© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

ISACA · Free Practice Questions · Last reviewed May 2026

CISM Exam Questions and Answers

24 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

150 exam questions
240 min time limit
Pass: 450/1000
4 exam domains
Domain 1: Information Security Program

Q1 (medium)

An organization's information security program has been in place for two years. During a recent audit, several findings indicated that security controls are not consistently applied across business units. The CISO has been asked to improve the program. Which of the following should the CISO do FIRST?

A. Automate security compliance monitoring across all business units.
B. Update the information security policy to mandate compliance.
C. Conduct a risk assessment to identify gaps and prioritize remediation. (Correct)
   A risk assessment provides the basis for prioritizing controls and ensuring consistent application based on risk.
D. Implement additional security controls across all business units.

Why: Conducting a risk assessment first (Option C) is the correct initial step because it systematically identifies where controls are failing or missing across business units, quantifies the associated risks, and prioritizes remediation based on business impact. Without this foundational analysis, any subsequent actions—such as automation, policy updates, or new controls—would lack direction and could waste resources on low-priority areas. This aligns with the CISM program lifecycle, where risk assessment drives all other program improvements.
Q2 (hard)

A multinational corporation is designing its information security program and must decide how to balance security with business agility. The company operates in highly regulated industries with varying legal requirements. Which of the following approaches BEST aligns with industry best practices for such an environment?

A. Implement the strictest regulatory requirements globally to ensure compliance everywhere.
B. Adopt a baseline of controls that meet the lowest common denominator of all regulations.
C. Develop a risk-based framework that allows for tailored controls based on local risk assessments. (Correct)
   A risk-based approach provides flexibility while ensuring that controls are appropriate for the risks.
D. Allow each business unit to define its own security controls based on local requirements.

Why: Option C is correct because a risk-based framework, such as ISO 27001 or NIST SP 800-53, allows the organization to establish a baseline of controls while tailoring them to address specific local legal requirements and risk profiles. This approach balances security and business agility by avoiding unnecessary overhead from overly strict global mandates while ensuring that critical regulatory obligations are met through localized risk assessments.
Q3 (easy)

An organization is developing a new information security program and wants to ensure it aligns with business objectives. Which of the following is the MOST critical first step?

A. Develop a security awareness training program.
B. Identify business strategy and risk appetite. (Correct)
   Aligning with business strategy ensures security enables rather than hinders the business.
C. Design the security architecture based on industry frameworks.
D. Conduct a comprehensive risk assessment.

Why: Identifying business strategy and risk appetite is the most critical first step because the information security program must be designed to support the organization's objectives and operate within the risk tolerance defined by leadership. Without this alignment, subsequent security controls and investments may conflict with business goals or fail to address the risks the organization is willing to accept. This ensures that security is a business enabler rather than a technical silo.
Q4 (medium)

During a merger, two companies with different information security programs are being integrated. The combined entity must maintain compliance with PCI DSS and GDPR. The CISO is concerned about gaps in coverage due to differing maturity levels. Which of the following is the BEST approach to harmonize the programs?

A. Adopt the more stringent security program from the acquirer across the entire entity.
B. Merge the two programs by combining all controls from each.
C. Implement a completely new framework that meets both regulations.
D. Perform a gap analysis against the requirements and prioritize remediation. (Correct)
   A gap analysis provides a clear picture of what is missing and allows for efficient resource allocation.

Why: Option D is correct because a gap analysis identifies where controls are missing or insufficient, allowing for a prioritized remediation plan. Option A is wrong because adopting the higher standard may be unnecessary and costly. Option B is wrong because merging without analysis could introduce risks. Option C is wrong because a new framework from scratch may not leverage existing investments.
Q5 (medium)

Which TWO of the following are key components of an information security program governance structure? (Select TWO.)

A. A steering committee that includes senior management and business unit leaders. (Correct)
   A steering committee ensures alignment with business strategy and provides oversight.
B. An incident response plan that defines roles and procedures.
C. Regular reporting to the board of directors on security metrics and risks. (Correct)
   Reporting to the board ensures visibility and accountability.
D. A vulnerability scanning schedule and remediation SLAs.
E. A firewall policy that specifies allowed and denied traffic.

Why: A steering committee that includes senior management and business unit leaders is a key component of an information security program governance structure because it provides strategic oversight, aligns security initiatives with business objectives, and ensures accountability at the executive level. This committee typically authorizes policies, reviews risk appetite, and approves resource allocation, which are essential for effective governance.
Q6 (hard)

Refer to the exhibit. An analyst observes the network traffic between three internal hosts and a web server. Which of the following is the MOST likely interpretation of this traffic?

A. A SYN flood attack is in progress.
B. A single host is using multiple IP addresses to scan the server.
C. Multiple users are accessing the web server normally. (Correct)
   The logs show successful TCP connections followed by HTTP requests.
D. A distributed denial-of-service (DDoS) attack is occurring.

Why: The exhibit shows multiple internal hosts (10.0.0.1, 10.0.0.2, 10.0.0.3) each establishing a normal TCP three-way handshake with the web server (192.168.1.100) on port 80, with varying source ports and no abnormal flags or packet rates. This pattern indicates legitimate concurrent user access, as each host completes the handshake and exchanges data without flooding or scanning behavior.

Domain 2: Information Security Risk Management

Q1 (medium)

A financial institution is implementing a new online banking platform. The risk assessment identified that the authentication module has a high likelihood of exploitation due to weak password policies. The risk owner has decided to implement multi-factor authentication (MFA) to reduce the risk. This is an example of which risk response strategy?

A. Risk avoidance
B. Risk mitigation (Correct)
   MFA reduces the likelihood or impact of the risk, which is the definition of risk mitigation.
C. Risk acceptance
D. Risk transfer

Why: Implementing multi-factor authentication (MFA) reduces the likelihood or impact of a security risk by adding additional authentication factors (e.g., something you know, something you have, something you are) beyond a weak password. This directly aligns with risk mitigation, which seeks to decrease the residual risk to an acceptable level through controls. The decision does not eliminate the risk entirely (avoidance), accept it without action, or transfer it to a third party.
Q2 (hard)

An organization has a risk appetite that allows for a maximum residual risk level of 'medium' for all operational risks. A new project introduces a risk with inherent risk level 'high' and control effectiveness rated as 'partially effective'. The risk owner proposes to accept the risk. As the CISM, what is the best course of action?

A. Accept the risk since the risk owner has agreed.
B. Transfer the risk to an insurance company.
C. Insist on additional controls to reduce residual risk to at least 'medium'. (Correct)
   This ensures residual risk aligns with appetite, which is the correct risk management approach.
D. Recommend revising the risk appetite to accommodate this risk.

Why: The organization's risk appetite mandates that residual risk must be at 'medium' or lower. With an inherent risk of 'high' and controls rated 'partially effective', the residual risk remains above the acceptable threshold. Therefore, the best course is to insist on additional controls to bring residual risk down to at least 'medium', ensuring compliance with the risk appetite.
Q3 (easy)

During a risk assessment, a CISM identifies that the organization's data backup process has a single point of failure. The backup server is located in the same data center as the primary server. Which risk response is most appropriate?

A. Mitigate by moving the backup server to a geographically separate location. (Correct)
   This reduces the likelihood of both servers being lost simultaneously.
B. Transfer the risk by purchasing business interruption insurance.
C. Avoid the risk by discontinuing the backup process.
D. Accept the risk because the cost of mitigation is high.

Why: Moving the backup server to a geographically separate location directly eliminates the single point of failure by ensuring that a localized disaster (e.g., fire, flood, power outage) at the primary data center does not simultaneously destroy both the primary and backup data. This is a classic risk mitigation strategy that reduces the likelihood and impact of data loss, aligning with the principle of geographic redundancy for disaster recovery.
Q4 (medium)

A multinational corporation is assessing the risk of data breaches from third-party vendors. The CISM is tasked with selecting a risk treatment strategy. The organization has a low risk appetite for data breaches. Which strategy should be prioritized?

A. Mitigate the risk by conducting regular vendor audits.
B. Avoid the risk by not engaging vendors that cannot meet security requirements. (Correct)
   Avoidance eliminates the risk entirely, fitting low appetite.
C. Transfer the risk by requiring vendors to have cyber insurance.
D. Accept the risk because third-party risks are unavoidable.

Why: Given the organization's low risk appetite for data breaches, the most appropriate strategy is to avoid the risk entirely by not engaging vendors that cannot meet security requirements. This aligns with the principle that when risk exceeds the acceptable threshold, avoidance is the prioritized treatment. Avoidance eliminates the risk source, whereas other strategies like mitigation or transfer still retain some residual risk that may be unacceptable.
Q5 (hard)

In a risk assessment, a CISM calculates the annualized loss expectancy (ALE) for a specific threat. The single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE, and which risk response is most cost-effective if a control costs $12,000 per year and reduces ARO to 0.05?

A. Accept the risk because the control is not cost-justified. (Correct)
   The cost of control is greater than the risk reduction benefit, so acceptance is appropriate.
B. Accept the risk because ALE after control is only $2,500.
C. Implement the control because it reduces ALE to $2,500.
D. Implement the control because ALE is $10,000, and control cost is only $12,000.

Why: The ALE is calculated as SLE × ARO = $50,000 × 0.2 = $10,000. After implementing the control costing $12,000 per year, the residual ALE is $50,000 × 0.05 = $2,500. The annual cost of the control ($12,000) exceeds the reduction in ALE ($10,000 - $2,500 = $7,500), so the control is not cost-justified. Therefore, accepting the risk is the most cost-effective response.
Q6 (easy)

A company is evaluating its risk management process. The CISM notices that risks are being assessed based on qualitative scales (low, medium, high) but decisions require quantitative data. What is the most effective action to improve the process?

A. Switch to a fully quantitative risk assessment methodology.
B. Use a hybrid approach that includes both qualitative and quantitative assessments. (Correct)
   Provides comprehensive risk information for decision-making.
C. Replace qualitative scales with precise monetary values.
D. Continue using qualitative method since it is simpler.

Why: A hybrid approach (Option B) is most effective because it leverages qualitative scales for initial, rapid risk identification and prioritization, while quantitative data (e.g., ALE, SLE, ARO) provides the monetary rigor needed for cost-benefit analysis and management decisions. This aligns with ISACA's guidance that risk assessment should be tailored to the decision context, not purely one method.

Domain 3: Information Security Governance

Q1 (medium)

A multinational corporation is implementing an information security governance framework. The board has requested a mechanism to ensure that security investments align with business objectives. Which of the following is the BEST approach to achieve this alignment?

A. Minimize security spending to maximize ROI.
B. Adopt a best-practice framework such as NIST CSF and implement all controls.
C. Focus on regulatory compliance to ensure legal requirements are met.
D. Develop a risk-based prioritization framework linking security initiatives to business risk appetite. (Correct)
   Directly aligns security investments with business objectives through risk management.

Why: Option D is correct because a risk-based prioritization framework directly maps security initiatives to the organization's risk appetite, ensuring that investments target the most critical business risks. This aligns with the CISM principle that governance must link security activities to business objectives through risk management, not through arbitrary cost-cutting or blanket compliance.
Q2 (easy)

A newly appointed CISO wants to establish an information security governance committee. What is the PRIMARY purpose of this committee?

A. To manage day-to-day security operations.
B. To implement security controls across the organization.
C. To approve technical security solutions.
D. To ensure security strategy aligns with business objectives and provide oversight. (Correct)
   Governance committees bridge security and business strategy.

Why: The primary purpose of an information security governance committee is to ensure that the security strategy aligns with business objectives and to provide oversight. This committee does not execute day-to-day operations or implement controls; instead, it sets direction, reviews risk posture, and ensures that security investments support organizational goals, as defined in frameworks like COBIT and ISO 38500.
Q3 (hard)

A financial services firm has a mature information security program but is struggling to demonstrate the value of security investments to the board. Which metric would BEST communicate the effectiveness of the security program in business terms?

A. Number of security alerts triaged per day.
B. Reduction in average cost per security incident over the past year. (Correct)
   Directly ties security program effectiveness to financial impact.
C. Time to patch critical vulnerabilities.
D. Percentage of systems with endpoint protection installed.

Why: The reduction in average cost per security incident directly translates security program outcomes into financial terms that resonate with the board. This metric demonstrates the program's effectiveness by quantifying the monetary value of improved prevention, detection, and response capabilities, aligning with the CISM focus on governance and business alignment.
Q4 (medium)

During a merger, the acquiring company's CISO must integrate the security governance of the target company. The target company has no formal security governance. What is the FIRST step the CISO should take?

A. Conduct a security awareness training for the target company's employees.
B. Perform a comprehensive risk assessment of the target company's security posture. (Correct)
   Initial assessment informs integration strategy.
C. Align the target company's security policies with the acquirer's policies.
D. Implement the acquirer's security governance framework immediately.

Why: Without a formal security governance structure, the CISO must first understand the target company's current security posture through a comprehensive risk assessment. This step identifies vulnerabilities, threats, and gaps in controls, providing the baseline data needed to prioritize integration efforts and align with the acquirer's governance framework. Skipping this assessment risks implementing policies that are irrelevant or ineffective against the target's actual risks.
Q5 (easy)

An organization's security governance committee has approved a new security policy. What is the NEXT critical step to ensure the policy's effectiveness?

A. Implement technical controls to enforce the policy.
B. Conduct an audit to measure compliance.
C. Communicate the policy to all relevant stakeholders and provide training. (Correct)
   Awareness and understanding are prerequisites for compliance.
D. Enforce disciplinary actions for non-compliance.

Why: Option C is correct because communication and training are essential for adoption. Option A is wrong because implementation without communication leads to non-compliance. Option B is wrong because auditing before implementation is premature. Option D is wrong because enforcement without understanding is ineffective.
Q6 (hard)

A healthcare organization is developing an information security strategy. The board has mandated that the strategy must support innovation while protecting patient data. Which governance approach BEST balances these priorities?

A. Implement strict access controls and encryption for all data.
B. Establish a risk appetite framework that defines acceptable risk levels for innovation initiatives. (Correct)
   Enables informed decision-making balancing innovation and security.
C. Adopt a 'security by design' approach for all new projects.
D. Create a separate innovation sandbox with limited data access.

Why: A risk appetite framework (Option B) is the correct governance approach because it explicitly defines the level of risk the organization is willing to accept in pursuit of innovation, allowing the board to balance patient data protection with strategic growth. This framework provides a decision-making boundary for security controls, ensuring that innovation initiatives are not stifled by overly restrictive measures while still maintaining compliance with healthcare regulations like HIPAA and HITECH.

Domain 4: Incident Management

Q1 (medium)

A multinational corporation has just detected a ransomware attack that encrypted critical files on a file server. The incident response team has been activated. Which of the following should be the FIRST action taken by the team?

A. Restore encrypted files from backup
B. Reboot the file server to clear the encryption
C. Isolate the affected systems from the network (Correct)
   Isolation stops the ransomware from spreading and limits damage.
D. Notify law enforcement

Why: The first priority in ransomware incident response is containment to prevent the encryption from spreading to other systems. Isolating the affected file server from the network (e.g., disabling the network interface or disconnecting the cable) stops the ransomware from communicating with its command-and-control server and encrypting additional shares. This aligns with the NIST SP 800-61 containment strategy and ensures that the incident response team can safely preserve forensic evidence before any remediation.
Q2 (hard)

During an incident investigation, the security team discovers that an attacker exfiltrated sensitive customer data via encrypted DNS tunneling over a period of three months. The data loss was only noticed after a routine audit. Which of the following weaknesses MOST likely allowed the attacker to remain undetected for so long?

A. Inadequate monitoring of DNS traffic for anomalies (Correct)
   Without monitoring DNS traffic for tunneling, exfiltration can go unnoticed for long periods.
B. Weak password policies
C. Unpatched web server software
D. Lack of data-at-rest encryption

Why: The correct answer is A because DNS tunneling exfiltrates data by encoding it within DNS queries and responses, which are often allowed through firewalls without deep inspection. The attacker remained undetected for three months because the security team lacked monitoring of DNS traffic for anomalies, such as unusual query volumes, non-standard record types (e.g., TXT records), or domains with high entropy. Without DNS-specific anomaly detection or a security information and event management (SIEM) system correlating DNS logs, the exfiltration blended into normal traffic.
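As an added example (not part of the original page or of Courseiva's material), the following Python script applies the anomaly checks the explanation names, query volume per client and domain, TXT-heavy lookups, and high-entropy subdomain labels, to constructed sample resolver log lines. The "timestamp client qtype qname" log layout, the thresholds and the two-label domain split are all assumptions for illustration.

```python
"""Detection logic for the DNS tunneling indicators the explanation lists:
query volume to one domain, TXT-heavy lookups, high-entropy subdomain labels."""
import math
from collections import defaultdict

# Constructed sample log lines in an assumed "timestamp client qtype qname" layout;
# not the output of any real resolver. Host 10.0.0.9 mimics encoded-data lookups.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 A www.example.com
2024-05-01T10:00:02 10.0.0.5 A mail.example.com
2024-05-01T10:00:03 10.0.0.7 A cdn.example.net
2024-05-01T10:00:04 10.0.0.9 TXT 0123456789abcdef0123456789abcdef.tunnel.example
2024-05-01T10:00:05 10.0.0.9 TXT fedcba98765432100123456789abcdef.tunnel.example
2024-05-01T10:00:06 10.0.0.9 TXT 13579bdf02468ace13579bdf02468ace.tunnel.example
2024-05-01T10:00:07 10.0.0.9 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel.example
2024-05-01T10:00:08 10.0.0.9 TXT 4a7f9c2e1b8d6e3f0a5c7b9d2e4f6a8c.tunnel.example
2024-05-01T10:00:09 10.0.0.5 A www.example.com
malformed line that the parser must skip
"""


def shannon_entropy(text):
    """Bits per character; encoded or encrypted payloads score near the alphabet maximum."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registrable domain, subdomain part). Assumes the registrable domain
    is the last two labels; a simplification with no public-suffix handling."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze_dns_log(log_text, min_queries=4, txt_ratio=0.5, entropy_threshold=3.5):
    """Aggregate queries per (client, domain) and flag pairs matching the indicators.
    The threshold values are illustrative assumptions; tune them to a measured baseline."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "entropy_sum": 0.0, "subs": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, qtype, qname = fields
        domain, sub = split_qname(qname)
        s = stats[(client, domain)]
        s["queries"] += 1
        if qtype.upper() == "TXT":
            s["txt"] += 1
        s["entropy_sum"] += shannon_entropy(sub)
        s["subs"].add(sub)

    flagged = {}
    for key, s in stats.items():
        if s["queries"] < min_queries:
            continue  # too little traffic to judge; avoids flagging one-off lookups
        reasons = []
        txt_share = s["txt"] / s["queries"]
        mean_entropy = s["entropy_sum"] / s["queries"]
        if txt_share >= txt_ratio:
            reasons.append("txt_share=%.2f" % txt_share)
        if mean_entropy >= entropy_threshold:
            reasons.append("mean_subdomain_entropy=%.2f" % mean_entropy)
        if reasons:
            flagged[key] = {"queries": s["queries"],
                            "unique_subdomains": len(s["subs"]),
                            "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for (client, domain), info in analyze_dns_log(SAMPLE_LOG).items():
        print(client, domain, info)
```

Only the 10.0.0.9 to tunnel.example pair is flagged, on both the TXT share and the entropy rule; the normal lookups from 10.0.0.5 fall below the minimum query count and have low-entropy labels.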
Q3 (easy)

An organization's incident response plan includes a step to 'contain the incident.' Which of the following actions is an example of containment?

A. Disconnecting an infected workstation from the network (Correct)
   This prevents further propagation of malware.
B. Restoring data from backup
C. Analyzing log files to determine the attack vector
D. Removing malware from the system

Why: Disconnecting an infected workstation from the network is a classic containment action because it immediately isolates the compromised system, preventing the spread of malware or unauthorized lateral movement to other hosts. Containment focuses on limiting the scope and impact of an incident, not on remediation or investigation. This step aligns with the NIST SP 800-61 incident response lifecycle, where containment is performed before eradication and recovery.
Q4 (medium)

During a simulated phishing exercise, several employees clicked a link and entered their credentials on a fake login page. The security team needs to determine the impact. Which of the following should be the NEXT step?

A. Reset the affected employees' passwords and enable multi-factor authentication (Correct)
   This mitigates the credential compromise.
B. Implement a security awareness training program
C. Conduct a forensic analysis of the employees' workstations
D. Block the phishing domain at the web proxy

Why: When credentials are compromised in a phishing attack, the immediate priority is to contain the breach by invalidating the exposed credentials. Resetting the affected employees' passwords and enabling multi-factor authentication (MFA) prevents attackers from using the harvested credentials for unauthorized access, especially if the credentials are reused across other systems. This aligns with the Incident Response phase of containment before moving to eradication or recovery.
Q5 (hard)

An organization is developing an incident response plan. The CISO wants to ensure that the plan aligns with industry best practices. Which framework should the CISO use as a primary reference?

A. ISO 31000
B. NIST Cybersecurity Framework
C. ITIL
D. NIST SP 800-61 (Correct)
   NIST SP 800-61 is the standard for computer security incident handling.

Why: NIST SP 800-61 (Computer Security Incident Handling Guide) is the definitive U.S. government standard for incident response processes, covering preparation, detection, containment, eradication, and recovery. It provides detailed, step-by-step guidance for building an incident response plan, making it the primary reference for aligning with industry best practices.
Q6 (easy)

After a security incident, the incident response team prepares a report detailing the root cause, impact, and lessons learned. Who is the PRIMARY audience for this report?

A. The affected users
B. Senior management and the board of directors (Correct)
   They need to make strategic decisions based on the incident.
C. The IT support team
D. External auditors

Why: The primary audience for a post-incident report detailing root cause, impact, and lessons learned is senior management and the board of directors. They require this information to make strategic decisions about risk acceptance, resource allocation for remediation, and to fulfill fiduciary duties regarding cybersecurity governance. The report provides the business context and financial impact necessary for executive-level oversight, not the technical details needed by operational teams.


Frequently asked questions

How many questions are on the CISM exam?

The CISM exam has 150 questions and must be completed in 240 minutes. The passing score is 450/1000.

What types of questions appear on the CISM exam?

Scenario-based management questions on information security governance, risk management, programme development, and incident response.

How are CISM questions organised by domain?

The exam covers 4 domains: Information Security Program, Information Security Risk Management, Information Security Governance, Incident Management. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual CISM exam questions?

No. These are original exam-style practice questions written against the official ISACA CISM exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
