ISACA · Free Practice Questions · Last reviewed May 2026
24 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
An organization's information security program has been in place for two years. During a recent audit, several findings indicated that security controls are not consistently applied across business units. The CISO has been asked to improve the program. Which of the following should the CISO do FIRST?
Automate security compliance monitoring across all business units.
Update the information security policy to mandate compliance.
Conduct a risk assessment to identify gaps and prioritize remediation.
A risk assessment provides the basis for prioritizing controls and ensuring consistent application based on risk.
Implement additional security controls across all business units.
A multinational corporation is designing its information security program and must decide how to balance security with business agility. The company operates in highly regulated industries with varying legal requirements. Which of the following approaches BEST aligns with industry best practices for such an environment?
Implement the strictest regulatory requirements globally to ensure compliance everywhere.
Adopt a baseline of controls that meet the lowest common denominator of all regulations.
Develop a risk-based framework that allows for tailored controls based on local risk assessments.
A risk-based approach provides flexibility while ensuring that controls are appropriate for the risks.
Allow each business unit to define its own security controls based on local requirements.
An organization is developing a new information security program and wants to ensure it aligns with business objectives. Which of the following is the MOST critical first step?
Develop a security awareness training program.
Identify business strategy and risk appetite.
Aligning with business strategy ensures security enables rather than hinders the business.
Design the security architecture based on industry frameworks.
Conduct a comprehensive risk assessment.
During a merger, two companies with different information security programs are being integrated. The combined entity must maintain compliance with PCI DSS and GDPR. The CISO is concerned about gaps in coverage due to differing maturity levels. Which of the following is the BEST approach to harmonize the programs?
Adopt the more stringent security program from the acquirer across the entire entity.
Merge the two programs by combining all controls from each.
Implement a completely new framework that meets both regulations.
Perform a gap analysis against the requirements and prioritize remediation.
A gap analysis provides a clear picture of what is missing and allows for efficient resource allocation.
Which TWO of the following are key components of an information security program governance structure? (Select TWO.)
A steering committee that includes senior management and business unit leaders.
A steering committee ensures alignment with business strategy and provides oversight.
An incident response plan that defines roles and procedures.
Regular reporting to the board of directors on security metrics and risks.
Reporting to the board ensures visibility and accountability.
A vulnerability scanning schedule and remediation SLAs.
A firewall policy that specifies allowed and denied traffic.
Refer to the exhibit. An analyst observes the network traffic between three internal hosts and a web server. Which of the following is the MOST likely interpretation of this traffic?
A SYN flood attack is in progress.
A single host is using multiple IP addresses to scan the server.
Multiple users are accessing the web server normally.
The logs show successful TCP connections followed by HTTP requests.
A distributed denial-of-service (DDoS) attack is occurring.
A financial institution is implementing a new online banking platform. The risk assessment identified that the authentication module has a high likelihood of exploitation due to weak password policies. The risk owner has decided to implement multi-factor authentication (MFA) to reduce the risk. This is an example of which risk response strategy?
Risk avoidance
Risk mitigation
MFA reduces the likelihood or impact of the risk, which is the definition of risk mitigation.
Risk acceptance
Risk transfer
An organization has a risk appetite that allows for a maximum residual risk level of 'medium' for all operational risks. A new project introduces a risk with inherent risk level 'high' and control effectiveness rated as 'partially effective'. The risk owner proposes to accept the risk. As the CISM, what is the best course of action?
Accept the risk since the risk owner has agreed.
Transfer the risk to an insurance company.
Insist on additional controls to reduce residual risk to at least 'medium'.
This ensures residual risk aligns with appetite, which is the correct risk management approach.
Recommend revising the risk appetite to accommodate this risk.
During a risk assessment, a CISM identifies that the organization's data backup process has a single point of failure. The backup server is located in the same data center as the primary server. Which risk response is most appropriate?
Mitigate by moving the backup server to a geographically separate location.
This reduces the likelihood of both servers being lost simultaneously.
Transfer the risk by purchasing business interruption insurance.
Avoid the risk by discontinuing the backup process.
Accept the risk because the cost of mitigation is high.
A multinational corporation is assessing the risk of data breaches from third-party vendors. The CISM is tasked with selecting a risk treatment strategy. The organization has a low risk appetite for data breaches. Which strategy should be prioritized?
Mitigate the risk by conducting regular vendor audits.
Avoid the risk by not engaging vendors that cannot meet security requirements.
Avoidance eliminates the risk entirely, fitting low appetite.
Transfer the risk by requiring vendors to have cyber insurance.
Accept the risk because third-party risks are unavoidable.
In a risk assessment, a CISM calculates the annualized loss expectancy (ALE) for a specific threat. The single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE, and which risk response is most cost-effective if a control costs $12,000 per year and reduces ARO to 0.05?
Accept the risk because the control is not cost-justified.
The cost of control is greater than the risk reduction benefit, so acceptance is appropriate.
Accept the risk because ALE after control is only $2,500.
Implement the control because it reduces ALE to $2,500.
Implement the control because ALE is $10,000, and control cost is only $12,000.
A company is evaluating its risk management process. The CISM notices that risks are being assessed based on qualitative scales (low, medium, high) but decisions require quantitative data. What is the most effective action to improve the process?
Switch to a fully quantitative risk assessment methodology.
Use a hybrid approach that includes both qualitative and quantitative assessments.
Provides comprehensive risk information for decision-making.
Replace qualitative scales with precise monetary values.
Continue using qualitative method since it is simpler.
A multinational corporation is implementing an information security governance framework. The board has requested a mechanism to ensure that security investments align with business objectives. Which of the following is the BEST approach to achieve this alignment?
Minimize security spending to maximize ROI.
Adopt a best-practice framework such as NIST CSF and implement all controls.
Focus on regulatory compliance to ensure legal requirements are met.
Develop a risk-based prioritization framework linking security initiatives to business risk appetite.
Directly aligns security investments with business objectives through risk management.
A newly appointed CISO wants to establish an information security governance committee. What is the PRIMARY purpose of this committee?
To manage day-to-day security operations.
To implement security controls across the organization.
To approve technical security solutions.
To ensure security strategy aligns with business objectives and provide oversight.
Governance committees bridge security and business strategy.
A financial services firm has a mature information security program but is struggling to demonstrate the value of security investments to the board. Which metric would BEST communicate the effectiveness of the security program in business terms?
Number of security alerts triaged per day.
Reduction in average cost per security incident over the past year.
Directly ties security program effectiveness to financial impact.
Time to patch critical vulnerabilities.
Percentage of systems with endpoint protection installed.
During a merger, the acquiring company's CISO must integrate the security governance of the target company. The target company has no formal security governance. What is the FIRST step the CISO should take?
Conduct a security awareness training for the target company's employees.
Perform a comprehensive risk assessment of the target company's security posture.
Initial assessment informs integration strategy.
Align the target company's security policies with the acquirer's policies.
Implement the acquirer's security governance framework immediately.
An organization's security governance committee has approved a new security policy. What is the NEXT critical step to ensure the policy's effectiveness?
Implement technical controls to enforce the policy.
Conduct an audit to measure compliance.
Communicate the policy to all relevant stakeholders and provide training.
Awareness and understanding are prerequisites for compliance.
Enforce disciplinary actions for non-compliance.
A healthcare organization is developing an information security strategy. The board has mandated that the strategy must support innovation while protecting patient data. Which governance approach BEST balances these priorities?
Implement strict access controls and encryption for all data.
Establish a risk appetite framework that defines acceptable risk levels for innovation initiatives.
Enables informed decision-making balancing innovation and security.
Adopt a 'security by design' approach for all new projects.
Create a separate innovation sandbox with limited data access.
A multinational corporation has just detected a ransomware attack that encrypted critical files on a file server. The incident response team has been activated. Which of the following should be the FIRST action taken by the team?
Restore encrypted files from backup
Reboot the file server to clear the encryption
Isolate the affected systems from the network
Isolation stops the ransomware from spreading and limits damage.
Notify law enforcement
During an incident investigation, the security team discovers that an attacker exfiltrated sensitive customer data via encrypted DNS tunneling over a period of three months. The data loss was only noticed after a routine audit. Which of the following weaknesses MOST likely allowed the attacker to remain undetected for so long?
Inadequate monitoring of DNS traffic for anomalies
Without monitoring DNS traffic for tunneling, exfiltration can go unnoticed for long periods.
Weak password policies
Unpatched web server software
Lack of data-at-rest encryption
An organization's incident response plan includes a step to 'contain the incident.' Which of the following actions is an example of containment?
Disconnecting an infected workstation from the network
This prevents further propagation of malware.
Restoring data from backup
Analyzing log files to determine the attack vector
Removing malware from the system
During a simulated phishing exercise, several employees clicked a link and entered their credentials on a fake login page. The security team needs to determine the impact. Which of the following should be the NEXT step?
Reset the affected employees' passwords and enable multi-factor authentication
This mitigates the credential compromise.
Implement a security awareness training program
Conduct a forensic analysis of the employees' workstations
Block the phishing domain at the web proxy
An organization is developing an incident response plan. The CISO wants to ensure that the plan aligns with industry best practices. Which framework should the CISO use as a primary reference?
ISO 31000
NIST Cybersecurity Framework
ITIL
NIST SP 800-61
NIST SP 800-61 is the standard for computer security incident handling.
After a security incident, the incident response team prepares a report detailing the root cause, impact, and lessons learned. Who is the PRIMARY audience for this report?
The affected users
Senior management and the board of directors
They need to make strategic decisions based on the incident.
The IT support team
External auditors
The CISM exam has 150 questions and must be completed in 240 minutes. The passing score is 450/1000.
Scenario-based management questions on information security governance, risk management, programme development, and incident response.
The exam covers 4 domains: Information Security Program, Information Security Risk Management, Information Security Governance, Incident Management. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official ISACA CISM exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.