Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
CISM Information Security Risk Management — All Questions With Answers

Complete CISM Information Security Risk Management question bank: all questions with answers and detailed explanations.

95 questions · Free · No signup
Question 1 (medium, multiple choice)

A financial institution is implementing a new online banking platform. The risk assessment identified that the authentication module has a high likelihood of exploitation due to weak password policies. The risk owner has decided to implement multi-factor authentication (MFA) to reduce the risk. This is an example of which risk response strategy?

Question 2 (hard, multiple choice)

An organization has a risk appetite that allows for a maximum residual risk level of 'medium' for all operational risks. A new project introduces a risk with inherent risk level 'high' and control effectiveness rated as 'partially effective'. The risk owner proposes to accept the risk. As the CISM, what is the best course of action?

Question 3 (easy, multiple choice)

During a risk assessment, a CISM identifies that the organization's data backup process has a single point of failure. The backup server is located in the same data center as the primary server. Which risk response is most appropriate?

Question 4 (medium, multiple choice)

A multinational corporation is assessing the risk of data breaches from third-party vendors. The CISM is tasked with selecting a risk treatment strategy. The organization has a low risk appetite for data breaches. Which strategy should be prioritized?

Question 5 (hard, multiple choice)

In a risk assessment, a CISM calculates the annualized loss expectancy (ALE) for a specific threat. The single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE, and which risk response is most cost-effective if a control costs $12,000 per year and reduces ARO to 0.05?

Question 6 (easy, multiple choice)

A company is evaluating its risk management process. The CISM notices that risks are being assessed based on qualitative scales (low, medium, high) but decisions require quantitative data. What is the most effective action to improve the process?

Question 7 (hard, multi select)

Which TWO of the following are key components of an information risk management program, as defined by ISACA? (Select exactly two.)

Question 8 (medium, multi select)

Which THREE of the following are valid risk treatment options according to ISO 31000? (Select exactly three.)

Question 9 (hard, multiple choice)

Refer to the exhibit. A security analyst reviews the firewall configuration and identifies a potential risk. What is the most likely risk?

Exhibit:

```
CISCO ASA Firewall Config Snippet
access-list INSIDE extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list INSIDE extended permit udp 10.0.0.0 255.255.255.0 any eq 53
access-list OUTSIDE extended deny ip any any
```

Question 10 (medium, multiple choice)

Refer to the exhibit. A system administrator reviews the log and notices repeated failed SSH attempts from the same IP address. What is the most appropriate risk response?

Exhibit:

```
Log Entry:
Jan 15 09:23:45 server1 sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
Jan 15 09:23:47 server1 sshd[1235]: Failed password for admin from 10.0.0.5 port 22 ssh2
Jan 15 09:23:50 server1 sshd[1236]: Failed password for root from 10.0.0.5 port 22 ssh2
Jan 15 09:23:52 server1 sshd[1237]: Failed password for admin from 10.0.0.5 port 22 ssh2
```

Question 11 (hard, multiple choice)

You are the CISM for a mid-sized e-commerce company that processes credit card transactions. The company recently experienced a security incident where an attacker exploited a vulnerability in the web application to gain access to the customer database containing payment card information. The incident response team contained the breach, but the root cause analysis revealed that the vulnerability had been identified in a penetration test six months ago but was not remediated due to competing priorities. The company's risk management framework defines risk appetite as 'moderate' for information security risks. The board is concerned and has asked you to recommend improvements to prevent recurrence. The company has a limited budget and cannot implement all possible controls. Current environment: web application developed in-house, hosted on-premises, with a mix of virtual and physical servers. The security team consists of three people responsible for monitoring, incident response, and vulnerability management. The development team follows an agile methodology with bi-weekly sprints. The company has cyber liability insurance that covers breach response costs up to $2 million. Based on this scenario, what is the most effective course of action?

Question 12 (medium, multiple choice)

An organization has implemented a new web application that processes sensitive customer data. The risk assessment identified a high likelihood of SQL injection attacks due to insufficient input validation. Which of the following is the BEST risk treatment strategy?

Question 13 (hard, multi select)

An organization is conducting a risk assessment for a new cloud-based HR system. Which THREE of the following are key considerations when evaluating the inherent risk?

Question 14 (easy, multiple choice)

Based on the exhibit, what is the MOST appropriate next step for the information security manager?

Exhibit:

```
Risk Assessment Log
Date: 2025-03-01
Asset: Database Server DB-01
Threat: Unauthorized access
Vulnerability: Weak password policy
Current Controls: Password complexity enabled, account lockout after 5 failed attempts
Likelihood: 3 (Moderate)
Impact: 4 (Major)
Risk Level: 12 (High)
Risk Appetite Threshold: 10
```

Question 15 (hard, multiple choice)

A multinational corporation is migrating its on-premises data center to a hybrid cloud environment. The organization processes highly sensitive financial data subject to strict regulatory requirements (e.g., GDPR, SOX). During the risk assessment, the information security manager discovers that the cloud service provider (CSP) stores data in multiple geographic regions, some of which do not meet the organization's data residency requirements. Additionally, the CSP's encryption key management is not fully under the organization's control, and the incident response plan does not include specific procedures for cloud-based breaches. The organization's risk appetite is low, and the board has mandated that all risks must be mitigated to an acceptable level. Which of the following is the BEST course of action?

Question 16 (medium, multiple choice)

Which of the following is the PRIMARY reason for an information security manager to integrate risk management into the organization's enterprise risk management (ERM) framework?

Question 17 (hard, multiple choice)

During a risk assessment, an organization identifies a critical vulnerability in a legacy system that cannot be patched. The system's availability is crucial for business operations. Which of the following risk treatment strategies is MOST appropriate?

Question 18 (medium, multi select)

Which of the following are key components of an Information Security Risk Management program? (Select TWO.)

Question 19 (hard, multi select)

An organization has a high residual risk after implementing all feasible controls. According to CISM best practices, which of the following should the information security manager do? (Select TWO.)

Question 20 (medium, multiple choice)

Match each risk assessment activity with the correct phase of the risk management lifecycle:

Activities:
1. Identify assets and threats
2. Determine risk level
3. Select controls to reduce risk
4. Monitor risk over time

Phases:
A. Risk Assessment
B. Risk Treatment
C. Risk Monitoring
D. Risk Communication (not used)

Question 21 (hard, multiple choice)

A security manager is evaluating risk treatment options for a high-risk vulnerability. Drag each option to the correct risk treatment category.

Options:
- Apply a vendor patch
- Purchase cyber insurance
- Decommission the system
- Accept the risk with formal sign-off
- Install a WAF (Web Application Firewall)

Categories:
- Mitigate
- Transfer
- Avoid
- Accept

Question 22 (easy, multiple choice)

Which of the following is the PRIMARY purpose of an information security risk assessment?

Question 23 (medium, multiple choice)

An information security manager has identified a risk with a high likelihood and high impact. The cost of mitigating the risk exceeds the potential loss. What is the MOST appropriate risk treatment strategy?

Question 24 (hard, multiple choice)

During a risk assessment, a security manager discovers that the residual risk after implementing planned controls is still above the risk appetite threshold. What should the manager do NEXT?

Question 25 (medium, multi select)

Which of the following are key components of an information security risk management program? (Select TWO)

Question 26 (hard, multi select)

A security manager is presenting risk analysis results to the board. Which of the following should the manager include to effectively communicate risk? (Select THREE)

Question 27 (medium, drag order)

Order the steps for implementing a security awareness training program.

Question 28 (medium, drag order)

Order the steps for conducting an internal audit of an information security management system (ISMS) based on ISO 27001.

Question 29 (medium, drag order)

Order the steps for implementing a data classification policy in an organization.

Question 30 (medium, matching)

Match each risk management term to its definition.

Definitions to match:
- Risk level before controls are applied
- Risk remaining after controls are implemented
- Amount of risk the organization is willing to accept
- Acceptable variation around the risk appetite
- Process of modifying risk by applying controls

Question 31 (medium, matching)

Match each business continuity term to its definition.

Definitions to match:
- Maximum time to restore a process after disruption
- Maximum age of data that must be recovered
- Plan to maintain business functions during disruption
- Plan to restore IT infrastructure after disaster
- Process to identify critical functions and dependencies

Question 32 (medium, matching)

Match each cryptographic term to its description.

Descriptions to match:
- Uses same key for encryption and decryption
- Uses public/private key pair
- One-way transformation producing fixed-size digest
- Provides authenticity and non-repudiation
- Framework managing digital certificates and keys

Question 33 (easy, multiple choice)

An organization is determining the risk treatment for a critical business process that has a high inherent risk. Which of the following is the MOST effective risk treatment strategy when the cost to mitigate exceeds the potential loss?

Question 34 (medium, multiple choice)

A security manager is conducting a risk assessment for a new cloud-based system. The system will store sensitive customer data. Which of the following should be the FIRST step in the risk assessment process?

Question 35 (hard, multiple choice)

After a data breach, the risk manager discovers that the risk assessment for the affected system had not been updated for two years. The organization's risk management policy requires annual reviews. Which of the following is the MOST significant consequence of this noncompliance?

Question 36 (easy, multiple choice)

A risk manager is presenting risk treatment options to senior management. Which of the following is the BEST approach to communicate risk in a way that supports informed decision-making?

Question 37 (medium, multiple choice)

A company is implementing a risk management program and needs to define risk appetite. Which of the following is the MOST appropriate statement of risk appetite for a financial institution?

Question 38 (hard, multiple choice)

During a risk assessment, the risk team identifies that a key vendor has access to sensitive data. The vendor's security posture is unclear. Which of the following is the BEST course of action?

Question 39 (easy, multiple choice)

Which of the following best describes residual risk?

Question 40 (medium, multiple choice)

A risk manager is evaluating a control that reduces the likelihood of a threat from high to low. The cost of the control is $100,000 annually. The expected loss without the control is $500,000 per year. Which of the following should the risk manager recommend?

Question 41 (hard, multiple choice)

An organization's risk management policy requires a quantitative risk assessment for all new projects. The project team estimates that a data breach could occur once every 5 years with an average loss of $2 million. What is the annualized loss expectancy (ALE)?

Question 42 (easy, multi select)

Which TWO of the following are key components of an information security risk assessment? (Choose two.)

Question 43 (medium, multi select)

Which TWO of the following are valid risk treatment options according to ISO 31000? (Choose two.)

Question 44 (hard, multi select)

Which THREE of the following are common challenges when implementing a risk management program in an organization? (Choose three.)

Question 45 (easy, multiple choice)

A company is implementing a risk management program and needs to identify the most critical assets. Which of the following is the BEST approach to prioritize assets for risk assessment?

Question 46 (medium, multiple choice)

During a risk assessment, an organization identifies that its legacy payment system has a high likelihood of exploitation due to unpatched vulnerabilities. The system is critical for daily operations. Which risk treatment option should the organization PRIMARILY consider?

Question 47 (hard, multiple choice)

A multinational organization is evaluating its risk appetite for a new cloud-based customer relationship management (CRM) system. The system will store personal data across multiple jurisdictions with varying data protection laws. The risk committee has set a risk appetite statement that allows only low residual risk. Which of the following controls is MOST critical to ensure compliance with the risk appetite?

Question 48 (easy, multiple choice)

An organization has recently experienced a data breach due to a misconfigured database. The root cause was a lack of proper change management. As part of the risk management process, what should the organization do NEXT after implementing corrective controls?

Question 49 (medium, multiple choice)

A company is developing a risk treatment plan for a set of identified risks. One risk involves a third-party vendor that hosts critical data. The risk owner recommends accepting the risk. Which of the following conditions would BEST support this decision?

Question 50 (hard, multiple choice)

An organization is implementing a quantitative risk analysis for a critical application. The asset value is $2,000,000. The exposure factor (EF) is 0.25, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

Question 51 (easy, multiple choice)

A risk assessment identifies that the organization's email system has a high likelihood of phishing attacks. The current controls include spam filtering and user awareness training. What should the organization do NEXT to manage this risk effectively?

Question 52 (medium, multiple choice)

During a risk assessment, a company discovers that its data backup process is incomplete: backups are performed daily but stored onsite without encryption. The risk owner proposes to accept this risk due to low likelihood of a physical breach. Which of the following is the BEST reason to challenge this acceptance?

Question 53 (hard, multiple choice)

An organization uses the ISO 31000 risk management framework. During the risk evaluation phase, it determines that a certain risk has a low likelihood but very high impact. The organization's risk appetite is moderate. Which of the following is the MOST appropriate risk treatment decision?

Question 54 (medium, multi select)

Which TWO of the following are key components of a risk assessment report according to best practices? (Choose two.)

Question 55 (hard, multi select)

Which THREE of the following are valid methods to identify information security risks? (Choose three.)

Question 56 (easy, multi select)

Which TWO of the following are examples of risk mitigation controls? (Choose two.)

Question 57 (medium, multiple choice)

A company is choosing a risk assessment methodology for a new cloud-based application. The CISO prefers a method that uses monetary values and numerical probabilities to compute annual loss expectancy. Which methodology should be selected?

Question 58 (hard, multiple choice)

During a risk assessment, an organization identifies that a legacy system processes credit card data and has a high likelihood of being exploited. The cost to remediate the vulnerability is $500,000, while the potential loss from a breach is $2 million with a 30% annual probability. What is the most appropriate risk treatment decision based on this information?

Question 59 (easy, multiple choice)

Which role is primarily responsible for ensuring that information security risks are identified, assessed, and managed within a business unit?

Question 60 (medium, multiple choice)

An organization calculates that the single loss expectancy (SLE) for a server failure is $10,000, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

Question 61 (hard, multiple choice)

A company has a risk appetite that is 'low' for operational risks. A risk assessment recently identified that a high-speed trading platform has a residual risk rating of 'high' after controls are applied. The cost to further reduce the risk is $1 million, which exceeds the expected benefit. What is the most appropriate action for the risk owner?

Question 62 (easy, multiple choice)

Which of the following best describes the difference between risk appetite and risk tolerance?

Question 63 (medium, multiple choice)

After implementing controls, an organization reassesses a risk and finds that the residual risk level exceeds the established risk tolerance. What is the most appropriate next step?

Question 64 (hard, multiple choice)

A security manager is preparing a risk report for the board of directors. Which of the following should be included to best support strategic risk-based decisions?

Question 65 (easy, multiple choice)

Which of the following is the primary purpose of a Key Risk Indicator (KRI)?

Question 66 (medium, multi select)

Which TWO of the following are common approaches to information security risk assessment?

Question 67 (hard, multi select)

Which THREE of the following are essential components of an information security risk management framework?

Question 68 (easy, multi select)

Which TWO of the following are valid risk response options?

Question 69 (hard, multiple choice)

Which host should be prioritized for risk mitigation based on the vulnerability scan results?

Exhibit:

```
Vulnerability Scan Summary Report
11-Jun-2023 04:15:42

Host: 192.168.10.25
Total vulnerabilities: 12
Critical: 2
High: 4
Medium: 3
Low: 3

Host: 192.168.10.30
Total vulnerabilities: 8
Critical: 0
High: 1
Medium: 5
Low: 2

Host: 192.168.10.35
Total vulnerabilities: 20
Critical: 5
High: 6
Medium: 7
Low: 2
```

Question 70 (medium, multiple choice)

An employee emails a spreadsheet containing employee salaries to all staff by mistake. According to the exhibit, what is the minimum handling requirement that was violated?

Exhibit:

```
{
  "dataClassification": {
    "public": {
      "description": "Information that can be disclosed to anyone",
      "handling": "No special protection required"
    },
    "internal": {
      "description": "Information for internal use only",
      "handling": "Must be stored on internal systems, encrypted in transit"
    },
    "confidential": {
      "description": "Sensitive information with legal or contractual obligations",
      "handling": "Must be encrypted at rest and in transit, access on a need-to-know basis"
    },
    "highlyConfidential": {
      "description": "Information that could cause severe reputational damage if disclosed",
      "handling": "All 'confidential' protections plus multifactor authentication, data loss prevention, and quarterly access reviews"
    }
  }
}
```

Question 71 (easy, multiple choice)

Which of the following is the most significant risk in this architecture?

Exhibit:

Network Architecture Description:
- Internet facing web server (DMZ)
- Application server (internal trust zone)
- Database server (restricted zone)
- All zones separated by firewalls
- Admin access to database server requires VPN + jump host
- All traffic from web server to application server encrypted with TLS 1.3
- Application server has direct access to database using SQL authentication
Question 72 (medium, multiple choice)

A financial institution is implementing a risk management program and needs to select a methodology that balances quantitative and qualitative factors, complies with regulatory requirements, and provides a consistent framework for risk assessment across business units. Which methodology would best meet these requirements?

Question 73 (easy, multiple choice)

A data breach has occurred exposing customer personal information. The risk manager needs to select a response to reduce the likelihood of similar incidents. Which risk response is most appropriate?

Question 74 (hard, multiple choice)

After implementing controls, the residual risk is calculated to be at a level that slightly exceeds the risk appetite. The business owner argues that the cost of further mitigation outweighs the benefit. What is the most appropriate action for the risk manager?

Question 75 (medium, multiple choice)

A company is assessing the risk of a critical system outage. The system has a maximum tolerable downtime (MTD) of 2 hours, but the current recovery time objective (RTO) is 4 hours. What is the most appropriate risk treatment?

Question 76 (easy, multiple choice)

A company engages a third-party vendor to process customer data. Which of the following is the most critical step in managing the associated risk?

Question 77 (hard, multiple choice)

A risk manager is aggregating risks across the enterprise and finds that multiple individual risks, each with low impact and low probability, could combine to create a significant risk. What is the best approach to address this?

Question 78 (medium, multiple choice)

An organization selects a control to mitigate a risk, but after implementation, the risk level remains unchanged. What should the risk manager do first?

Question 79 (easy, multiple choice)

Which of the following is the primary purpose of communicating risk assessment results to senior management?

Question 80 (hard, multiple choice)

A risk manager is establishing risk appetite for a new product line. Which of the following best describes the relationship between risk appetite and risk tolerance?

Question 81 (easy, multi select)

Which TWO of the following are risk treatment strategies as defined in ISO 27005?

Question 82 (easy, multi select)

Which TWO of the following are examples of key risk indicators (KRIs) for cybersecurity risk?

Question 83 (medium, multi select)

Which THREE of the following are typical steps in a qualitative risk assessment?

Question 84 (medium, multiple choice)

Based on the exhibit, which risk should be addressed first if the organization has limited resources?

Exhibit: Network Topology

Risk Register Extract:

Question 85 (hard, multiple choice)

A multinational corporation is expanding its cloud infrastructure across multiple regions. The risk team has identified that the shared responsibility model for cloud security is not well understood by business units. After a recent audit, several misconfigurations led to a data exposure incident that affected one region. The CISO wants to implement a risk management program that ensures consistent control across all regions. As the risk manager, what is the most effective course of action to reduce the risk of similar incidents?

Question 86 (hard, multiple choice)

A healthcare organization is merging with another entity and must integrate their IT systems. During due diligence, it is discovered that the acquired company has a high number of unpatched critical vulnerabilities in its electronic health record (EHR) system. The merger timeline is aggressive and the integration team wants to proceed as planned. As the risk manager, what is the best course of action?

Question 87 (medium, multi select)

A financial institution is implementing a risk-based approach to prioritize its information security initiatives. The risk manager has completed a risk assessment and identified several risks with varying impact and likelihood. Which TWO of the following are the most important benefits of using the risk assessment results to determine the order of security projects?

Question 88 (easy, multiple choice)

A small accounting firm with 50 employees recently suffered a ransomware attack that encrypted all client data on its file server. The firm had no backup strategy, and the attackers demanded a ransom for decryption. The firm paid the ransom, but many clients left due to loss of trust. The firm’s owner has now hired you as a part-time risk manager. Your first task is to develop a risk management program. What is the most appropriate initial step?

Question 89 (easy, multiple choice)

A regional hospital is required to comply with the Health Insurance Portability and Accountability Act (HIPAA). During an internal audit, it was discovered that patient electronic health records (EHRs) are transmitted over the internet without encryption. The risk manager has been asked to recommend a risk treatment. Which action should be prioritized to address this finding?

Question 90 (medium, multiple choice)

A large retail chain with hundreds of stores uses point-of-sale (POS) systems that run an outdated operating system. The annual risk assessment identified this as a high-risk issue because the OS is no longer patched and has known vulnerabilities. The business unit manager opposes replacing all POS systems immediately due to cost and potential disruption to operations. As the risk manager, you need to recommend a risk response that balances risk reduction with business continuity. Which strategy is most appropriate?

Question 91 (hard, multiple choice)

A global financial services firm uses a Monte Carlo simulation model to quantify the potential financial impact of cyber events. The model inputs include historical loss data, threat intelligence, and control effectiveness. Over the past year, the model has consistently underestimated actual losses by an average of 40%. The risk manager suspects model risk but the quantitative team argues the model is peer-reviewed. The board is concerned about the accuracy of risk reporting. What is the best course of action for the risk manager?

Question 92 (hard, multiple choice)

A technology startup has grown rapidly and its risk management practices are informal. The CEO has a very high risk appetite and frequently overrides risk management recommendations to accelerate product launches. After a serious data breach involving customer payment information, the board of directors demands a formal risk management program. The risk manager is tasked with changing the risk culture. The startup has limited resources but must meet contractual obligations to protect customer data. What is the most effective first step?

Question 93 (medium, multi select)

An information security manager is implementing a risk management program. Which TWO of the following activities should be performed as part of the risk assessment process?

Question 94 (hard, multiple choice)

Refer to the exhibit. Based on the risk register extract, which risk should the information security manager prioritize for additional treatment?

Exhibit

Risk Register Extract:
Risk ID: R-001
Description: Unauthorized access to sensitive data
Current Controls: Firewall, Access control lists
Inherent Risk: High (Likelihood: 4, Impact: 5)
Residual Risk: Medium (Likelihood: 3, Impact: 4)
Risk Appetite: Low

Risk ID: R-002
Description: Data corruption due to malware
Current Controls: Antivirus software
Inherent Risk: High (Likelihood: 5, Impact: 4)
Residual Risk: High (Likelihood: 4, Impact: 4)
Risk Appetite: Low

Question 95 (easy, multiple choice)

A multinational financial services company is implementing a new regulatory requirement that mandates enhanced encryption for all customer data in transit. The organization currently uses TLS 1.2, but the regulation requires TLS 1.3. The risk owner for the data transmission system is the head of network operations, who believes the current controls are sufficient and argues that upgrading will cause significant downtime and cost. The information security manager has assessed the risk as high due to potential regulatory fines and reputational damage. The risk owner refuses to accept the risk and insists on deferring the upgrade. The organization has a risk appetite statement that accepts moderate residual risk only after explicit approval from the CRO. The escalation process involves the risk management committee. What is the BEST course of action for the information security manager?
