Courseiva
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Information Security Programme

Practice CISM Information Security Programme questions with full explanations on every answer.

165 questions


All CISM Information Security Programme questions (165)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A CISO is evaluating the reporting structure for the information security team. Which reporting line is generally considered MOST effective for ensuring independence and organizational influence?

2

An organization is implementing a security controls framework and needs to prioritize which controls to implement first. According to CIS Controls v8, which approach aligns with the principle of 'implementation groups'?

3

During a third-party risk assessment, the security team discovers that a critical vendor's sub-supplier (nth party) has access to sensitive data. The vendor contract does not address nth-party risk. What is the BEST course of action?

4

Which of the following is a LEADING indicator of security performance?

5

An information security manager is designing a security awareness program. Which approach BEST addresses the different learning needs of various employee groups?

6

A security manager needs to justify an increase in the security budget. Which metric is MOST compelling to demonstrate the value of security investments to the board?

7

Which control family from NIST SP 800-53 is MOST directly associated with ensuring that users have appropriate access rights?

8

An organization is designing a security operations center (SOC). Which of the following functions is PRIMARILY responsible for analyzing alerts and determining if they represent genuine threats?

9

What is the PRIMARY purpose of a security champions program?

10

A security manager is selecting a controls framework for a new organization. Which framework provides the most granular control families and is widely used for US federal agencies?

11

A company maintains a security scorecard for the executive team. Which metric is MOST appropriate to include as a leading indicator on a one-page dashboard?

12

In the context of defense-in-depth, which control provides protection at the network layer to prevent unauthorized access?

13

An organization is designing a vendor tiering process for its third-party risk management program. Which TWO factors are MOST appropriate for determining a vendor's risk tier?

14

A security manager is developing a set of objectives and key results (OKRs) for the security program. Which THREE would be considered effective security OKRs?

15

Which TWO budget components are considered 'services' in a typical security budget?

16

A CISO is designing the security organization for a financial services firm. Which reporting structure is most likely to ensure the independence and authority of the information security function?

17

Which of the following security team roles is primarily responsible for designing and implementing security solutions to protect an organization's systems and data?

18

An organization is implementing a security controls framework and must decide on prioritization. According to defense-in-depth principles, which approach should be taken first?

19

Which of the following is a leading indicator for security performance?

20

A security awareness program includes phishing simulations. Which metric best measures the long-term effectiveness of the program?

21

In a vendor tiering system for third-party risk management, which factor is most critical for determining the tier?

22

An organization's security budget is 12% of the IT budget. Which of the following best describes the maturity of this security program?

23

A security manager is designing an executive security report. Which content is most appropriate for a one-page C-suite dashboard?

24

Which control selection framework includes implementation groups (IG1, IG2, IG3) that help organizations prioritize controls based on their risk profile?

25

A company wants to establish a security champions program. What is the primary benefit of embedding security champions in development teams?

26

Which of the following is a key objective of a Security Operations Center (SOC)?

27

An organization is implementing a data security program. Which of the following is the most effective approach to protect sensitive data at rest?

28

A CISO is evaluating security metrics for reporting to the board. Which TWO of the following are leading indicators?

29

A company is designing a third-party risk management (TPRM) program. Which THREE of the following are essential components of the ongoing monitoring phase for a critical vendor?

30

Which TWO of the following are typical components of a security awareness program?

31

Which of the following is a leading indicator of security program effectiveness?

32

An organization is implementing a security controls framework and needs to prioritize controls for a small business with limited resources. Which implementation group from CIS Controls v8 should be addressed first?

33

A CISO is designing a security scorecard for the board of directors. Which metric is most appropriate to include for a one-page executive dashboard?

34

An organization is designing a third-party risk management (TPRM) program. They have identified a vendor that stores sensitive customer data. According to best practices, what should be the minimum requirement for this vendor's contract?

35

Which control family in NIST SP 800-53 addresses the identification and authentication of users?

36

A security architect is designing a defense-in-depth strategy. Which combination of controls best exemplifies this approach?

37

In a security awareness program, which training approach is most appropriate for software developers?

38

A CISO is preparing the security budget for the next fiscal year. The current IT budget is $10 million. For a mature security program, what is the recommended security budget range?

39

An organization is implementing a security champions program. Which of the following is the primary benefit of such a program?

40

Which metric is considered a lagging indicator of security program performance?

41

A company is assessing nth-party risk from a critical cloud provider. Which approach should be taken to manage this risk effectively?

42

Which role is primarily responsible for designing and reviewing an organization's security architecture?

43

An organization is defining objectives and key results (OKRs) for the security program. Which TWO of the following are examples of leading indicators that could be used as key results?

44

A company is implementing a vendor tiering system for third-party risk management. Which TWO factors should be used to determine the tier of a vendor?

45

Which THREE of the following are components of a security operations center (SOC)?

46

An organization is redesigning its information security program to better align with business objectives. The CISO reports to the CIO, but business leaders feel security decisions are too IT-centric. Which reporting structure would best address this concern?

47

Which security control framework is organized into Implementation Groups (IG1, IG2, IG3) based on organizational risk profile and resources?

48

A security manager is developing metrics for the C-suite dashboard. Which combination of metrics would provide the best view of security program effectiveness, including both leading and lagging indicators?

49

During a third-party risk assessment, the security team discovers that a critical vendor has subcontracted data processing to another company without notification. This represents which type of risk?

50

An organization wants to implement a defense-in-depth strategy for its web application. Which set of controls best exemplifies this approach?

51

Which role is primarily responsible for developing and maintaining the organization's security architecture?

52

A security manager needs to justify an increase in the security budget to the board. The current budget is 0.15% of revenue. Which approach would most effectively demonstrate the need for additional funding?

53

Which of the following is a leading indicator for measuring the effectiveness of a security awareness program?

54

An organization is implementing a security champions program. What is the primary purpose of this initiative?

55

When selecting security controls, a company must prioritize which controls first?

56

A company uses a SaaS provider that processes sensitive customer data. The provider undergoes annual SOC 2 audits. Which additional step is essential to manage nth-party risk?

57

What is the primary function of a Security Operations Center (SOC)?

58

Which TWO metrics are considered leading indicators for information security program performance?

59

Which THREE components are essential for a comprehensive third-party risk management (TPRM) program?

60

Which TWO are key elements of a security awareness program designed to change employee behavior?

61

An information security manager is designing the reporting structure for the CISO. Which reporting structure is most likely to ensure independence and adequate authority for the security function?

62

Which of the following is a leading indicator for measuring the effectiveness of a security awareness program?

63

A large organization is implementing a security controls framework and wants to prioritize controls that provide the greatest risk reduction with the least operational friction. Which approach should the security manager adopt?

64

A security manager is developing metrics for the executive dashboard. Which combination of metrics provides a balanced view of security program performance?

65

An organization is implementing a third-party risk management (TPRM) program. Which approach best addresses nth-party risk?

66

Which of the following best describes the role of a security architect in a security program?

67

Which of the following is a key objective of implementing a security champions program?

68

A security manager needs to justify an increase in the security budget. Which approach provides the strongest quantitative justification?

69

A company has implemented a security awareness program with quarterly phishing simulations. The click rate has remained at 15% for the past two quarters. What is the most effective next step?

70

Which control framework is most appropriate for an organization that wants a prioritized set of controls based on implementation groups (IG1, IG2, IG3)?

71

What is the primary purpose of a vulnerability management program?

72

An organization's SOC team is measured on mean time to detect (MTTD) and mean time to respond (MTTR). The security manager notices that MTTD is low but MTTR is high. What is the most likely cause?

73

A security manager is selecting controls for a new application. Which TWO controls are most important to include in a defense-in-depth strategy? (Select TWO)

74

Which THREE elements are essential components of a third-party risk management (TPRM) program? (Select THREE)

75

A security manager is developing OKRs for the security team. Which TWO key results are appropriate leading indicators? (Select TWO)

76

Which of the following is the BEST reporting structure for a CISO to ensure independent oversight and alignment with business strategy?

77

An organization is implementing a defense-in-depth strategy. Which of the following control combinations BEST exemplifies this approach?

78

A financial institution uses CIS Controls v8 and must prioritize implementation. The organization has limited resources and high exposure to ransomware. Which implementation group should be addressed FIRST?

79

A CISO wants to present a high-level security status to the board using a one-page dashboard. Which of the following metrics is MOST appropriate for this audience?

80

A company is designing its security awareness program. Which approach BEST addresses the need for role-based training?

81

Which of the following is a leading indicator of security program effectiveness?

82

During third-party risk assessment, a vendor is found to have access to sensitive customer data. The vendor's own supply chain includes a critical fourth-party component. What is the BEST way to address this nth-party risk?

83

An organization's security budget is 8% of the IT budget. Industry benchmarks suggest 10-15% for mature programs. Which of the following should the CISO do FIRST to justify an increase?

84

In a security operations center (SOC), which function is PRIMARILY responsible for analyzing alerts and determining whether they represent actual security incidents?

85

Which of the following is the PRIMARY purpose of a security champions program?

86

An organization uses ISO 27001 Annex A as its control framework. During a risk assessment, a control weakness is identified that could lead to a high-impact data breach. However, implementing the recommended control is cost-prohibitive. Which approach BEST addresses this situation?

87

A CISO is evaluating a cloud provider's security posture. Which of the following should be the MOST important consideration in the vendor risk assessment?

88

A security manager is designing a metrics dashboard for the CISO. Which TWO metrics are leading indicators of security performance? (Select TWO)

89

An organization is implementing a vendor tiering program for third-party risk management. Which TWO criteria should be used to classify vendors into high, medium, or low risk tiers? (Select TWO)

90

A security awareness program includes phishing simulations. Which THREE factors should be considered when designing the simulation frequency and difficulty? (Select THREE)

91

Which of the following is a leading indicator of security program effectiveness?

92

When implementing security controls, which approach ensures that multiple layers of defense are applied so that if one control fails, others compensate?

93

An organization's CISO reports to the CIO. The CISO is concerned that security initiatives are often deprioritized due to conflicts of interest. Which reporting structure would best address this concern?

94

A company is selecting a security control framework. They want a prioritized set of controls that are implementation group-based and address common cyber threats. Which framework best meets these requirements?

95

A security awareness manager is designing role-based training. Which training is most appropriate for software developers?

96

In a vendor risk assessment, a third-party vendor will have access to sensitive customer data. According to TPRM best practices, what should the organization do first?

97

A security dashboard is being designed for the C-suite. Which metric is most appropriate for a one-page executive summary?

98

An organization wants to establish a security champions program. What is the primary benefit of embedding security advocates in development teams?

99

A mature security program allocates 12% of IT budget to security. Which combination of budget components is most balanced for a program seeking to improve detection and response capabilities?

100

A security manager is evaluating OKRs for the vulnerability management team. Which key result best aligns with an objective to reduce risk from vulnerabilities?

101

When designing phishing simulations, which approach best balances user learning and operational disruption?

102

A company is implementing a third-party risk management program and needs to prioritize vendors for assessment. Which factor should be given the highest weight?

103

Which TWO of the following are key components of a security operations center (SOC)? (Select TWO)

104

An organization is selecting security controls from NIST SP 800-53. Which TWO control families are most directly related to access control? (Select TWO)

105

A security manager is building a business case for additional security budget. Which THREE justifications are most effective for obtaining executive approval? (Select THREE)

106

A CISO is deciding on the organizational structure for the information security team. Which reporting structure is most likely to ensure the security function has sufficient independence and authority?

107

An organization is implementing a defense-in-depth strategy. Which of the following is the BEST example of a compensating control?

108

An information security manager is developing a security scorecard for the board. Which combination of metrics BEST provides a balanced view of security program effectiveness?

109

A company is designing a security awareness program. Which approach is MOST effective for ensuring that employees apply security principles in their daily work?

110

Which control framework is structured around Implementation Groups (IG1, IG2, IG3) to help organizations prioritize security controls based on risk?

111

An organization's third-party risk management program has been in place for two years. Which of the following is the MOST critical action to ensure the program remains effective?

112

A company is developing security metrics to present to the C-suite. Which metric is a leading indicator of security performance?

113

An information security manager is asked to justify an increase in the security budget. Which approach BEST demonstrates the value of the security program?

114

Which security team role is primarily responsible for defining and maintaining security architecture standards?

115

An organization with a mature security program allocates 12% of its IT budget to security. Which factor is MOST likely to support this level of investment?

116

A SOC analyst receives an alert about a potential malware infection on a critical server. Which step should the analyst take FIRST?

117

When selecting security controls based on NIST SP 800-53, which control family is MOST directly related to protecting the confidentiality of data?

118

Which TWO of the following are components of a typical vulnerability management program?

119

Which THREE of the following are key activities in a third-party risk management (TPRM) program?

120

Which TWO of the following are characteristics of a security champions program that contribute to its effectiveness?

121

In designing a security programme for a mid-sized enterprise, the CISO is deciding which security framework to adopt for control selection. Which of the following frameworks is specifically structured around implementation groups (IG1, IG2, IG3) to help organizations prioritize controls based on risk and maturity?

122

A security awareness program includes phishing simulations. After six months, the click rate has decreased from 15% to 8%, but the number of reported phishing emails has also dropped. The CISO wants to measure the effectiveness of the program. Which metric would best indicate sustained improvement in security behavior?

123

An organization is implementing a vendor risk management program. A vendor that provides cloud-based HR services will have access to employee PII. According to industry best practices, what should be the first step in the vendor lifecycle?

124

A CISO is preparing an executive dashboard for the board of directors. Which combination of metrics would provide the most meaningful overview of the security programme's effectiveness?

125

In a defence-in-depth strategy, which control is considered a compensating control when a critical application cannot be patched immediately due to operational constraints?

126

Which role within a security team is primarily responsible for designing and reviewing security architectures to ensure alignment with business requirements and security standards?

127

An organization is developing a security scorecard for the CISO. Which of the following is a leading indicator that would be most useful for predicting future security incidents?

128

A CISO is planning the security programme budget and wants to justify the investment to the CFO. The organization has a moderate risk appetite and an IT budget of $10 million. What is the most appropriate budget range for the security programme based on industry benchmarks?

129

Which of the following is the primary objective of a security champions programme?

130

In a third-party risk management programme, what is the primary purpose of vendor tiering?

131

During a security architecture review, the security architect identifies that a new application stores sensitive customer data in plaintext in the database. The application owner argues that performance requirements prevent encryption. What is the most appropriate compensating control to reduce risk?

132

An organization wants to measure the effectiveness of its security awareness programme. Which metric is a leading indicator of improved security culture?

133

A CISO is developing key risk indicators (KRIs) for the security programme. Which TWO of the following are lagging indicators? (Select TWO.)

134

A multinational organization is implementing a vendor risk management programme. Which THREE of the following should be included in the programme to effectively manage nth-party risk? (Select THREE.)

135

In designing a security operations centre (SOC), which TWO functions are core to the SOC's responsibilities? (Select TWO.)

136

Which of the following is the PRIMARY purpose of a security awareness program?

137

An organization is implementing a defense-in-depth strategy. Which of the following control combinations BEST exemplifies this principle?

138

A CISO is presenting security metrics to the board. Which of the following metrics would be MOST relevant for a one-page executive dashboard?

139

An organization uses CIS Controls v8. They are a small business with limited cybersecurity resources. Which implementation group (IG) should they prioritize?

140

A security manager is selecting controls for a new application. Which of the following is the BEST approach for prioritization?

141

Which of the following is a LEADING indicator of security performance?

142

A company is designing a third-party risk management (TPRM) program. Which factor should PRIMARILY determine the tier of a vendor?

143

An information security manager needs to justify a budget increase. Which approach would be MOST effective for gaining executive approval?

144

Which of the following BEST describes the role of a security architect in a security program?

145

Which of the following is the PRIMARY benefit of a security champions program?

146

An organization uses ISO 27001 Annex A controls. During a risk assessment, they identify a need for a compensating control because the primary control is not feasible. What should the security manager do FIRST?

147

Which of the following metrics would be MOST useful for measuring the effectiveness of a phishing simulation program?

148

An organization is developing a vendor risk management program. Which TWO of the following should be included in the vendor onboarding risk assessment?

149

A security manager is developing a security scorecard for the CISO. Which THREE of the following metrics are considered LEADING indicators?

150

An organization is designing a security awareness program. Which TWO of the following should be included for developers?

151

A security manager is designing a security awareness program for a mid-sized organization. Which of the following is the MOST effective approach to ensure that training is relevant to different employee roles?

152

An organization is implementing a security controls framework based on NIST SP 800-53. The CISO wants to prioritize controls that will provide the greatest risk reduction for critical assets. Which approach should be used to select the initial set of controls?

153

A security manager is developing a security scorecard for the C-suite. Which combination of metrics would be MOST appropriate for a one-page dashboard?

154

An organization with a mature security program is reviewing its budget allocation. The board has asked the CISO to justify a proposed increase. Which of the following provides the STRONGEST justification for the security budget?

155

A security architect is designing a defense-in-depth strategy for a financial institution. Which TWO of the following are essential components of a defense-in-depth approach?

156

A CISO is establishing a vendor risk management (TPRM) program. Which THREE of the following are key components of an effective TPRM program?

157

A security manager is designing a security awareness program. Which TWO metrics are leading indicators of program effectiveness?

158

An organization is implementing CIS Controls v8. Which THREE of the following are implementation groups (IGs) defined in the CIS Controls?

159

A CISO is building a security operations center (SOC). Which TWO of the following are primary functions of a SOC?

160

An organization is implementing a security champions program to improve application security. Which THREE of the following are key success factors for such a program?

161

A security manager is designing a security budget for a mid-sized company. Which TWO of the following are typical components of a security budget?

162

A security architect is selecting controls for an e-commerce platform. Which TWO of the following are examples of compensating controls?

163

A CISO is evaluating metrics for an executive security report. Which TWO of the following are lagging indicators?

164

An organization is implementing an identity and access management (IAM) program. Which THREE of the following are key components of a mature IAM program?

165

A security manager is designing a vulnerability management program. Which TWO of the following are essential processes?


Frequently asked questions

What does the Information Security Programme domain cover on the CISM exam?

The Information Security Programme domain covers the key concepts tested in this area of the CISM exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISM domains — no account required.

How many Information Security Programme questions are in the CISM question bank?

The Courseiva CISM question bank contains 165 questions in the Information Security Programme domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Information Security Programme for CISM?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Information Security Programme questions for CISM?

Yes — the session launcher on this page draws questions exclusively from the Information Security Programme domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
