Practice CISM Information Security Governance questions with full explanations on every answer.
1. A multinational corporation is implementing an information security governance framework. The board has requested a mechanism to ensure that security investments align with business objectives. Which of the following is the BEST approach to achieve this alignment?
2. A newly appointed CISO wants to establish an information security governance committee. What is the PRIMARY purpose of this committee?
3. A financial services firm has a mature information security program but is struggling to demonstrate the value of security investments to the board. Which metric would BEST communicate the effectiveness of the security program in business terms?
4. During a merger, the acquiring company's CISO must integrate the security governance of the target company. The target company has no formal security governance. What is the FIRST step the CISO should take?
5. An organization's security governance committee has approved a new security policy. What is the NEXT critical step to ensure the policy's effectiveness?
6. A healthcare organization is developing an information security strategy. The board has mandated that the strategy must support innovation while protecting patient data. Which governance approach BEST balances these priorities?
7. Which of the following is the PRIMARY role of the board of directors in information security governance?
8. An organization has a decentralized security governance model. The CISO is struggling to enforce consistent security policies across business units. What is the BEST approach to improve consistency?
9. A company is considering outsourcing its security operations center (SOC). Which governance consideration is MOST critical before finalizing the decision?
10. Which TWO of the following are key components of an information security governance framework? (Choose two.)
11. Which THREE of the following are essential roles in an effective information security governance structure? (Choose three.)
12. Which TWO of the following are primary objectives of information security governance? (Choose two.)
13. You are the CISO of a mid-sized e-commerce company with 500 employees. The company recently suffered a data breach where an attacker exfiltrated customer credit card data from the production database. The investigation revealed that the breach originated from a compromised developer workstation. The developer had been granted direct access to the production database for troubleshooting purposes, a practice that had been in place for years. The security governance framework currently lacks a formal process for managing privileged access. The board has asked for immediate improvements to prevent recurrence. Which course of action BEST addresses the governance gap?
14. You are the IT governance officer at a regional bank with 1,200 employees. The bank has a security policy that requires annual security awareness training for all staff. However, the compliance rate is only 60%. The board is concerned about regulatory risk and wants to improve compliance. The current training is a generic online module that takes 30 minutes to complete. Employees complain that the training is boring and not relevant to their roles. The training is managed by the HR department, which sends reminders but does not enforce consequences. Which of the following is the BEST course of action to improve training compliance and governance?
15. An organization is implementing a new cloud-based ERP system. Which of the following is the MOST important action for the information security manager to ensure alignment with the organization's risk appetite?
16. A multinational corporation is designing its information security governance framework. The board has requested a single metric that best indicates the effectiveness of the security program. Which metric would BEST satisfy this request?
17. An information security manager is developing a security strategy for a financial institution. Which of the following should be the PRIMARY driver for selecting security controls?
18. During an audit, it was found that the organization's information security policy is not being followed by business units. Which of the following is the MOST effective way for the information security manager to improve compliance?
19. An organization has decided to adopt a risk-based approach to information security. What is the FIRST step the information security manager should take to implement this approach?
20. Which TWO of the following are key responsibilities of an information security governance committee?
21. Which THREE of the following are essential components of an information security governance framework?
22. You are the information security manager for a mid-sized e-commerce company with 500 employees. The company recently experienced a data breach where an attacker exploited a vulnerability in a third-party payment processing API, resulting in the exposure of 10,000 customer credit card numbers. The breach was detected by an external forensics team 90 days after the initial compromise. The board is concerned about the company's ability to detect and respond to incidents. Currently, the company has a part-time security team of three people who focus on firewall management and antivirus updates. There is no formal incident response plan, and security monitoring is limited to basic log review once a week. The CISO has asked you to recommend a course of action to improve the security posture, with a focus on governance and oversight. Which of the following is the BEST course of action?
23. A multinational corporation is implementing a risk-based approach to information security governance. The chief information security officer (CISO) has been asked to prioritize security initiatives based on business impact. Which of the following actions should the CISO take FIRST to align security governance with business objectives?
24. A security audit has identified several governance weaknesses. Which TWO of the following are most likely to indicate a lack of effective information security governance? (Choose two.)
25. Refer to the exhibit. A security analyst reviews the ACL on the organization's border router. Based on the exhibit, which of the following is the MOST significant governance concern?
26. Arrange the steps for responding to a data breach involving personally identifiable information (PII).
27. Arrange the steps for deploying a security patch to critical servers in a production environment.
28. Match each security control type to its example.
29. Match each security metric to its description.
30. A company's information security manager is tasked with ensuring that security initiatives align with business goals. Which of the following best demonstrates this alignment?
31. An organization has recently experienced a data breach due to an insider threat. The board has requested an update on governance improvements. Which of the following should the information security manager recommend first?
32. An information security manager is evaluating the effectiveness of the organization's security governance. Which of the following metrics would best indicate that governance processes are functioning properly?
33. A multinational corporation is establishing an information security governance framework. The board has approved a top-down approach where security policies are created at the corporate level and adapted locally. Which of the following is a key benefit of this approach?
34. After a security incident, the board holds the CISO accountable. The CISO argues that the incident was caused by a failure in the third-party risk management process. Which of the following governance deficiencies is most likely the root cause?
35. An information security manager is preparing a report for the board on the state of information security governance. Which of the following elements is most important to include in the report?
36. A financial institution is restructuring its information security governance to comply with a new regulatory requirement that mandates a formal risk appetite statement. The board has conflicting views on the level of risk to accept. Which of the following should the information security manager do to facilitate the definition of risk appetite?
37. A company's information security manager notices that several business units have implemented shadow IT systems that bypass the central security governance. Which of the following governance strategies would most effectively address this issue in the long term?
38. During a merger, the acquiring company's board insists on integrating the target company's information security governance into its own within 90 days. However, the target has a significantly different risk culture and lacks documented policies. What is the most critical governance risk in this scenario?
39. Which TWO of the following are primary responsibilities of the board of directors in information security governance?
40. Which TWO of the following are key indicators that an organization's information security governance is effective?
41. Which THREE of the following are essential components of a mature information security governance framework?
42. Refer to the exhibit. A security manager notices that several contractors have been granted access to a financial system without documented exceptions. Based on the policy, what is the most likely governance deficiency?
43. Refer to the exhibit. An information security manager reviews the risk register and sees that Risk ID R001 has a residual risk of High with a treatment of Accept. Which of the following best explains why this situation may indicate a governance failure?
44. Refer to the exhibit. The audit finding reveals a deficiency in which critical aspect of information security governance?
45. An organization is developing its information security strategy. Which of the following should be the PRIMARY driver for defining security objectives?
46. A large enterprise is implementing a new governance framework. The board has approved a risk appetite statement. What is the MOST important next step for the information security manager?
47. A global company is establishing an information security governance committee. Which membership composition BEST ensures alignment between security and business strategy?
48. An information security manager is asked to report on the effectiveness of the security program. Which metric would BEST indicate governance effectiveness?
49. After a merger, two companies with different security cultures are being integrated. What is the BEST approach for the information security manager to achieve a unified governance structure?
50. A financial institution is designing its information security governance to comply with multiple regulations. The board has limited risk appetite. Which approach BEST ensures effective governance while minimizing conflict?
51. An information security manager is developing a security scorecard for the board. Which of the following should be included to BEST demonstrate governance performance?
52. A company is restructuring its security governance due to rapid growth. The CISO reports to the CIO. What is the PRIMARY risk of this reporting structure?
53. An organization's governance framework requires regular reporting to the board. Which reporting frequency and format is MOST effective for a board with limited security expertise?
54. Which TWO of the following are essential components of an effective information security governance framework? (Select exactly two.)
55. Which THREE of the following are key indicators of a mature information security governance process? (Select exactly three.)
56. Which TWO of the following are primary responsibilities of the board of directors with regard to information security governance? (Select exactly two.)
57. Given the exhibit, what is the MOST appropriate action for the information security manager?
58. Based on the exhibit, which role is missing from the governance policy that would be essential for enforcing accountability?
59. Given the exhibit, what is the MOST significant governance gap in the described architecture?
60. A CISO is developing an information security governance framework for a financial institution. Which of the following is the PRIMARY purpose of such a framework?
61. A multinational corporation is designing an information security strategy to support its global operations. Which approach best ensures that the strategy is actionable and measurable?
62. An organization's information security governance committee has not met for the past six months. Which of the following is the most significant risk associated with this situation?
63. An organization plans to implement ISO/IEC 27001 to formalize its information security management system. Which step is most critical to ensure successful implementation?
64. A multinational corporation must comply with both GDPR and CCPA. Which governance approach is most effective?
65. During an internal audit, it is discovered that business units frequently purchase cloud services without involving the IT security department. Which governance deficiency does this scenario most clearly demonstrate?
66. Which of the following is the best indicator that an organization has effective information security governance?
67. A company's security steering committee includes representatives from Human Resources, Legal, and Risk Management, but not from Business Operations. What is the most likely consequence of this membership gap?
68. After a merger, the combined organization has two different risk tolerance levels: one entity is risk-averse, the other is risk-taking. What is the best governance action?
69. Which TWO of the following are key elements of an information security governance framework, as defined by COBIT?
70. Which THREE of the following are responsibilities of the board of directors regarding information security governance?
71. Which THREE of the following are challenges in implementing information security governance in a decentralized organization?
72. Refer to the exhibit. A security administrator reports that the VPN tunnel to the remote peer (10.1.1.1) intermittently fails. Based on the configuration, which of the following is the most likely cause?
73. Refer to the exhibit. A company implements this data classification scheme. Which risk is most likely introduced by this scheme?
74. Refer to the exhibit. This error log indicates a failure in which component of information security governance?
75. A multinational corporation is experiencing significant security incidents due to inconsistent security policies across subsidiaries. The CISO proposes implementing a centralized governance model. However, business unit leaders argue that local regulations require autonomy. Which approach best balances governance with local compliance?
76. A company has recently adopted COBIT 2019 as its governance framework. The board is requesting a concise report on the effectiveness of the security program. Which reporting structure best aligns with COBIT's guidance?
77. During an internal audit, it was found that the security policy does not address the use of personal devices for work. Which governance action should be taken first?
78. An organization's security steering committee meets quarterly but lacks decision-making authority. Projects are delayed due to lack of prioritization. What is the most effective improvement?
79. A financial institution is integrating a newly acquired fintech startup. The startup has a very different security culture. What governance approach best ensures integration without stifling innovation?
80. A small business cannot afford a dedicated security team. Which governance model is most appropriate?
81. Which TWO of the following are essential components of an information security governance framework according to ISACA's COBIT?
82. Which TWO of the following are key indicators that an organization's information security governance is inadequate?
83. Which THREE elements are typically included in a security governance charter?
84. Acme Corp, a global manufacturer, has a decentralized security governance model. Each business unit manages its own security, resulting in inconsistent policies and repeated audit findings. The new CISO proposes a federated model where a central team sets minimum standards and each unit can add local controls. However, the European unit's head insists on full autonomy due to GDPR strictness. The board is concerned about compliance costs. What should the CISO do first?
85. TechStart, a cloud-based startup, has rapidly grown from 50 to 500 employees. It lacks a formal security governance structure. The CEO asks the CISO to develop one. The CISO finds that the company's culture values speed over compliance. The board expects a governance framework within three months. What is the most practical approach?
86. A hospital chain has separate security teams for each facility. There is no central coordination, leading to duplicate efforts and inconsistent patient data protection. The system's CISO wants to improve governance with minimal disruption. What should he do?
87. BankOne has a mature security governance program but recently failed a regulatory audit because the board had not formally approved the risk appetite statement. The CISO argues that risk appetite is reviewed annually and was verbally approved. To prevent recurrence, what governance change is most effective?
88. A government agency is criticized for poor security governance after a data breach. An external review finds that security policies are not aligned with the agency's mission. The director wants to implement a governance framework that ties security to strategic objectives. Which framework is most suitable?
89. A retail company's security governance includes a policy that all software must be approved by a security committee. This delays critical business applications. The CIO complains. How should the CISO adjust governance?
90. Which TWO of the following are typically considered key components of an information security governance framework?
91. Refer to the exhibit. An organization is implementing access controls for a new data repository that will store financial reports classified as Category C. Which of the following is the MOST appropriate control to include?
92. A global financial services firm with 15,000 employees has recently experienced a significant data breach due to inadequate oversight of third-party vendors. The breach originated from a cloud service provider that had been granted elevated access without a formal risk assessment or contract review. The board has directed the CISO to overhaul the information security governance framework to prevent recurrence. Currently, the organization has a decentralized security model where each business unit manages its own vendor relationships. The CISO proposes a centralized governance body. Which of the following is the BEST course of action to establish effective governance over third-party risk?
The Information Security Governance domain covers the key concepts tested in this area of the CISM exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISM domains — no account required.
The Courseiva CISM question bank contains 92 questions in the Information Security Governance domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
The session launcher on this page draws questions exclusively from the Information Security Governance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.