Reinforce CISM concepts with active-recall study cards covering all 5 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.
Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For CISM preparation, this means flashcards are one of the highest-return study tools available.
Attempt recall first
Read the CISM question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.
Review wrong cards again
When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.
Study by domain
Group your CISM flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real CISM exam requires.
Short sessions beat marathon reviews
20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass CISM.
Sample cards from the CISM flashcard bank. Read the question, think of the answer, then read the explanation below.
An organization's information security program has been in place for two years. During a recent audit, several findings indicated that security controls are not consistently applied across business units. The CISO has been asked to improve the program. Which of the following should the CISO do FIRST?
Conduct a risk assessment to identify gaps and prioritize remediation.
Conducting a risk assessment first (Option C) is the correct initial step because it systematically identifies where controls are failing or missing across business units, quantifies the associated risks, and prioritizes remediation based on business impact. Without this foundational analysis, any subsequent actions—such as automation, policy updates, or new controls—would lack direction and could waste resources on low-priority areas. This aligns with the CISM program lifecycle, where risk assessment drives all other program improvements.
An organization's incident response (IR) policy should be approved by which of the following to ensure authority and accountability?
The board of directors or executive management
The IR policy requires senior management approval to demonstrate organizational commitment and allocate necessary resources.
A CISO is evaluating the reporting structure for the information security team. Which reporting line is generally considered MOST effective for ensuring independence and organizational influence?
Report to the board of directors or audit committee
Reporting to the board of directors or a board committee ensures security has a direct voice at the highest level, avoiding conflicts with IT or business operations.
Which of the following is the PRIMARY responsibility of the board of directors regarding information security governance?
Setting the strategic direction and oversight of the security programme
The board is responsible for ensuring that information security is aligned with business objectives and that adequate resources are allocated.
A financial institution is implementing a new online banking platform. The risk assessment identified that the authentication module has a high likelihood of exploitation due to weak password policies. The risk owner has decided to implement multi-factor authentication (MFA) to reduce the risk. This is an example of which risk response strategy?
Risk mitigation
Implementing multi-factor authentication (MFA) reduces the likelihood or impact of a security risk by adding additional authentication factors (e.g., something you know, something you have, something you are) beyond a weak password. This directly aligns with risk mitigation, which seeks to decrease the residual risk to an acceptable level through controls. The decision does not eliminate the risk entirely (avoidance), accept it without action, or transfer it to a third party.
A financial institution is implementing a new online banking platform. The risk assessment identified that the authentication module has a high likelihood of exploitation due to weak password policies. The risk owner has decided to implement multi-factor authentication (MFA) to reduce the risk. This is an example of which risk response strategy?
Risk mitigation
Implementing multi-factor authentication (MFA) reduces the likelihood or impact of a security risk by adding additional authentication factors (e.g., something you know, something you have, something you are) beyond a weak password. This directly aligns with risk mitigation, which seeks to decrease the residual risk to an acceptable level through controls. The decision does not eliminate the risk entirely (avoidance), accept it without action, or transfer it to a third party.
A multinational corporation is implementing an information security governance framework. The board has requested a mechanism to ensure that security investments align with business objectives. Which of the following is the BEST approach to achieve this alignment?
Develop a risk-based prioritization framework linking security initiatives to business risk appetite.
Option D is correct because a risk-based prioritization framework directly maps security initiatives to the organization's risk appetite, ensuring that investments target the most critical business risks. This aligns with the CISM principle that governance must link security activities to business objectives through risk management, not through arbitrary cost-cutting or blanket compliance.
A healthcare organization is developing an information security strategy. The board has mandated that the strategy must support innovation while protecting patient data. Which governance approach BEST balances these priorities?
Establish a risk appetite framework that defines acceptable risk levels for innovation initiatives.
A risk appetite framework (Option B) is the correct governance approach because it explicitly defines the level of risk the organization is willing to accept in pursuit of innovation, allowing the board to balance patient data protection with strategic growth. This framework provides a decision-making boundary for security controls, ensuring that innovation initiatives are not stifled by overly restrictive measures while still maintaining compliance with healthcare regulations like HIPAA and HITECH.
A newly appointed CISO wants to establish an information security governance committee. What is the PRIMARY purpose of this committee?
To ensure security strategy aligns with business objectives and provide oversight.
The primary purpose of an information security governance committee is to ensure that the security strategy aligns with business objectives and to provide oversight. This committee does not execute day-to-day operations or implement controls; instead, it sets direction, reviews risk posture, and ensures that security investments support organizational goals, as defined in frameworks like COBIT and ISO 38500.
A security analyst receives an alert from the SIEM indicating a high number of failed login attempts from a single external IP address targeting a public-facing web server. The analyst checks the logs and sees that the attempts are using common usernames. What is the MOST appropriate immediate response?
Block the IP address at the firewall.
The immediate response to a brute-force attack from a single external IP is to block that IP at the firewall. This stops the attack at the network perimeter, preventing further authentication attempts without affecting legitimate users (assuming the IP is not a known legitimate source). Delaying action could allow the attacker to compromise an account via password guessing, especially since common usernames are being targeted.
A financial services firm has a mature information security program but is struggling to demonstrate the value of security investments to the board. Which metric would BEST communicate the effectiveness of the security program in business terms?
Reduction in average cost per security incident over the past year.
The reduction in average cost per security incident directly translates security program outcomes into financial terms that resonate with the board. This metric demonstrates the program's effectiveness by quantifying the monetary value of improved prevention, detection, and response capabilities, aligning with the CISM focus on governance and business alignment.
You are the CISO of a mid-sized e-commerce company with 500 employees. The company recently suffered a data breach where an attacker exfiltrated customer credit card data from the production database. The investigation revealed that the breach originated from a compromised developer workstation. The developer had been granted direct access to the production database for troubleshooting purposes, a practice that had been in place for years. The security governance framework currently lacks a formal process for managing privileged access. The board has asked for immediate improvements to prevent recurrence. Which course of action BEST addresses the governance gap?
Implement a privileged access management (PAM) solution with just-in-time access and session recording.
The core governance gap is the lack of a formal process for managing privileged access. Implementing a Privileged Access Management (PAM) solution with just-in-time (JIT) access and session recording directly addresses this by enforcing time-bound, auditable, and approved access to the production database, eliminating standing privileges. This aligns with the principle of least privilege and provides a governance mechanism to control, monitor, and revoke elevated access, which is the root cause of the breach.
A company is considering outsourcing its security operations center (SOC). Which governance consideration is MOST critical before finalizing the decision?
The ability to maintain oversight and accountability for security outcomes.
Option D is correct because governance requires that the organization retains ultimate responsibility for security outcomes, even when functions are outsourced. Without the ability to maintain oversight and accountability, the company cannot ensure that its security posture aligns with business risk tolerance and regulatory compliance requirements. This is a fundamental principle of information security governance, as the board and senior management cannot delegate accountability.
A security analyst detects unusual outbound network traffic from a database server to an unknown IP address. The traffic uses encrypted connections on port 443. Which type of attack is MOST likely occurring?
Data exfiltration
The encrypted outbound traffic on port 443 (HTTPS) from a database server to an unknown IP is a classic indicator of data exfiltration. Attackers often use encrypted channels to bypass network security controls, as the contents of the traffic cannot be inspected by DLP or IDS/IPS systems. The database server is a high-value target for sensitive data, making this the most likely attack scenario.
A multinational corporation is assessing the risk of data breaches from third-party vendors. The CISM is tasked with selecting a risk treatment strategy. The organization has a low risk appetite for data breaches. Which strategy should be prioritized?
Avoid the risk by not engaging vendors that cannot meet security requirements.
Given the organization's low risk appetite for data breaches, the most appropriate strategy is to avoid the risk entirely by not engaging vendors that cannot meet security requirements. This aligns with the principle that when risk exceeds the acceptable threshold, avoidance is the prioritized treatment. Avoidance eliminates the risk source, whereas other strategies like mitigation or transfer still retain some residual risk that may be unacceptable.
During a simulated phishing exercise, several employees clicked a link and entered their credentials on a fake login page. The security team needs to determine the impact. Which of the following should be the NEXT step?
Reset the affected employees' passwords and enable multi-factor authentication
When credentials are compromised in a phishing attack, the immediate priority is to contain the breach by invalidating the exposed credentials. Resetting the affected employees' passwords and enabling multi-factor authentication (MFA) prevents attackers from using the harvested credentials for unauthorized access, especially if the credentials are reused across other systems. This aligns with the Incident Response phase of containment before moving to eradication or recovery.
Based on the SIEM alert exhibit, which immediate action should the incident responder take?
Lock the user account 'jsmith'
The SIEM alert indicates a successful brute-force login from source IP 10.0.0.55 to the destination server using the account 'jsmith'. Locking the user account immediately stops the attacker from further exploiting the compromised credentials, which is the most direct containment action. Blocking the IP alone would not prevent re-authentication if the attacker switches IPs, and contacting the user wastes critical time during an active incident.
During an incident investigation, the security team discovers that an attacker exfiltrated sensitive customer data via encrypted DNS tunneling over a period of three months. The data loss was only noticed after a routine audit. Which of the following weaknesses MOST likely allowed the attacker to remain undetected for so long?
Inadequate monitoring of DNS traffic for anomalies
The correct answer is A because DNS tunneling exfiltrates data by encoding it within DNS queries and responses, which are often allowed through firewalls without deep inspection. The attacker remained undetected for three months because the security team lacked monitoring of DNS traffic for anomalies, such as unusual query volumes, non-standard record types (e.g., TXT records), or domains with high entropy. Without DNS-specific anomaly detection or a security information and event management (SIEM) system correlating DNS logs, the exfiltration blended into normal traffic.
During an incident, the response team collects volatile data from a compromised server. Which of the following should be collected FIRST to minimize loss of evidence?
Contents of RAM
Volatile data, such as the contents of RAM, is lost when a system is powered off. The first priority during incident response is to capture this data because it contains running processes, network connections, encryption keys, and malware that exist only in memory. Collecting RAM first ensures that this critical evidence is preserved before any other actions that might alter the system state.
A multinational corporation has just detected a ransomware attack that encrypted critical files on a file server. The incident response team has been activated. Which of the following should be the FIRST action taken by the team?
Isolate the affected systems from the network
The first priority in ransomware incident response is containment to prevent the encryption from spreading to other systems. Isolating the affected file server from the network (e.g., disabling the network interface or disconnecting the cable) stops the ransomware from communicating with its command-and-control server and encrypting additional shares. This aligns with the NIST SP 800-61 containment strategy and ensures that the incident response team can safely preserve forensic evidence before any remediation.
After a security incident, the incident response team prepares a report detailing the root cause, impact, and lessons learned. Who is the PRIMARY audience for this report?
Senior management and the board of directors
The primary audience for a post-incident report detailing root cause, impact, and lessons learned is senior management and the board of directors. They require this information to make strategic decisions about risk acceptance, resource allocation for remediation, and to fulfill fiduciary duties regarding cybersecurity governance. The report provides the business context and financial impact necessary for executive-level oversight, not the technical details needed by operational teams.
An organization uses a SIEM to correlate security events. The SIEM generates an alert for a possible brute-force attack against an admin account. The incident response team reviews the alert and finds that the account is a service account with a known password. What should the team do NEXT?
Change the password for the service account
The correct next step is to change the password for the service account because the alert indicates a possible brute-force attack, and a known password represents a compromised credential. Even if the account is a service account, the password must be rotated to prevent unauthorized access. This aligns with the incident response principle of containing the threat by invalidating the compromised authentication factor.
After a security incident, the incident response team identifies that the root cause was a phishing email that bypassed the email filter. The email contained a malicious macro that executed PowerShell commands. Which control would be MOST effective in preventing similar incidents in the future?
Disable macros in documents originating from external sources
Disabling macros in documents from external sources directly addresses the attack vector: the malicious macro that executed PowerShell commands. This control prevents the macro from running, regardless of the email filter's failure, by blocking the execution environment at the endpoint level. It is a preventive technical control that stops the attack before it can proceed.
The CISM flashcard bank covers all 5 official blueprint domains published by ISACA. Cards are distributed proportionally, so domains with higher exam weight have more cards.
Domain Coverage
Information Security Program
Incident Management
Information Security Programme
Information Security Governance
Information Security Risk Management
Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:
Flashcards — concept retention
Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that CISM questions assume you know.
Best in: weeks 1–3
Practice tests — application
Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.CISM questions test scenario reasoning — not just recall — so practice tests are essential.
Best in: weeks 3–6
The most effective CISM study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.
Yes. Courseiva provides free CISM flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.
Courseiva has 905+ original CISM flashcards across all 5 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official ISACA exam objectives.
Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official CISM exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.
Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
Save your results, see which domains need more work, and get spaced repetition recommendations — all free.
Sign Up FreeFree forever · Every certification included