Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CISM Incident Management • Complete Question Bank

CISM Incident Management — All Questions With Answers

Complete CISM Incident Management question bank — all 0 questions with answers and detailed explanations.

150 questions · Free · No signup
Question 1 (easy, multiple choice)

An organization's incident response (IR) policy should be approved by which of the following to ensure authority and accountability?

Question 2 (medium, multiple choice)

During a P1 (critical) incident, the incident response manager has been providing hourly situation reports (sitreps) to executives. What is the primary reason for involving legal counsel in these communications?

Question 3 (medium, multiple choice)

An organization has experienced a ransomware incident that has encrypted critical servers. The incident response team is unable to restore operations within the maximum tolerable downtime (MTD). Which action should be taken next?

Question 4 (easy, multiple choice)

Which incident severity level requires executive notification and a 24/7 response?

Question 5 (hard, multiple choice)

Following a data breach, an organization conducts a root cause analysis using the 5 Whys technique. The analysis identifies that a misconfigured firewall allowed unauthorized access. What is the most important next step to prevent recurrence?

Question 6 (medium, multiple choice)

An organization's incident response plan includes playbooks for different incident types. Which playbook should be used for an incident involving unauthorized access to a user's account due to phishing?

Question 7 (easy, multiple choice)

Which of the following is typically a member of the crisis management team (CMT) during a major cybersecurity incident?

Question 8 (medium, multiple choice)

As part of post-incident activities, an organization schedules a lessons learned meeting. When should this meeting ideally take place?

Question 9 (hard, multiple choice)

During a data breach investigation, legal counsel instructs the forensics team to preserve evidence under attorney-client privilege. Which of the following actions is most critical to maintain that privilege?

Question 10 (medium, multiple choice)

An organization is updating its incident response playbook after a ransomware attack. Which of the following should be included as a key step in the ransomware playbook?

Question 11 (easy, multiple choice)

Which of the following is the primary purpose of having a pre-established forensic retainer agreement?

Question 12 (hard, multiple choice)

After a supply chain attack, the incident response team identifies that a third-party vendor's compromised credentials were used to access the organization's network. Which incident category should this be classified under?

Question 13 (medium, multi select)

Which TWO of the following are essential components of an incident response programme?

Question 14 (medium, multi select)

Which THREE of the following should be included in an incident communication template?

Question 15 (hard, multi select)

Which TWO of the following are appropriate actions for preserving evidence during a cybersecurity incident?

Question 16 (medium, multiple choice)

During a major security incident classified as P1, which of the following is the MOST appropriate communication frequency to the executive team?

Question 17 (medium, multiple choice)

An organization's incident response team has contained a ransomware incident. What is the NEXT step according to the incident management program?

Question 18 (hard, multiple choice)

An organization has just experienced a data breach involving personal data of EU residents. Under GDPR, what is the maximum time frame for notifying the supervisory authority?

Question 19 (easy, multiple choice)

Which of the following is the PRIMARY purpose of an incident response plan?

Question 20 (medium, multiple choice)

During a DDoS attack classified as P2, what is the EXPECTED response time and notification level?

Question 21 (hard, multiple choice)

An organization is conducting a root cause analysis after an insider threat incident. Which of the following tools is MOST appropriate for identifying the underlying management governance failure?

Question 22 (medium, multiple choice)

When should an incident response transition to business continuity and disaster recovery (BC/DR) activation?

Question 23 (easy, multiple choice)

Which of the following is the FIRST step when engaging an external forensics firm for an incident?

Question 24 (medium, multiple choice)

An organization has experienced a credential compromise incident. Which playbook should the incident response team primarily use?

Question 25 (hard, multiple choice)

During a major incident, the crisis management team (CMT) has been activated. Which of the following is the PRIMARY responsibility of the communications lead on the CMT?

Question 26 (easy, multiple choice)

What is the PRIMARY purpose of conducting a lessons learned meeting after an incident?

Question 27 (medium, multiple choice)

An organization's incident response team has identified that a data breach involves customer personal information. Which of the following should be done FIRST to preserve evidence for potential litigation?

Question 28 (medium, multi select)

Which TWO of the following are essential components of an incident response plan? (Select two.)

Question 29 (hard, multi select)

Which TWO of the following are key roles on the crisis management team (CMT) for a major cybersecurity incident? (Select two.)

Question 30 (medium, multi select)

Which THREE of the following are incident severity levels defined in a typical incident management program? (Select three.)

Question 31 (medium, multiple choice)

During a P1 incident, the incident response team identifies that the root cause is a misconfigured firewall. According to best practices, which of the following should be the PRIMARY focus of the root cause analysis?

Question 32 (hard, multiple choice)

An organization has experienced a ransomware attack that has encrypted critical servers. The incident response team is unable to contain the incident within the maximum tolerable downtime (MTD). Who has the authority to declare a disaster and activate the business continuity plan?

Question 33 (easy, multiple choice)

Which of the following is the PRIMARY purpose of having a pre-established contract with a digital forensics firm before an incident occurs?

Question 34 (medium, multiple choice)

During a data breach investigation, the incident response team discovers that a backup was encrypted by ransomware. The team needs to determine the sequence of events leading to the encryption. Which of the following documentation is MOST critical to preserve for potential litigation?

Question 35 (medium, multiple choice)

An organization's incident response team is handling a P2 incident involving an insider threat. The team has identified the employee responsible. The communications lead is preparing a notification to affected parties. Which of the following should be included in the notification?

Question 36 (hard, multiple choice)

Following a major security incident, the lessons learned meeting is scheduled. Which of the following outcomes is MOST important to ensure the effectiveness of future incident response?

Question 37 (easy, multiple choice)

Which incident severity level requires executive notification and a 24/7 response?

Question 38 (medium, multiple choice)

During a DDoS attack, the incident response team is struggling to mitigate the attack. The team decides to engage the organization's ISP and a DDoS mitigation service. Which of the following should be done FIRST?

Question 39 (medium, multiple choice)

An organization is subject to GDPR and experiences a data breach involving personal data. What is the maximum timeframe to notify the supervisory authority?

Question 40 (hard, multiple choice)

Following a credential compromise incident, the incident response team is conducting root cause analysis using the 5 Whys technique. The first 'why' reveals that the password was weak. The second 'why' reveals that the password policy allowed simple passwords. What should be the focus of the third 'why'?

Question 41 (easy, multiple choice)

An incident response team is conducting an exercise to test its playbook for a ransomware incident. Which of the following is the PRIMARY benefit of such an exercise?

Question 42 (medium, multiple choice)

During a P1 incident, the incident response manager is preparing an executive sitrep. Which of the following should be included to preserve legal privilege?

Question 43 (medium, multi select)

An organization is updating its incident response plan. Which TWO components should be included to ensure effective evidence handling? (Select TWO.)

Question 44 (hard, multi select)

During a major cybersecurity incident, the crisis management team (CMT) is activated. Which THREE roles are typically part of the CMT? (Select THREE.)

Question 45 (easy, multi select)

An incident response team is creating playbooks for different incident types. Which TWO incident types should have a dedicated playbook? (Select TWO.)

Question 46 (medium, multiple choice)

During a major cybersecurity incident classified as P1, the incident response team has been activated. The crisis management team (CMT) is also convened. Which of the following is the PRIMARY responsibility of the CMT during this incident?

Question 47 (easy, multiple choice)

An organization's incident response plan includes a ransomware playbook. After detecting ransomware on a critical server, which of the following should be the FIRST action according to best practices?

Question 48 (hard, multiple choice)

During a post-incident root cause analysis, the team uses the '5 Whys' technique and identifies a technical vulnerability as the cause. According to CISM best practices, what should be the NEXT level of analysis?

Question 49 (medium, multiple choice)

An incident has been declared as P2 (high severity). According to the incident classification, what is the expected response timeframe and notification requirement?

Question 50 (medium, multiple choice)

In the context of incident management, which of the following is the PRIMARY purpose of conducting lessons learned meetings within two weeks of incident resolution?

Question 51 (hard, multiple choice)

During a data breach investigation, an organization engages an external forensics firm. To preserve attorney-client privilege, which of the following is the BEST practice?

Question 52 (easy, multiple choice)

What is the PRIMARY reason for having an incident response team roster and contact list readily available?

Question 53 (medium, multiple choice)

After a DDoS attack, the incident response team determines that the incident cannot be resolved within the maximum tolerable downtime (MTD). According to best practices, what should happen next?

Question 54 (hard, multiple choice)

An organization is required to report a material cybersecurity incident to the SEC within 4 business days (proposed rule). However, the incident is still under investigation. What is the BEST course of action?

Question 55 (medium, multiple choice)

Which of the following incident types is MOST likely to require activation of the crisis management team (CMT) due to potential regulatory and reputational impact?

Question 56 (easy, multiple choice)

In the incident response team structure, who is typically responsible for coordinating communication with external stakeholders such as customers and the media?

Question 57 (hard, multiple choice)

An organization maintains evidence handling procedures for incident response. A forensic investigator needs to collect a hard drive from a compromised server. Which of the following is the MOST critical step to ensure admissibility in court?

Question 58 (medium, multi select)

An organization is updating its incident response plan. Which TWO components are essential to include for effective insider threat management? (Select TWO.)

Question 59 (medium, multi select)

After a data breach involving customer PII, the incident response team is conducting a root cause analysis. Which THREE factors should be examined according to CISM best practices? (Select THREE.)

Question 60 (hard, multi select)

An organization is preparing for a potential supply chain incident. According to CISM best practices, which THREE elements should be included in the supply chain incident playbook? (Select THREE.)

Question 61 (medium, multiple choice)

An organization has experienced a ransomware attack that encrypted critical servers. The incident has been classified as P1. Which of the following is the FIRST action the incident response team should take according to the IR plan?

Question 62 (easy, multiple choice)

Which of the following is the PRIMARY purpose of conducting a lessons learned meeting after an incident?

Question 63 (hard, multiple choice)

During a major data breach investigation, legal counsel advises the incident response team to preserve attorney-client privilege over communications with external forensic investigators. Which of the following actions BEST supports this objective?

Question 64 (medium, multiple choice)

An organization's incident response team is handling a P2 insider threat incident involving unauthorized access to customer data. According to the incident classification, which of the following is the MOST appropriate notification and response timeframe?

Question 65 (easy, multiple choice)

Which of the following is the PRIMARY reason for having a pre-established forensic retainer agreement before an incident occurs?

Question 66 (medium, multiple choice)

During a P1 incident, the crisis management team (CMT) has been activated. The CEO asks for an hourly sitrep. Which of the following is the MOST appropriate content for the sitrep?

Question 67 (hard, multiple choice)

An organization has experienced a DDoS attack that is overwhelming its internet-facing services. The incident response team has implemented mitigations, but services remain degraded. The maximum tolerable downtime (MTD) for the affected services is 4 hours, and 3 hours have passed. Which of the following should the incident manager do NEXT?

Question 68 (medium, multiple choice)

Which of the following is the BEST approach for sharing threat intelligence indicators of compromise (IoCs) after an incident?

Question 69 (easy, multiple choice)

Which of the following is the PRIMARY reason for including communication templates in the incident response plan?

Question 70 (medium, multiple choice)

An organization is conducting a root cause analysis after a data breach. Which of the following sequences BEST aligns with the 5 Whys approach from a CISM perspective?

Question 71 (hard, multiple choice)

During a P1 incident involving a ransomware attack, the crisis management team has been activated. The communications lead is drafting an all-staff internal communication. Which of the following should be INCLUDED in this communication?

Question 72 (medium, multiple choice)

Which of the following is the PRIMARY role of the executive sponsor in the incident response team structure?

Question 73 (easy, multiple choice)

Which of the following incident categories would typically require the involvement of the crisis management team?

Question 74 (medium, multiple choice)

An organization's incident response plan requires that evidence be preserved for potential litigation. Which of the following actions is MOST critical to ensure the admissibility of digital evidence?

Question 75 (hard, multiple choice)

After a data breach involving personal data of EU residents, the incident manager must ensure compliance with GDPR notification requirements. Within how many hours must the organization notify the relevant supervisory authority of the breach?

Question 76 (medium, multi select)

Which TWO of the following are essential components of an incident response (IR) plan? (Select TWO)

Question 77 (medium, multi select)

Which THREE of the following are typical roles in an incident response team? (Select THREE)

Question 78 (hard, multi select)

Which TWO of the following are key considerations when managing an external forensics firm during an incident? (Select TWO)

Question 79 (easy, multiple choice)

Which component of an incident response programme provides detailed step-by-step instructions for handling a specific type of incident?

Question 80 (medium, multiple choice)

During a P1 (critical) incident, the incident response manager is coordinating response activities. Who is primarily responsible for activating the crisis management team (CMT)?

Question 81 (hard, multiple choice)

Following a ransomware incident where data was encrypted and exfiltrated, the root cause analysis reveals that the initial access occurred through a phishing email that bypassed email filters due to a misconfiguration. The misconfiguration was not identified because the security team lacked a formal process to review firewall rule changes. Which of the following is the most appropriate management/governance failure to document in the lessons learned?

Question 82 (medium, multiple choice)

An organization has experienced a data breach involving personal data of EU residents. Under GDPR, what is the maximum time frame within which the organization must notify the relevant supervisory authority?

Question 83 (easy, multiple choice)

Which incident severity level requires executive notification and 24/7 response, and has major business impact?

Question 84 (medium, multiple choice)

During a major incident, the incident response team discovers that the incident cannot be resolved within the maximum tolerable downtime (MTD). Which of the following actions should be taken next?

Question 85 (hard, multiple choice)

An organization is engaging an external forensics firm to investigate a suspected data breach. Which of the following is the most important step to ensure that evidence remains admissible in legal proceedings?

Question 86 (easy, multiple choice)

Which role in the incident response team structure is responsible for coordinating all response activities and making decisions about incident severity classification?

Question 87 (medium, multiple choice)

A security analyst detects a series of failed login attempts followed by a successful login from an unusual geographic location. The account is a standard user account. Which incident category best describes this scenario?

Question 88 (hard, multiple choice)

After a major incident, the lessons learned meeting is scheduled. According to best practices, when should this meeting typically be held after incident resolution?

Question 89 (medium, multiple choice)

During a P1 incident involving a ransomware attack, the incident response manager needs to communicate with executives. Which of the following is the most appropriate approach for executive communication?

Question 90 (medium, multiple choice)

An organization is updating its incident response plan after a lessons learned meeting. Which of the following is the primary purpose of updating the plan based on lessons learned?

Question 91 (hard, multiple choice)

A company experiences a DDoS attack that overwhelms its internet-facing services. The incident response team implements mitigation measures. During which phase of incident response is it most appropriate to collect and preserve evidence for potential legal action?

Question 92 (easy, multiple choice)

Which type of incident response exercise involves a facilitated discussion of a hypothetical scenario to review plans and procedures?

Question 93 (medium, multiple choice)

An organization has a policy to share indicators of compromise (IoCs) with an Information Sharing and Analysis Center (ISAC). This activity is most closely associated with which phase of incident management?

Question 94 (medium, multi select)

Which TWO of the following are essential components of an incident response programme that should be established before an incident occurs? (Select TWO.)

Question 95 (medium, multi select)

Which TWO of the following are appropriate criteria for escalating an incident to the crisis management team (CMT)? (Select TWO.)

Question 96 (hard, multi select)

Which THREE of the following are key activities during the post-incident phase of incident management? (Select THREE.)

Question 97 (easy, multiple choice)

Which component of an incident response programme provides detailed step-by-step instructions for handling a specific type of incident, such as ransomware or data breach?

Question 98 (medium, multiple choice)

During a P1 (critical) security incident, which of the following is the MOST appropriate frequency for providing executive status updates?

Question 99 (hard, multiple choice)

An organization has experienced a ransomware incident that has encrypted critical servers. The incident response team is working on containment. Which communication should the incident manager prioritize FIRST?

Question 100 (medium, multiple choice)

Which post-incident activity involves identifying the technical cause, the process failure that allowed it, and the management/governance failure that permitted the process failure?

Question 101 (easy, multiple choice)

Which incident severity level is characterized by major business impact, requires executive notification, and demands 24/7 response?

Question 102 (medium, multiple choice)

An organization's incident response team has contained a data breach. Legal counsel has advised that litigation is likely. Which of the following actions should the team take to preserve evidence?

Question 103 (hard, multiple choice)

During a major cybersecurity incident, the crisis management team (CMT) has been activated. Which of the following is the PRIMARY responsibility of the CEO as a member of the CMT?

Question 104 (easy, multiple choice)

What is the recommended timeframe for holding a lessons learned meeting after an incident has been resolved?

Question 105 (medium, multiple choice)

Which of the following is a key reason to have a forensic retainer in place before an incident occurs?

Question 106 (hard, multiple choice)

An incident response team is handling a supply chain compromise that has affected a critical business process. The estimated recovery time exceeds the maximum tolerable downtime (MTD). What should the incident manager do NEXT?

Question 107 (medium, multiple choice)

Which of the following is a key objective of sharing threat intelligence, such as indicators of compromise (IoCs), with an Information Sharing and Analysis Center (ISAC)?

Question 108 (easy, multiple choice)

Which incident category involves unauthorized access to systems or data by an individual within the organization?

Question 109 (medium, multiple choice)

An organization has experienced a P2 incident. According to standard incident severity definitions, which response timeframe is typically expected?

Question 110 (hard, multiple choice)

A security analyst suspects a credential compromise involving an executive's account. The analyst has isolated the system. What should be the NEXT step according to best practices?

Question 111 (medium, multiple choice)

Which of the following is the PRIMARY reason to include legal counsel in the incident response team?

Question 112 (medium, multi select)

Which TWO of the following are required components of an incident response programme according to best practices? (Select two.)

Question 113 (hard, multi select)

Which THREE of the following are appropriate members of a crisis management team (CMT) for a major cybersecurity incident? (Select three.)

Question 114 (medium, multi select)

Which TWO of the following are typical notification deadlines for regulatory reporting of a data breach? (Select two.)

Question 115 (hard, multi select)

Which THREE of the following are objectives of a lessons learned meeting after an incident? (Select three.)

Question 116 (easy, multiple choice)

Which component of an incident response program is most likely to include step-by-step technical actions for addressing a specific type of security incident?

Question 117 (medium, multiple choice)

During a P1 (critical) security incident involving a ransomware attack that has encrypted critical servers, which role is primarily responsible for coordinating the overall response and ensuring timely communication to executive leadership?

Question 118 (hard, multiple choice)

During a data breach investigation, the legal counsel advises the incident response team to ensure that communications with external forensic experts are protected by attorney-client privilege. Which action best preserves this privilege?

Question 119 (medium, multiple choice)

After a P2 (high) incident is resolved, the incident response team conducts a lessons learned meeting. Which timeframe is most appropriate for holding this meeting?

Question 120 (medium, multiple choice)

When an incident cannot be resolved within the maximum tolerable downtime (MTD), what is the appropriate action regarding business continuity and disaster recovery (BC/DR)?

Question 121 (easy, multiple choice)

Which incident category typically involves an employee intentionally or accidentally causing harm to the organization's information systems?

Question 122 (hard, multiple choice)

During a P1 incident, the crisis management team (CMT) is activated and meets within the first hour. Which communication practice is most appropriate for the CMT to follow when providing updates to the board of directors?

Question 123 (medium, multiple choice)

Which of the following is the primary purpose of conducting a root cause analysis (RCA) after a security incident?

Question 124 (easy, multiple choice)

In the context of incident severity classification, which of the following best describes a P3 (medium) incident?

Question 125 (medium, multiple choice)

An organization is updating its incident response plan after a major incident. Which post-incident activity should be performed to ensure the plan reflects lessons learned?

Question 126 (hard, multiple choice)

A company discovers a credential compromise affecting multiple user accounts. According to best practices, what is the first step the incident response team should take?

Question 127 (medium, multiple choice)

Under the proposed SEC rules for cybersecurity incident disclosure, what is the timeframe for reporting a material cybersecurity incident?

Question 128 (easy, multiple choice)

Which of the following is an example of an external stakeholder that should be included in the incident response plan's vendor contacts list?

Question 129 (medium, multi select)

Which TWO of the following are key responsibilities of the crisis management team (CMT) during a major cybersecurity incident?

Question 130 (hard, multi select)

Which THREE of the following are essential elements of a forensic evidence handling procedure to ensure admissibility in court?

Question 131 (easy, multiple choice)

Which component of the incident response programme provides step-by-step technical instructions for handling a specific type of security incident?

Question 132 (medium, multiple choice)

During a P1 (critical) incident involving a ransomware attack that has encrypted critical systems, the incident manager needs to provide updates to executives. What is the recommended frequency for situation reports (sitreps)?

Question 133 (hard, multiple choice)

A security analyst discovers that an employee's credentials were used to access a sensitive database containing customer PII. The analyst immediately disables the account and begins remediation. Which incident category best describes this scenario?

Question 134 (medium, multiple choice)

Following containment of a ransomware incident, the incident response team is conducting a root cause analysis. Which method involves repeatedly asking 'why' to drill down to underlying causes?

Question 135 (easy, multiple choice)

What is the primary purpose of having a pre-established forensic retainer agreement with an external forensics firm?

Question 136 (medium, multiple choice)

During a major incident, the crisis management team (CMT) has been activated. Which of the following is typically NOT a member of the CMT?

Question 137 (hard, multiple choice)

An incident response team is handling a P2 (high) incident. According to the incident severity classification, which of the following is the expected response timeframe?

Question 138 (easy, multiple choice)

Which document outlines the overall strategy, roles, and responsibilities for incident response across the organization?

Question 139 (medium, multiple choice)

After a data breach incident, the incident response team must preserve evidence for potential litigation. Which of the following actions should be taken FIRST?

Question 140 (hard, multiple choice)

An organization is required to notify regulators of a material cybersecurity incident within 4 business days. Which regulation imposes this requirement?

Question 141 (medium, multiple choice)

During a DDoS attack, the incident response team determines that the attack cannot be mitigated within the maximum tolerable downtime (MTD). What should happen next?

Question 142 (easy, multiple choice)

Which of the following is the primary reason for conducting a lessons learned meeting after an incident?

Question 143 (medium, multiple choice)

An organization has just experienced a P1 incident. Which of the following communication steps should occur FIRST?

Question 144 (hard, multiple choice)

During a forensic investigation, the external forensics firm discovers evidence that may indicate criminal activity. The incident manager wants to ensure attorney-client privilege is maintained. What should be done?

Question 145 (medium, multiple choice)

Which incident severity level requires executive notification and a 24/7 response?

Question 146 (medium, multi select)

Which TWO of the following are components of an incident response programme?

Question 147 (hard, multi select)

Which TWO of the following are incident categories in an incident management programme?

Question 148 (easy, multi select)

Which THREE of the following are typical roles in an incident response team?

Question 149 (medium, multiple choice)

An organization has experienced a ransomware attack that has encrypted critical servers and is causing major business disruption. According to incident severity levels, which priority should this incident be assigned?

Question 150 (medium, multiple choice)

During a major cybersecurity incident, the incident response team determines that the incident cannot be resolved within the maximum tolerable downtime (MTD). Which of the following actions should be taken next?
