© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
Objective 4.0

Incident Management

CISM Practice Questions

Use this page to practise Incident Management questions for this certification. Focus on how the exam tests incident management in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.


What this objective tests

CISM Incident Management — Key Topics

Incident Management questions on this certification test your ability to apply and manage incident management concepts in scenario-based situations.

  • Core Incident Management concepts and how they apply in real-world scenarios.
  • How to put incident management processes in place correctly and verify the outcome.
  • Troubleshooting incident management issues by interpreting error output and system state.
  • Best practices and Incident Management design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Incident Management

  • ⚠ Selecting the most expensive service when a simpler managed option meets the requirement.
  • ⚠ Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • ⚠ Choosing a global service fix when the issue is region-specific.
  • ⚠ Overlooking cost implications of cross-region data transfer in architecture questions.

CISM Incident Management — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

A multinational corporation has just detected a ransomware attack that encrypted critical files on a file server. The incident response team has been activated. Which of the following should be the FIRST action taken by the team?

Question 3 (hard, multiple choice)

During an incident investigation, the security team discovers that an attacker exfiltrated sensitive customer data via encrypted DNS tunneling over a period of three months. The data loss was only noticed after a routine audit. Which of the following weaknesses MOST likely allowed the attacker to remain undetected for so long?

Question 4 (easy, multiple choice)

An organization's incident response plan includes a step to 'contain the incident.' Which of the following actions is an example of containment?

Question 5 (medium, multiple choice)

During a simulated phishing exercise, several employees clicked a link and entered their credentials on a fake login page. The security team needs to determine the impact. Which of the following should be the NEXT step?

Question 6 (hard, multiple choice)

An organization is developing an incident response plan. The CISO wants to ensure that the plan aligns with industry best practices. Which framework should the CISO use as a primary reference?

Question 7 (easy, multiple choice)

After a security incident, the incident response team prepares a report detailing the root cause, impact, and lessons learned. Who is the PRIMARY audience for this report?

Question 8 (medium, multiple choice)

During an incident, the response team collects volatile data from a compromised server. Which of the following should be collected FIRST to minimize loss of evidence?

Question 9 (hard, multiple choice)

An organization uses a SIEM to correlate security events. The SIEM generates an alert for a possible brute-force attack against an admin account. The incident response team reviews the alert and finds that the account is a service account with a known password. What should the team do NEXT?

Question 10 (easy, multiple choice)

Which of the following is the PRIMARY purpose of an incident response plan?

Question 11 (medium, multiple choice)

A security analyst detects unusual outbound network traffic from a database server to an unknown IP address. The traffic uses encrypted connections on port 443. Which type of attack is MOST likely occurring?

Question 12 (hard, multiple choice)

During an incident investigation, the team discovers that an attacker used a valid user's credentials to access a sensitive database. The user's account had multi-factor authentication (MFA) enabled. How is this MOST likely possible?

Question 13 (medium, multi select)

Which TWO of the following are key indicators of a potential insider threat incident? (Select exactly 2)

Question 14 (hard, multi select)

Which THREE of the following are essential components of an incident response plan? (Select exactly 3)

Question 15 (easy, multi select)

Which TWO of the following are best practices for preserving digital evidence during an incident? (Select exactly 2)

Question 16 (medium, multi select)

Which THREE of the following are common challenges in incident response? (Select exactly 3)

Question 17 (medium, multiple choice)

Based on the SIEM alert exhibit, which immediate action should the incident responder take?

Exhibit

Refer to the exhibit.

```
[Alert] Correlation Rule: Multiple Failed Logins
Source IP: 10.0.0.55
Destination IP: 192.168.1.10
Event Count: 150 failed logins to admin account 'jsmith' within 5 minutes
Action: Triggered
```

Question 18 (hard, multiple choice)

Given the exhibit output from a web server, which connection is MOST suspicious and likely indicates a command-and-control (C2) channel?

Exhibit

Refer to the exhibit.

```
# netstat -an | grep :443
tcp4  0      0  *.443                 *.*                    LISTEN
tcp4  0      0  192.168.1.100.443     10.0.0.1.54321        ESTABLISHED
tcp4  0      0  192.168.1.100.443     10.0.0.2.54322        ESTABLISHED
tcp4  0      0  192.168.1.100.443     203.0.113.5.44333     ESTABLISHED
```

Question 19 (easy, multiple choice)

Based on the incident response policy exhibit, which phase should include notifying external stakeholders such as law enforcement?

Exhibit

Refer to the exhibit.

```
Policy: IncidentResponse
- Phase: Detection
  - Action: Alert security team
- Phase: Analysis
  - Action: Determine scope and impact
- Phase: Containment
  - Action: Isolate affected systems
- Phase: Eradication
  - Action: Remove malware
- Phase: Recovery
  - Action: Restore from backup
- Phase: Post-Incident
  - Action: Conduct lessons learned
```

Question 20 (hard, multiple choice)

You are the incident response manager for a financial services company. The company has a hybrid infrastructure with on-premises servers and cloud services. At 2:00 AM, the SIEM generates a critical alert: a database server in the DMZ is communicating with a known malicious IP address on port 443. The server contains customer PII. The on-call security analyst reports that the server is running and the connection is active. The incident response plan states that any confirmed compromise of PII must be reported to the regulator within 72 hours. You have the following options: A) Immediately isolate the server by disconnecting it from the network, then begin forensic analysis. B) Leave the server connected to gather more intelligence about the attacker's actions, but block only the malicious IP at the firewall. C) Shut down the server to preserve evidence and prevent data exfiltration. D) Copy the server's disk over the network for forensic analysis before taking any action. Which option is the BEST course of action?

Question 21 (medium, multiple choice)

You are a security analyst for a mid-sized e-commerce company. The company uses a cloud-based email service. Several employees report receiving phishing emails that appear to come from the CEO, asking them to purchase gift cards. The emails have a spoofed sender address but pass SPF and DKIM checks because the attacker compromised a legitimate email account. The CEO's account has been locked, but the attacker may have set up forwarding rules. You need to ensure the attacker cannot use the account further. You have the following options: A) Change the CEO's password and enable MFA, then remove any forwarding rules. B) Delete the CEO's email account and create a new one. C) Block all emails from the CEO's email address at the gateway. D) Restore the CEO's mailbox from a backup taken before the compromise. Which option is the BEST course of action?

Question 22 (easy, multiple choice)

An analyst receives an alert indicating a potential data exfiltration. The alert shows a host IP address 10.10.50.200 sending large amounts of data to an external IP address 203.0.113.5 over port 443. What should the analyst do FIRST?

Question 23 (medium, multiple choice)

A financial institution is designing an incident response plan. They want to ensure that during a ransomware incident, critical transaction systems can be restored within 4 hours. Which metric should be used to measure this requirement?

Question 24 (hard, multiple choice)

After a security incident, the incident response team identifies that the root cause was a phishing email that bypassed the email filter. The email contained a malicious macro that executed PowerShell commands. Which control would be MOST effective in preventing similar incidents in the future?

Question 25 (easy, multiple choice)

During an incident, the CIRT leader decides to contain a compromised server by disconnecting it from the network. However, this action may result in loss of volatile forensics data. What should the CIRT leader do?

Question 26 (medium, multiple choice)

An organization has a mature incident management process. After a major incident, they conduct a post-incident review. Which activity is MOST important during this review?

Question 27 (medium, multi select)

Which TWO actions are appropriate during the containment phase of an incident involving a malware outbreak on multiple workstations?

Question 28 (hard, multi select)

Which THREE elements should be included in an incident response plan to ensure effective communication during a security incident?

Question 29 (easy, multiple choice)

Refer to the exhibit. The security analyst observes these alerts. What is the MOST likely sequence of events?

Exhibit

Refer to the exhibit.

```
Incident Log:
[2025-03-20 08:15:23] ALERT: Multiple failed logins for user 'jsmith' from IP 10.0.0.45
[2025-03-20 08:16:01] ALERT: Successful login for user 'jsmith' from IP 10.0.0.45
[2025-03-20 08:20:45] ALERT: Unusual outbound connection from host 10.0.0.45 to 198.51.100.10:4444
[2025-03-20 08:22:30] ALERT: Large data transfer from host 10.0.0.45 to 198.51.100.10
```

Question 30 (medium, multiple choice)

Refer to the exhibit. During a ransomware incident, the response team discovers that the backup server is also encrypted. Which phase of the playbook is MOST impacted?

Exhibit

Refer to the exhibit.

```
Incident Response Playbook: Ransomware
Phase 1: Identification - Confirm ransomware via user reports and endpoint alerts.
Phase 2: Containment - Disconnect affected systems from the network. Do not power off.
Phase 3: Eradication - Remove malware using approved tools; reimage if necessary.
Phase 4: Recovery - Restore data from clean backups; verify integrity.
Phase 5: Post-Incident - Conduct lessons learned.
```

Question 31 (hard, multiple choice)

You are the incident response manager for a mid-sized e-commerce company. At 2:00 PM, the security operations center receives an alert from the intrusion detection system indicating a potential SQL injection attack against the customer database server. The server hosts a critical database containing customer PII and payment card data. The alert shows multiple suspicious queries from an internal IP address 192.168.10.50, which belongs to the development team's jump box. The development team uses this jump box to access production servers for maintenance. The jump box is managed by the IT operations team. The CEO is currently in a meeting with investors and cannot be disturbed. The CISO is on leave. The company has a written incident response plan that designates the IT director as the incident response coordinator in the absence of the CISO. The IT director has limited security knowledge. The database administrator (DBA) reports that the database is experiencing high CPU usage and that some customer records appear to have been modified. You need to take immediate action. What should you do FIRST?

More Incident Management questions available in the full practice test.
