Practice CISM Information Security Programme questions with full explanations on every answer.
Information Security Programme — choose a session length
1. A CISO is evaluating the reporting structure for the information security team. Which reporting line is generally considered MOST effective for ensuring independence and organizational influence?
2. An organization is implementing a security controls framework and needs to prioritize which controls to implement first. According to CIS Controls v8, which approach aligns with the principle of 'implementation groups'?
3. During a third-party risk assessment, the security team discovers that a critical vendor's sub-supplier (nth party) has access to sensitive data. The vendor contract does not address nth-party risk. What is the BEST course of action?
4. Which of the following is a LEADING indicator of security performance?
5. An information security manager is designing a security awareness program. Which approach BEST addresses the different learning needs of various employee groups?
6. A security manager needs to justify an increase in the security budget. Which metric is MOST compelling to demonstrate the value of security investments to the board?
7. Which control family from NIST SP 800-53 is MOST directly associated with ensuring that users have appropriate access rights?
8. An organization is designing a security operations center (SOC). Which of the following functions is PRIMARILY responsible for analyzing alerts and determining if they represent genuine threats?
9. What is the PRIMARY purpose of a security champions program?
10. A security manager is selecting a controls framework for a new organization. Which framework provides the most granular control families and is widely used for US federal agencies?
11. A company maintains a security scorecard for the executive team. Which metric is MOST appropriate to include as a leading indicator on a one-page dashboard?
12. In the context of defense-in-depth, which control provides protection at the network layer to prevent unauthorized access?
13. An organization is designing a vendor tiering process for its third-party risk management program. Which TWO factors are MOST appropriate for determining a vendor's risk tier?
14. A security manager is developing a set of objectives and key results (OKRs) for the security program. Which THREE would be considered effective security OKRs?
15. Which TWO budget components are considered 'services' in a typical security budget?
16. A CISO is designing the security organization for a financial services firm. Which reporting structure is most likely to ensure the independence and authority of the information security function?
17. Which of the following security team roles is primarily responsible for designing and implementing security solutions to protect an organization's systems and data?
18. An organization is implementing a security controls framework and must decide on prioritization. According to defense-in-depth principles, which approach should be taken first?
19. Which of the following is a leading indicator for security performance?
20. A security awareness program includes phishing simulations. Which metric best measures the long-term effectiveness of the program?
21. In a vendor tiering system for third-party risk management, which factor is most critical for determining the tier?
22. An organization's security budget is 12% of the IT budget. Which of the following best describes the maturity of this security program?
23. A security manager is designing an executive security report. Which content is most appropriate for a one-page C-suite dashboard?
24. Which control selection framework includes implementation groups (IG1, IG2, IG3) that help organizations prioritize controls based on their risk profile?
25. A company wants to establish a security champions program. What is the primary benefit of embedding security champions in development teams?
26. Which of the following is a key objective of a Security Operations Center (SOC)?
27. An organization is implementing a data security program. Which of the following is the most effective approach to protect sensitive data at rest?
28. A CISO is evaluating security metrics for reporting to the board. Which TWO of the following are leading indicators?
29. A company is designing a third-party risk management (TPRM) program. Which THREE of the following are essential components of the ongoing monitoring phase for a critical vendor?
30. Which TWO of the following are typical components of a security awareness program?
31. Which of the following is a leading indicator of security program effectiveness?
32. An organization is implementing a security controls framework and needs to prioritize controls for a small business with limited resources. Which implementation group from CIS Controls v8 should be addressed first?
33. A CISO is designing a security scorecard for the board of directors. Which metric is most appropriate to include for a one-page executive dashboard?
34. An organization is designing a third-party risk management (TPRM) program. They have identified a vendor that stores sensitive customer data. According to best practices, what should be the minimum requirement for this vendor's contract?
35. Which control family in NIST SP 800-53 addresses the identification and authentication of users?
36. A security architect is designing a defense-in-depth strategy. Which combination of controls best exemplifies this approach?
37. In a security awareness program, which training approach is most appropriate for software developers?
38. A CISO is preparing the security budget for the next fiscal year. The current IT budget is $10 million. For a mature security program, what is the recommended security budget range?
39. An organization is implementing a security champions program. Which of the following is the primary benefit of such a program?
40. Which metric is considered a lagging indicator of security program performance?
41. A company is assessing nth-party risk from a critical cloud provider. Which approach should be taken to manage this risk effectively?
42. Which role is primarily responsible for designing and reviewing an organization's security architecture?
43. An organization is defining objectives and key results (OKRs) for the security program. Which TWO of the following are examples of leading indicators that could be used as key results?
44. A company is implementing a vendor tiering system for third-party risk management. Which TWO factors should be used to determine the tier of a vendor?
45. Which THREE of the following are components of a security operations center (SOC)?
46. An organization is redesigning its information security program to better align with business objectives. The CISO reports to the CIO, but business leaders feel security decisions are too IT-centric. Which reporting structure would best address this concern?
47. Which security control framework is organized into Implementation Groups (IG1, IG2, IG3) based on organizational risk profile and resources?
48. A security manager is developing metrics for the C-suite dashboard. Which combination of metrics would provide the best view of security program effectiveness, including both leading and lagging indicators?
49. During a third-party risk assessment, the security team discovers that a critical vendor has subcontracted data processing to another company without notification. This represents which type of risk?
50. An organization wants to implement a defense-in-depth strategy for its web application. Which set of controls best exemplifies this approach?
51. Which role is primarily responsible for developing and maintaining the organization's security architecture?
52. A security manager needs to justify an increase in the security budget to the board. The current budget is 0.15% of revenue. Which approach would most effectively demonstrate the need for additional funding?
53. Which of the following is a leading indicator for measuring the effectiveness of a security awareness program?
54. An organization is implementing a security champions program. What is the primary purpose of this initiative?
55. When selecting security controls, a company must prioritize which controls first?
56. A company uses a SaaS provider that processes sensitive customer data. The provider undergoes annual SOC 2 audits. Which additional step is essential to manage nth-party risk?
57. What is the primary function of a Security Operations Center (SOC)?
58. Which TWO metrics are considered leading indicators for information security program performance?
59. Which THREE components are essential for a comprehensive third-party risk management (TPRM) program?
60. Which TWO are key elements of a security awareness program designed to change employee behavior?
61. An information security manager is designing the reporting structure for the CISO. Which reporting structure is most likely to ensure independence and adequate authority for the security function?
62. Which of the following is a leading indicator for measuring the effectiveness of a security awareness program?
63. A large organization is implementing a security controls framework and wants to prioritize controls that provide the greatest risk reduction with the least operational friction. Which approach should the security manager adopt?
64. A security manager is developing metrics for the executive dashboard. Which combination of metrics provides a balanced view of security program performance?
65. An organization is implementing a third-party risk management (TPRM) program. Which approach best addresses nth-party risk?
66. Which of the following best describes the role of a security architect in a security program?
67. Which of the following is a key objective of implementing a security champions program?
68. A security manager needs to justify an increase in the security budget. Which approach provides the strongest quantitative justification?
69. A company has implemented a security awareness program with quarterly phishing simulations. The click rate has remained at 15% for the past two quarters. What is the most effective next step?
70. Which control framework is most appropriate for an organization that wants a prioritized set of controls based on implementation groups (IG1, IG2, IG3)?
71. What is the primary purpose of a vulnerability management program?
72. An organization's SOC team is measured on mean time to detect (MTTD) and mean time to respond (MTTR). The security manager notices that MTTD is low but MTTR is high. What is the most likely cause?
73. A security manager is selecting controls for a new application. Which TWO controls are most important to include in a defense-in-depth strategy? (Select TWO)
74. Which THREE elements are essential components of a third-party risk management (TPRM) program? (Select THREE)
75. A security manager is developing OKRs for the security team. Which TWO key results are appropriate leading indicators? (Select TWO)
76. Which of the following is the BEST reporting structure for a CISO to ensure independent oversight and alignment with business strategy?
77. An organization is implementing a defense-in-depth strategy. Which of the following control combinations BEST exemplifies this approach?
78. A financial institution uses CIS Controls v8 and must prioritize implementation. The organization has limited resources and high exposure to ransomware. Which implementation group should be addressed FIRST?
79. A CISO wants to present a high-level security status to the board using a one-page dashboard. Which of the following metrics is MOST appropriate for this audience?
80. A company is designing its security awareness program. Which approach BEST addresses the need for role-based training?
81. Which of the following is a leading indicator of security program effectiveness?
82. During third-party risk assessment, a vendor is found to have access to sensitive customer data. The vendor's own supply chain includes a critical fourth-party component. What is the BEST way to address this nth-party risk?
83. An organization's security budget is 8% of the IT budget. Industry benchmarks suggest 10-15% for mature programs. Which of the following should the CISO do FIRST to justify an increase?
84. In a security operations center (SOC), which function is PRIMARILY responsible for analyzing alerts and determining whether they represent actual security incidents?
85. Which of the following is the PRIMARY purpose of a security champions program?
86. An organization uses ISO 27001 Annex A as its control framework. During a risk assessment, a control weakness is identified that could lead to a high-impact data breach. However, implementing the recommended control is cost-prohibitive. Which approach BEST addresses this situation?
87. A CISO is evaluating a cloud provider's security posture. Which of the following should be the MOST important consideration in the vendor risk assessment?
88. A security manager is designing a metrics dashboard for the CISO. Which TWO metrics are leading indicators of security performance? (Select TWO)
89. An organization is implementing a vendor tiering program for third-party risk management. Which TWO criteria should be used to classify vendors into high, medium, or low risk tiers? (Select TWO)
90. A security awareness program includes phishing simulations. Which THREE factors should be considered when designing the simulation frequency and difficulty? (Select THREE)
91. Which of the following is a leading indicator of security program effectiveness?
92. When implementing security controls, which approach ensures that multiple layers of defense are applied so that if one control fails, others compensate?
93. An organization's CISO reports to the CIO. The CISO is concerned that security initiatives are often deprioritized due to conflicts of interest. Which reporting structure would best address this concern?
94. A company is selecting a security control framework. They want a prioritized set of controls that are implementation group-based and address common cyber threats. Which framework best meets these requirements?
95. A security awareness manager is designing role-based training. Which training is most appropriate for software developers?
96. In a vendor risk assessment, a third-party vendor will have access to sensitive customer data. According to TPRM best practices, what should the organization do first?
97. A security dashboard is being designed for the C-suite. Which metric is most appropriate for a one-page executive summary?
98. An organization wants to establish a security champions program. What is the primary benefit of embedding security advocates in development teams?
99. A mature security program allocates 12% of IT budget to security. Which combination of budget components is most balanced for a program seeking to improve detection and response capabilities?
100. A security manager is evaluating OKRs for the vulnerability management team. Which key result best aligns with an objective to reduce risk from vulnerabilities?
101. When designing phishing simulations, which approach best balances user learning and operational disruption?
102. A company is implementing a third-party risk management program and needs to prioritize vendors for assessment. Which factor should be given the highest weight?
103. Which TWO of the following are key components of a security operations center (SOC)? (Select TWO)
104. An organization is selecting security controls from NIST SP 800-53. Which TWO control families are most directly related to access control? (Select TWO)
105. A security manager is building a business case for additional security budget. Which THREE justifications are most effective for obtaining executive approval? (Select THREE)
106. A CISO is deciding on the organizational structure for the information security team. Which reporting structure is most likely to ensure the security function has sufficient independence and authority?
107. An organization is implementing a defense-in-depth strategy. Which of the following is the BEST example of a compensating control?
108. An information security manager is developing a security scorecard for the board. Which combination of metrics BEST provides a balanced view of security program effectiveness?
109. A company is designing a security awareness program. Which approach is MOST effective for ensuring that employees apply security principles in their daily work?
110. Which control framework is structured around Implementation Groups (IG1, IG2, IG3) to help organizations prioritize security controls based on risk?
111. An organization's third-party risk management program has been in place for two years. Which of the following is the MOST critical action to ensure the program remains effective?
112. A company is developing security metrics to present to the C-suite. Which metric is a leading indicator of security performance?
113. An information security manager is asked to justify an increase in the security budget. Which approach BEST demonstrates the value of the security program?
114. Which security team role is primarily responsible for defining and maintaining security architecture standards?
115. An organization with a mature security program allocates 12% of its IT budget to security. Which factor is MOST likely to support this level of investment?
116. A SOC analyst receives an alert about a potential malware infection on a critical server. Which step should the analyst take FIRST?
117. When selecting security controls based on NIST SP 800-53, which control family is MOST directly related to protecting the confidentiality of data?
118. Which TWO of the following are components of a typical vulnerability management program?
119. Which THREE of the following are key activities in a third-party risk management (TPRM) program?
120. Which TWO of the following are characteristics of a security champions program that contribute to its effectiveness?
121. In designing a security programme for a mid-sized enterprise, the CISO is deciding which security framework to adopt for control selection. Which of the following frameworks is specifically structured around implementation groups (IG1, IG2, IG3) to help organizations prioritize controls based on risk and maturity?
122. A security awareness program includes phishing simulations. After six months, the click rate has decreased from 15% to 8%, but the number of reported phishing emails has also dropped. The CISO wants to measure the effectiveness of the program. Which metric would best indicate sustained improvement in security behavior?
123. An organization is implementing a vendor risk management program. A vendor that provides cloud-based HR services will have access to employee PII. According to industry best practices, what should be the first step in the vendor lifecycle?
124. A CISO is preparing an executive dashboard for the board of directors. Which combination of metrics would provide the most meaningful overview of the security programme's effectiveness?
125. In a defence-in-depth strategy, which control is considered a compensating control when a critical application cannot be patched immediately due to operational constraints?
126. Which role within a security team is primarily responsible for designing and reviewing security architectures to ensure alignment with business requirements and security standards?
127. An organization is developing a security scorecard for the CISO. Which of the following is a leading indicator that would be most useful for predicting future security incidents?
128. A CISO is planning the security programme budget and wants to justify the investment to the CFO. The organization has a moderate risk appetite and an IT budget of $10 million. What is the most appropriate budget range for the security programme based on industry benchmarks?
129. Which of the following is the primary objective of a security champions programme?
130. In a third-party risk management programme, what is the primary purpose of vendor tiering?
131. During a security architecture review, the security architect identifies that a new application stores sensitive customer data in plaintext in the database. The application owner argues that performance requirements prevent encryption. What is the most appropriate compensating control to reduce risk?
132. An organization wants to measure the effectiveness of its security awareness programme. Which metric is a leading indicator of improved security culture?
133. A CISO is developing key risk indicators (KRIs) for the security programme. Which TWO of the following are lagging indicators? (Select TWO.)
134. A multinational organization is implementing a vendor risk management programme. Which THREE of the following should be included in the programme to effectively manage nth-party risk? (Select THREE.)
135. In designing a security operations centre (SOC), which TWO functions are core to the SOC's responsibilities? (Select TWO.)
136. Which of the following is the PRIMARY purpose of a security awareness program?
137. An organization is implementing a defense-in-depth strategy. Which of the following control combinations BEST exemplifies this principle?
138. A CISO is presenting security metrics to the board. Which of the following metrics would be MOST relevant for a one-page executive dashboard?
139. An organization uses CIS Controls v8. They are a small business with limited cybersecurity resources. Which implementation group (IG) should they prioritize?
140. A security manager is selecting controls for a new application. Which of the following is the BEST approach for prioritization?
141. Which of the following is a LEADING indicator of security performance?
142. A company is designing a third-party risk management (TPRM) program. Which factor should PRIMARILY determine the tier of a vendor?
143. An information security manager needs to justify a budget increase. Which approach would be MOST effective for gaining executive approval?
144. Which of the following BEST describes the role of a security architect in a security program?
145. Which of the following is the PRIMARY benefit of a security champions program?
146. An organization uses ISO 27001 Annex A controls. During a risk assessment, they identify a need for a compensating control because the primary control is not feasible. What should the security manager do FIRST?
147. Which of the following metrics would be MOST useful for measuring the effectiveness of a phishing simulation program?
148. An organization is developing a vendor risk management program. Which TWO of the following should be included in the vendor onboarding risk assessment?
149. A security manager is developing a security scorecard for the CISO. Which THREE of the following metrics are considered LEADING indicators?
150. An organization is designing a security awareness program. Which TWO of the following should be included for developers?
151. A security manager is designing a security awareness program for a mid-sized organization. Which of the following is the MOST effective approach to ensure that training is relevant to different employee roles?
152. An organization is implementing a security controls framework based on NIST SP 800-53. The CISO wants to prioritize controls that will provide the greatest risk reduction for critical assets. Which approach should be used to select the initial set of controls?
153. A security manager is developing a security scorecard for the C-suite. Which combination of metrics would be MOST appropriate for a one-page dashboard?
154. An organization with a mature security program is reviewing its budget allocation. The board has asked the CISO to justify a proposed increase. Which of the following provides the STRONGEST justification for the security budget?
155. A security architect is designing a defense-in-depth strategy for a financial institution. Which TWO of the following are essential components of a defense-in-depth approach?
156. A CISO is establishing a vendor risk management (TPRM) program. Which THREE of the following are key components of an effective TPRM program?
157. A security manager is designing a security awareness program. Which TWO metrics are leading indicators of program effectiveness?
158. An organization is implementing CIS Controls v8. Which THREE of the following are implementation groups (IGs) defined in the CIS Controls?
159. A CISO is building a security operations center (SOC). Which TWO of the following are primary functions of a SOC?
160. An organization is implementing a security champions program to improve application security. Which THREE of the following are key success factors for such a program?
161. A security manager is designing a security budget for a mid-sized company. Which TWO of the following are typical components of a security budget?
162. A security architect is selecting controls for an e-commerce platform. Which TWO of the following are examples of compensating controls?
163. A CISO is evaluating metrics for an executive security report. Which TWO of the following are lagging indicators?
164. An organization is implementing an identity and access management (IAM) program. Which THREE of the following are key components of a mature IAM program?
165. A security manager is designing a vulnerability management program. Which TWO of the following are essential processes?
The Information Security Programme domain covers the key concepts tested in this area of the CISM exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISM domains — no account required.
The Courseiva CISM question bank contains 165 questions in the Information Security Programme domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Information Security Programme domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.