Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CISM Information Security Governance • Complete Question Bank

CISM Information Security Governance — All Questions With Answers

Complete CISM Information Security Governance question bank — all 0 questions with answers and detailed explanations.

85 questions · Free · No signup
Question 1 (easy, multiple choice)

Which of the following is the PRIMARY responsibility of the board of directors regarding information security governance?

Question 2 (easy, multiple choice)

An organization has a decentralized governance model where each business unit manages its own security. What is a key challenge of this model?

Question 3 (medium, multiple choice)

A CISO is developing a multi-year security roadmap. Which of the following should be the PRIMARY driver for prioritizing initiatives?

Question 4 (medium, multiple choice)

Which capability maturity model (CMM) level indicates that security processes are proactively measured and optimized?

Question 5 (medium, multiple choice)

An organization is implementing a new security policy. Which step should occur AFTER the policy is approved?

Question 6 (medium, multiple choice)

Which board-level metric is MOST useful for measuring the effectiveness of the incident response process?

Question 7 (hard, multiple choice)

A CISO is building a business case for a new security tool. Which approach BEST articulates the return on investment (ROI) to the board?

Question 8 (hard, multiple choice)

An organization is subject to GDPR, PCI DSS, and SOX. What is the BEST approach to manage compliance with multiple regulations?

Question 9 (hard, multiple choice)

A security awareness programme is being evaluated. Which metric BEST indicates a positive security culture?

Question 10 (medium, multiple choice)

Which of the following is the PRIMARY benefit of having a formal policy exception management process?

Question 11 (medium, multiple choice)

An organization is deciding whether to adopt a centralized or hybrid security governance model. Which factor MOST strongly favors a hybrid model?

Question 12 (easy, multiple choice)

Which of the following is the PRIMARY responsibility of the CISO in an organization?

Question 13 (medium, multi select)

A CISO is reporting to the board on the effectiveness of the security programme. Which TWO metrics are MOST appropriate for board-level reporting? (Select TWO)

Question 14 (hard, multi select)

An organization is updating its information security strategy. Which THREE elements should be included to ensure alignment with business objectives? (Select THREE)

Question 15 (hard, multi select)

A security policy is being developed. Which THREE steps are part of the policy development lifecycle? (Select THREE)

Question 16 (easy, multiple choice)

Which of the following is the primary responsibility of the board of directors in information security governance?

Question 17 (medium, multiple choice)

An organization is implementing a hybrid governance model for information security. Which statement best describes this approach?

Question 18 (hard, multiple choice)

A CISO is developing a multi-year security roadmap. Which approach best ensures the roadmap aligns with business strategy?

Question 19 (medium, multiple choice)

Which capability maturity model (CMM) level is characterized by security processes being standardized and documented across the organization?

Question 20 (easy, multiple choice)

A security metrics program should include key performance indicators (KPIs) for board reporting. Which metric is most appropriate for executive oversight?

Question 21 (medium, multiple choice)

During a security policy development lifecycle, which step should occur immediately after 'drafting' the policy?

Question 22 (hard, multiple choice)

A company is considering a policy exception that would allow temporary non-compliance with a data encryption standard due to a legacy system. What is the most important element of the exception management process?

Question 23 (medium, multiple choice)

Which of the following is the correct order in the security policy hierarchy, from highest to lowest level?

Question 24 (easy, multiple choice)

Which metric best indicates the effectiveness of a security awareness program in changing employee behavior?

Question 25 (hard, multiple choice)

A multinational organization handles personal data of EU residents. Which regulatory requirement must the information security program address?

Question 26 (medium, multiple choice)

Which of the following best describes the role of the chief information security officer (CISO) in a governance context?

Question 27 (easy, multiple choice)

Which component is essential for building a strong security culture within an organization?

Question 28 (medium, multi select)

A CISO is preparing a business case for a new security investment. Which TWO elements are most important to include to justify the investment?

Question 29 (hard, multi select)

An organization is designing a security metrics dashboard for the board of directors. Which THREE metrics are most appropriate for board-level reporting?

Question 30 (medium, multi select)

A security manager is conducting a regulatory compliance review. Which THREE regulations are most likely to apply to a financial services company operating in the United States?

Question 31 (easy, multiple choice)

Which governance structure is characterized by a single security team that serves the entire organization?

Question 32 (medium, multiple choice)

An organization is developing an information security strategy aligned with business objectives. Which of the following is the BEST approach to prioritize security investments?

Question 33 (hard, multiple choice)

A CISO is reporting to the board of directors. Which metric would BEST demonstrate the effectiveness of the security program in reducing business impact?

Question 34 (medium, multiple choice)

Which of the following is the FIRST step in the security policy development lifecycle?

Question 35 (easy, multiple choice)

A policy exception management process allows a business unit to temporarily deviate from a security policy. What is the MOST important requirement for such an exception?

Question 36 (medium, multiple choice)

An organization's board of directors wants to improve security culture. Which initiative would have the GREATEST impact?

Question 37 (hard, multiple choice)

A multinational organization must comply with GDPR, CCPA, and PCI DSS. The security manager is designing a compliance monitoring program. Which approach is MOST efficient?

Question 38 (medium, multiple choice)

In which reporting model does the CISO have a direct reporting line to the CEO while also reporting to the CIO on operational matters?

Question 39 (easy, multiple choice)

Which capability maturity model (CMM) level indicates that security processes are managed and measured using quantitative metrics?

Question 40 (hard, multiple choice)

A CISO is building a business case for a new security tool. Which approach BEST quantifies the value of the investment?

Question 41 (medium, multiple choice)

Which of the following is the BEST metric for the board to assess the security program's effectiveness in detecting threats?

Question 42 (medium, multiple choice)

An organization is updating its security policies. After drafting the policy, which step should occur NEXT?

Question 43 (medium, multi select)

A CISO is designing a security metrics program for the board. Which TWO metrics are MOST appropriate for board-level reporting?

Question 44 (hard, multi select)

A financial services firm is subject to SOX, PCI DSS, and GDPR. The CISO needs to implement a regulatory change management process. Which THREE steps are essential?

Question 45 (easy, multi select)

Which TWO elements are key components of a security culture measurement program?

Question 46 (easy, multiple choice)

Which governance model is characterized by a single, centralized security team that serves the entire organization?

Question 47 (medium, multiple choice)

An organization's board of directors wants to ensure that security activities align with business objectives. Which governance practice best supports this alignment?

Question 48 (hard, multiple choice)

A CISO reports to the CIO and provides regular security updates to the board audit committee. The CEO has delegated security accountability to the CFO. Which governance structure does this reflect?

Question 49 (easy, multiple choice)

Which capability maturity model (CMM) level indicates that security processes are measured and controlled?

Question 50 (medium, multiple choice)

A security manager wants to measure the effectiveness of the security awareness program. Which metric is most relevant?

Question 51 (hard, multiple choice)

During a policy exception review, the CISO identifies that multiple exceptions have been granted for the same control due to business constraints. What is the best course of action?

Question 52 (medium, multiple choice)

Which regulatory requirement mandates that organizations implement data protection measures for personal data of EU citizens?

Question 53 (easy, multiple choice)

What is the primary purpose of a security incident near-miss reporting culture?

Question 54 (medium, multiple choice)

A company is developing a business case for a new security tool. Which metric best demonstrates the value of the investment?

Question 55 (hard, multiple choice)

An organization's security strategy includes a goal to achieve CMM Level 3. What capability does the organization need to demonstrate?

Question 56 (medium, multiple choice)

Which board-level committee typically receives security reports to provide oversight?

Question 57 (easy, multiple choice)

What is the first step in the security policy development lifecycle?

Question 58 (medium, multi select)

A CISO is presenting a security investment proposal to the board. Which two metrics are most effective for articulating the business value of the investment?

Question 59 (hard, multi select)

An organization is updating its security governance framework. Which three elements are essential for ensuring board-level oversight?

Question 60 (medium, multi select)

A security manager is measuring the security culture of the organization. Which three metrics are most appropriate?

Question 61 (easy, multiple choice)

Which of the following is the PRIMARY reason for aligning the information security program with business objectives?

Question 62 (medium, multiple choice)

An organization has a decentralized governance model with security teams embedded in each business unit. The CISO is concerned about inconsistent security controls across the enterprise. What is the BEST recommendation to address this?

Question 63 (hard, multiple choice)

A CISO is preparing a multi-year security roadmap. Which of the following is the MOST critical factor for ensuring the roadmap aligns with business strategy?

Question 64 (medium, multiple choice)

In a Capability Maturity Model (CMM) for information security processes, which level is characterized by processes being measured and controlled?

Question 65 (easy, multiple choice)

The board of directors has requested a security metrics dashboard. Which metric would BEST demonstrate the effectiveness of the incident response process?

Question 66 (medium, multiple choice)

An organization is developing a security policy for remote access. According to the policy hierarchy, where should this policy fit?

Question 67 (hard, multiple choice)

A CISO is building a business case for a new security tool. Which of the following approaches is MOST effective for justifying the investment?

Question 68 (medium, multiple choice)

Which of the following is the PRIMARY role of the board of directors in information security governance?

Question 69 (easy, multiple choice)

Which of the following best describes a key benefit of a centralized information security governance model?

Question 70 (medium, multiple choice)

An organization is implementing a security awareness program. Which metric is MOST indicative of a positive security culture?

Question 71 (hard, multiple choice)

A multinational organization must comply with GDPR, CCPA, and PCI DSS. Which approach is MOST effective for managing these overlapping requirements?

Question 72 (easy, multiple choice)

Which of the following is the FIRST step in the security policy development lifecycle?

Question 73 (medium, multi select)

A CISO is presenting a security metrics dashboard to the board. Which TWO metrics are most appropriate for board-level reporting? (Select TWO.)

Question 74 (hard, multi select)

An organization is implementing a policy exception management process. Which THREE elements are essential for effective exception handling? (Select THREE.)

Question 75 (medium, multi select)

Which TWO factors are most important when prioritizing security investments? (Select TWO.)

Question 76 (medium, multiple choice)

An organization has a decentralized governance model where each business unit manages its own security team. The CISO reports to the CIO. Which of the following is the GREATEST risk associated with this structure?

Question 77 (hard, multiple choice)

A CISO is developing a multi-year security roadmap aligned with business strategy. The organization is in a highly regulated industry with frequent regulatory changes. Which of the following should be the PRIMARY driver for prioritizing security initiatives?

Question 78 (easy, multiple choice)

Which of the following is the BEST example of a board-level security metric?

Question 79 (medium, multiple choice)

An organization is updating its security policy framework. The current enterprise security policy has not been reviewed in three years. What is the FIRST step in the policy development lifecycle?

Question 80 (medium, multi select)

A CISO is building a business case for a new security tool. Which TWO metrics would BEST justify the investment to senior leadership?

Question 81 (hard, multi select)

An organization is implementing a security culture measurement program. Which THREE metrics would BEST indicate a positive security culture?

Question 82 (easy, multi select)

Which TWO components are essential for an effective information security governance framework?

Question 83 (medium, multi select)

A CISO is developing a security strategy. Which THREE elements should be included in a multi-year security roadmap?

Question 84 (hard, multi select)

An organization is designing a policy exception management process. Which THREE elements are critical for this process to be effective?

Question 85 (medium, multi select)

Which TWO regulations are MOST likely to impact an organization that processes credit card payments and handles personal data of EU residents?
