Select THREE.)
39. Match each information security program component to its primary focus area.
Components: 1. Risk Assessment; 2. Security Awareness Training; 3. Incident Response Plan; 4. Policy Framework
Focus areas: A. Human factors and behavior; B. Structured response to events; C. Identification and analysis of threats; D. Governance and compliance requirements
Drag each component to its matching focus area.
40. Arrange the steps in order for conducting a business impact analysis (BIA) in business continuity management.
41. Arrange the steps for implementing a new firewall rule in an enterprise environment.
42. Arrange the steps for performing a vulnerability scan on a network segment.
43. Match each CISM domain to its focus area.
44. Match each security framework to its primary purpose.
45. Match each security role to its primary responsibility.
46. A multinational corporation is implementing a new information security program. The program manager needs to ensure that security requirements are integrated into the procurement process for third-party services. Which of the following is the most effective approach?
47. A financial institution is developing an information security program based on the COBIT framework. The board has requested a balanced scorecard to communicate program effectiveness. Which of the following metric categories would best align with the 'Internal Processes' perspective?
48. An organization has just completed a risk assessment and identified several high-risk vulnerabilities. The security program manager needs to prioritize remediation efforts. Which of the following should be the primary factor in determining priority?
49. A company's security program includes a policy that all employees must use strong passwords and change them every 90 days. However, the recent internal audit shows that 60% of employees have passwords that do not meet the strength requirements. What is the most effective corrective action?
50. A global e-commerce company is designing its information security program. The CISO wants to implement a defense-in-depth strategy for the web application layer. Which combination of controls best achieves this objective?
51. A small business owner wants to establish an information security program but has limited budget and staff. Which of the following frameworks would be most appropriate to guide the program?
52. An organization has a mature security program but is experiencing an increase in successful social engineering attacks. The incident response team has confirmed that the attacks are bypassing current controls. What should the program manager do first?
53. A company's security program includes a policy that prohibits the use of personal devices for work. However, the CISO discovers that several executives are using personal tablets to access corporate email. What is the most appropriate action for the CISO to take?
54. Which of the following best describes the primary purpose of an information security program?
55. Which TWO of the following are essential components of a security program governance structure?
56. Which TWO of the following are key performance indicators (KPIs) that demonstrate the effectiveness of a security awareness program?
57. Which THREE of the following are typically included in an information security program budget?
58. An auditor reviews the BYOD policy and notes that mobile device management (MDM) logs show several devices without encryption. The policy has been in effect for 6 months. Which of the following is the most likely reason for this non-compliance?
59. The security analyst reviews the SIEM alert and finds that the source IP is from a trusted VPN broker used by remote employees. What is the most likely explanation for the alert?
60. Based on the risk register entry, what is the primary gap in the current controls?
61. A small business is developing its first information security program. Which approach is most effective?
62. An organization's security program has been in place for two years, but recently several security incidents occurred due to lack of user awareness. What is the most likely root cause?
63. A multinational corporation is designing a global information security program. Which governance structure best ensures consistent security while allowing regional flexibility?
64. Which of the following is the primary purpose of an information security program?
65. A security manager is tasked with building a business case for a new security program. Which metric is most persuasive to senior management?
66. After a data breach, the CISO reviews the security program. The breach exploited a known vulnerability in a legacy system that was deemed 'acceptable risk' two years ago. What should the CISO do to improve the program?
67. An organization wants to ensure that its security program aligns with business objectives. Which activity is most important?
68. A company's security program includes a set of controls based on a risk assessment. During an audit, several controls are found to be ineffective. What should the security manager do first?
69. A security program includes multiple metrics. Which metric best indicates the program's effectiveness in reducing overall risk?
70. Which TWO of the following are essential components of an information security program charter?
71. Which THREE of the following are key performance indicators (KPIs) for an information security program?
72. Which THREE of the following are critical success factors for implementing an information security program?
73. Based on the exhibit, which of the following is true about traffic from the internet to the internal network 10.0.0.0/8?
74. Based on the exhibit, what is the most significant security gap in this configuration?
75. Based on the exhibit, what is the most likely vulnerability that an attacker could exploit?
76. A company is implementing an information security program. Which of the following is the PRIMARY reason to align the program with business objectives?
77. An organization's security program includes a risk assessment process. Which step should be performed FIRST?
78. After a data breach, the CISO is updating the incident response plan. Which of the following is MOST critical to include?
79. An organization is developing an information security program for a new subsidiary. Which approach BEST ensures that the subsidiary's program complements the parent's?
80. The security team is designing a security awareness program. Which topic should be prioritized FIRST?
81. A financial institution's security program must comply with PCI DSS, GDPR, and SOX. Which approach is MOST efficient to manage overlapping compliance requirements?
82. An organization's security program includes metrics to measure performance. Which metric BEST indicates the effectiveness of the vulnerability management process?
83. A company has a small security team and limited budget. Which initial investment provides the MOST value for building an effective security program?
84. During a security program review, the auditor finds that incident response procedures have not been tested in over two years. What is the MOST significant risk arising from this finding?
85. Which TWO of the following are primary objectives of a security awareness program?
86. Which THREE elements are essential for an effective information security governance framework?
87. Which THREE characteristics indicate a higher maturity level in a security program maturity model?
88. Refer to the exhibit. The dashboard shows the incident response plan test is overdue. What is the MOST immediate risk?
89. Refer to the exhibit. An audit reveals that 20% of privileged accounts were approved by the same manager without secondary review. Which control deficiency is MOST relevant to this finding?
90. Refer to the exhibit. The CISO wants to improve the program. Which recommendation BEST addresses the main gap shown in the dashboard?
91. A security manager is developing a new information security program for a mid-sized company. Which of the following should be the FIRST step?
92. An organization's security program includes a set of metrics reported quarterly to the board. Which metric best demonstrates the effectiveness of the security awareness program?
93. A large financial institution is updating its information security program to align with a new regulatory framework. The program currently has a decentralized governance model. Which of the following is the MOST significant risk of maintaining a decentralized model?
94. Which of the following is the PRIMARY purpose of a security program's key performance indicators (KPIs)?
95. An organization has implemented a new security policy requiring multi-factor authentication for all remote access. Several users complain about the inconvenience. What is the BEST course of action for the security manager?
96. A security program manager is reviewing the results of a recent internal audit that identified several security gaps. The manager must prioritize remediation efforts. Which factor should be given the MOST weight?
97. An organization wants to ensure its information security program is aligned with business objectives. Which of the following is the BEST approach?
98. A security manager is designing a metrics dashboard for executive management. Which of the following metrics is MOST useful for demonstrating the value of the security program?
99. During a merger, the acquiring company's security program must integrate with the target company's program. What is the HIGHEST priority action?
100. An information security program must include elements to ensure continuous improvement. Which TWO of the following are MOST essential for continuous improvement?
101. A security program manager is selecting metrics to report to the board. Which THREE metrics provide the BEST indication of the program's effectiveness?
102. When establishing an information security program, which TWO of the following are key components of governance?
103. A company is implementing a new security program. The CISO wants to ensure alignment with business objectives. Which approach is best?
104. Which metric is most indicative of security program effectiveness?
105. A multinational organization needs to comply with GDPR and CCPA. What is the best approach for the information security program?
106. During a security audit, several deviations from policy are found. What should the security manager do first?
107. Which is a key component of an information security program?
108. A security program lacks executive support. What is the best strategy to gain support?
109. In developing a security awareness program, which factor is most important for effectiveness?
110. Which document should be reviewed and updated at least annually?
111. An organization has multiple business units with different risk tolerances. How should the security program address this?
112. Which TWO are essential elements of an information security program?
113. Which THREE are key performance indicators (KPIs) for an information security program?
114. Which THREE are components of the Plan phase in a security program lifecycle (e.g., ISO 27001 PDCA)?
115. A large healthcare organization recently experienced a ransomware attack that encrypted patient records (ePHI). The attack originated from a phishing email that bypassed the email security gateway. The security program includes annual security awareness training, but post-incident analysis reveals that employees often ignore suspicious emails. The CISO wants to revise the program to reduce the likelihood of similar incidents. Which course of action is most effective?
116. A multinational organization is establishing an information security program. The Chief Information Security Officer (CISO) wants to ensure the program aligns with business objectives and is accountable to senior management. Which of the following governance structures would best support this goal?
117. During a security assessment, an organization discovers that its patch management process is not consistently applied across all systems. Which of the following controls would best address this deficiency as part of the information security program?
118. An organization has implemented a data classification policy but notices that employees often mark documents as 'internal use only' even when they contain personally identifiable information (PII). Which of the following is the most effective corrective action for the information security program?
119. A company is designing its information security program and wants to ensure that it meets regulatory requirements across multiple jurisdictions. Which of the following approaches is most appropriate?
120. An organization's information security program recently experienced a ransomware attack that encrypted critical data. Which of the following program components should be improved first to prevent recurrence?
121. A large financial institution is maturing its information security program and wants to move from a reactive to a proactive posture. Which of the following initiatives would best support this transition?
122. Which TWO of the following are key performance indicators (KPIs) for measuring the effectiveness of an information security program?
123. Which TWO of the following are essential components of an information security program charter?
124. Which THREE of the following are common challenges in implementing an information security program across a large enterprise?
125. You are the CISO of a mid-sized manufacturing company. The company has grown rapidly through acquisitions, and each subsidiary has its own information security program. There is no centralized governance, and recent security incidents have occurred due to inconsistent policies. The board has asked you to create a unified information security program that balances flexibility with control. Each subsidiary has unique operational processes and varying levels of security maturity. You have limited budget and cannot replace all local security teams. Which approach should you take?
126. You are the information security program manager at a global financial services firm. The firm has a mature security program, but the CISO is concerned that the program is not keeping pace with emerging threats such as supply chain attacks and advanced persistent threats (APTs). Additionally, the program currently focuses heavily on compliance with regulations (e.g., PCI DSS, GDPR) rather than proactive risk management. The board wants to see a more strategic approach to information security. However, the compliance team is large and influential, and they resist changes that might reduce their role. You have been asked to propose a new program model that addresses these concerns while maintaining regulatory compliance. What should you do?
127. You are the CISO of a large healthcare organization that has recently experienced a data breach due to an insider who exfiltrated patient data over several months. The breach was discovered by an external partner. The organization's information security program includes data loss prevention (DLP) tools, but they were not configured to monitor outbound data from the compromised system. Additionally, user activity monitoring (UAM) was only applied to privileged users, not to regular staff. The board demands a comprehensive improvement plan that will prevent similar incidents. However, there are concerns about employee privacy and budget constraints. The organization has a strong culture of trust and minimal monitoring. Which of the following should be the first priority in the revised program?
128. You are the information security program manager for a government agency. The agency has a highly regulated environment and is in the process of updating its incident response plan. During a tabletop exercise, it becomes clear that the detection capabilities are strong, but the response coordination between IT, legal, and public affairs is poor. This caused delays in containing a simulated ransomware attack. The existing program includes an incident response policy but no formal procedures for cross-department coordination. The agency's leadership wants quick improvement with minimal budget impact. What should you recommend?
129. You are the CISO of a retail company that is planning to implement a new e-commerce platform. The information security program currently consists of a set of high-level policies, but there are no detailed standards or guidelines for secure development. The development team uses agile methodologies and is accustomed to rapid releases. They have resisted security reviews in the past, citing delays. You need to integrate security into the development lifecycle without causing friction. The company's risk appetite is moderate; they accept some risk for speed but not if it leads to major breaches. The board expects you to manage this risk effectively. Which approach should you take?
130. You are the director of information security at a multinational corporation that operates in many countries with conflicting data privacy laws. The company's information security program includes a data classification policy and a data retention schedule, but there is no consistent method for handling cross-border data flows. Recently, a regulator in Country A fined the company for transferring personal data to Country B, which does not provide adequate protection. The legal department recommends implementing a binding corporate rules (BCR) approach, but the IT department says it would be too complex to implement across all systems. You must update the program to ensure compliance while minimizing operational impact. The board wants a solution that can be implemented within one year with reasonable cost. What should you do?
131. A multinational corporation is designing an information security program to align with diverse business units and regulatory requirements across different regions. The CISO is prioritizing key components that ensure the program is both comprehensive and adaptable. Which TWO components are most critical for achieving this alignment?
132. A small e-commerce company with 50 employees and limited IT budget is establishing its first formal information security program. The company processes customer payment data and must comply with PCI DSS. The CEO wants to balance security with operational costs. The IT manager proposes investing in a state-of-the-art security information and event management (SIEM) system costing $100,000 annually. The CISO, however, recommends a more phased approach. Considering the company's size, budget constraints, and compliance requirements, what should be the CISO's primary recommendation?
133. A global financial services firm operates in 30 countries and is subject to multiple data protection regulations, including GDPR, CCPA, and various financial services directives. The firm has a centralized information security program but struggles with inconsistent enforcement across regions. The CISO is under pressure to demonstrate compliance to the board while reducing costs. The compliance team suggests creating a separate security program for each regulation, while the IT audit team recommends adopting the most stringent regulation as the baseline. The CISO must decide on a strategy that balances compliance, efficiency, and cost. What is the best approach for the CISO to take?
134. An organization is updating its information security program to align with business objectives. Which of the following is the PRIMARY benefit of integrating security risk management into the strategic planning process?
135. During an audit of the information security program, the auditor identifies that several critical systems are not included in the incident response plan. Which of the following are the MOST appropriate actions for the security manager to take? (Select TWO.)
136. An information security manager reviews the suspicious activity log shown in the exhibit. The payroll file is supposed to be encrypted and only accessible internally. What is the MOST likely cause for the failed download?
137. A multinational corporation with a decentralized information security program has recently experienced a data breach involving customer PII. The breach originated from a regional office that had not implemented the global security baseline due to local IT staff claiming 'unique operational requirements.' The CISO has tasked the security manager with revising the program to prevent recurrence. The organization has 12 regional offices, each with its own IT leadership, and a central security team. The budget is tight, and there is resistance to centralized control. Which of the following is the BEST course of action for the security manager?
The Information Security Program domain covers the key concepts tested in this area of the CISM exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISM domains — no account required.
The Courseiva CISM question bank contains 137 questions in the Information Security Program domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Information Security Program domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.