
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CISM Information Security Programme • Complete Question Bank

CISM Information Security Programme — All Questions With Answers

Complete CISM Information Security Programme question bank — all 0 questions with answers and detailed explanations.

165 questions · Free · No signup
Question 1 (medium, multiple choice)

A CISO is evaluating the reporting structure for the information security team. Which reporting line is generally considered MOST effective for ensuring independence and organizational influence?

Question 2 (medium, multiple choice)

An organization is implementing a security controls framework and needs to prioritize which controls to implement first. According to CIS Controls v8, which approach aligns with the principle of 'implementation groups'?

Question 3 (hard, multiple choice)

During a third-party risk assessment, the security team discovers that a critical vendor's sub-supplier (nth party) has access to sensitive data. The vendor contract does not address nth-party risk. What is the BEST course of action?

Question 4 (easy, multiple choice)

Which of the following is a LEADING indicator of security performance?

Question 5 (medium, multiple choice)

An information security manager is designing a security awareness program. Which approach BEST addresses the different learning needs of various employee groups?

Question 6 (hard, multiple choice)

A security manager needs to justify an increase in the security budget. Which metric is MOST compelling to demonstrate the value of security investments to the board?

Question 7 (medium, multiple choice)

Which control family from NIST SP 800-53 is MOST directly associated with ensuring that users have appropriate access rights?

Question 8 (medium, multiple choice)

An organization is designing a security operations center (SOC). Which of the following functions is PRIMARILY responsible for analyzing alerts and determining if they represent genuine threats?

Question 9 (easy, multiple choice)

What is the PRIMARY purpose of a security champions program?

Question 10 (medium, multiple choice)

A security manager is selecting a controls framework for a new organization. Which framework provides the most granular control families and is widely used for US federal agencies?

Question 11 (hard, multiple choice)

A company maintains a security scorecard for the executive team. Which metric is MOST appropriate to include as a leading indicator on a one-page dashboard?

Question 12 (medium, multiple choice)

In the context of defense-in-depth, which control provides protection at the network layer to prevent unauthorized access?

Question 13 (medium, multi-select)

An organization is designing a vendor tiering process for its third-party risk management program. Which TWO factors are MOST appropriate for determining a vendor's risk tier?

Question 14 (hard, multi-select)

A security manager is developing a set of objectives and key results (OKRs) for the security program. Which THREE would be considered effective security OKRs?

Question 15 (medium, multi-select)

Which TWO budget components are considered 'services' in a typical security budget?

Question 16 (medium, multiple choice)

A CISO is designing the security organization for a financial services firm. Which reporting structure is most likely to ensure the independence and authority of the information security function?

Question 17 (easy, multiple choice)

Which of the following security team roles is primarily responsible for designing and implementing security solutions to protect an organization's systems and data?

Question 18 (hard, multiple choice)

An organization is implementing a security controls framework and must decide on prioritization. According to defense-in-depth principles, which approach should be taken first?

Question 19 (medium, multiple choice)

Which of the following is a leading indicator for security performance?

Question 20 (medium, multiple choice)

A security awareness program includes phishing simulations. Which metric best measures the long-term effectiveness of the program?

Question 21 (easy, multiple choice)

In a vendor tiering system for third-party risk management, which factor is most critical for determining the tier?

Question 22 (hard, multiple choice)

An organization's security budget is 12% of the IT budget. Which of the following best describes the maturity of this security program?

Question 23 (medium, multiple choice)

A security manager is designing an executive security report. Which content is most appropriate for a one-page C-suite dashboard?

Question 24 (medium, multiple choice)

Which control selection framework includes implementation groups (IG1, IG2, IG3) that help organizations prioritize controls based on their risk profile?

Question 25 (hard, multiple choice)

A company wants to establish a security champions program. What is the primary benefit of embedding security champions in development teams?

Question 26 (easy, multiple choice)

Which of the following is a key objective of a Security Operations Center (SOC)?

Question 27 (medium, multiple choice)

An organization is implementing a data security program. Which of the following is the most effective approach to protect sensitive data at rest?

Question 28 (medium, multi-select)

A CISO is evaluating security metrics for reporting to the board. Which TWO of the following are leading indicators?

Question 29 (hard, multi-select)

A company is designing a third-party risk management (TPRM) program. Which THREE of the following are essential components of the ongoing monitoring phase for a critical vendor?

Question 30 (easy, multi-select)

Which TWO of the following are typical components of a security awareness program?

Question 31 (easy, multiple choice)

Which of the following is a leading indicator of security program effectiveness?

Question 32 (medium, multiple choice)

An organization is implementing a security controls framework and needs to prioritize controls for a small business with limited resources. Which implementation group from CIS Controls v8 should be addressed first?

Question 33 (medium, multiple choice)

A CISO is designing a security scorecard for the board of directors. Which metric is most appropriate to include for a one-page executive dashboard?

Question 34 (hard, multiple choice)

An organization is designing a third-party risk management (TPRM) program. They have identified a vendor that stores sensitive customer data. According to best practices, what should be the minimum requirement for this vendor's contract?

Question 35 (easy, multiple choice)

Which control family in NIST SP 800-53 addresses the identification and authentication of users?

Question 36 (medium, multiple choice)

A security architect is designing a defense-in-depth strategy. Which combination of controls best exemplifies this approach?

Question 37 (medium, multiple choice)

In a security awareness program, which training approach is most appropriate for software developers?

Question 38 (hard, multiple choice)

A CISO is preparing the security budget for the next fiscal year. The current IT budget is $10 million. For a mature security program, what is the recommended security budget range?

Question 39 (medium, multiple choice)

An organization is implementing a security champions program. Which of the following is the primary benefit of such a program?

Question 40 (medium, multiple choice)

Which metric is considered a lagging indicator of security program performance?

Question 41 (hard, multiple choice)

A company is assessing nth-party risk from a critical cloud provider. Which approach should be taken to manage this risk effectively?

Question 42 (easy, multiple choice)

Which role is primarily responsible for designing and reviewing an organization's security architecture?

Question 43 (medium, multi-select)

An organization is defining objectives and key results (OKRs) for the security program. Which TWO of the following are examples of leading indicators that could be used as key results?

Question 44 (hard, multi-select)

A company is implementing a vendor tiering system for third-party risk management. Which TWO factors should be used to determine the tier of a vendor?

Question 45 (easy, multi-select)

Which THREE of the following are components of a security operations center (SOC)?

Question 46 (medium, multiple choice)

An organization is redesigning its information security program to better align with business objectives. The CISO reports to the CIO, but business leaders feel security decisions are too IT-centric. Which reporting structure would best address this concern?

Question 47 (easy, multiple choice)

Which security control framework is organized into Implementation Groups (IG1, IG2, IG3) based on organizational risk profile and resources?

Question 48 (hard, multiple choice)

A security manager is developing metrics for the C-suite dashboard. Which combination of metrics would provide the best view of security program effectiveness, including both leading and lagging indicators?

Question 49 (medium, multiple choice)

During a third-party risk assessment, the security team discovers that a critical vendor has subcontracted data processing to another company without notification. This represents which type of risk?

Question 50 (medium, multiple choice)

An organization wants to implement a defense-in-depth strategy for its web application. Which set of controls best exemplifies this approach?

Question 51 (easy, multiple choice)

Which role is primarily responsible for developing and maintaining the organization's security architecture?

Question 52 (hard, multiple choice)

A security manager needs to justify an increase in the security budget to the board. The current budget is 0.15% of revenue. Which approach would most effectively demonstrate the need for additional funding?

Question 53 (medium, multiple choice)

Which of the following is a leading indicator for measuring the effectiveness of a security awareness program?

Question 54 (medium, multiple choice)

An organization is implementing a security champions program. What is the primary purpose of this initiative?

Question 55 (medium, multiple choice)

When selecting security controls, a company must prioritize which controls first?

Question 56 (hard, multiple choice)

A company uses a SaaS provider that processes sensitive customer data. The provider undergoes annual SOC 2 audits. Which additional step is essential to manage nth-party risk?

Question 57 (easy, multiple choice)

What is the primary function of a Security Operations Center (SOC)?

Question 58 (medium, multi-select)

Which TWO metrics are considered leading indicators for information security program performance?

Question 59 (medium, multi-select)

Which THREE components are essential for a comprehensive third-party risk management (TPRM) program?

Question 60 (hard, multi-select)

Which TWO are key elements of a security awareness program designed to change employee behavior?

Question 61 (easy, multiple choice)

An information security manager is designing the reporting structure for the CISO. Which reporting structure is most likely to ensure independence and adequate authority for the security function?

Question 62 (easy, multiple choice)

Which of the following is a leading indicator for measuring the effectiveness of a security awareness program?

Question 63 (medium, multiple choice)

A large organization is implementing a security controls framework and wants to prioritize controls that provide the greatest risk reduction with the least operational friction. Which approach should the security manager adopt?

Question 64 (medium, multiple choice)

A security manager is developing metrics for the executive dashboard. Which combination of metrics provides a balanced view of security program performance?

Question 65 (medium, multiple choice)

An organization is implementing a third-party risk management (TPRM) program. Which approach best addresses nth-party risk?

Question 66 (medium, multiple choice)

Which of the following best describes the role of a security architect in a security program?

Question 67 (easy, multiple choice)

Which of the following is a key objective of implementing a security champions program?

Question 68 (hard, multiple choice)

A security manager needs to justify an increase in the security budget. Which approach provides the strongest quantitative justification?

Question 69 (hard, multiple choice)

A company has implemented a security awareness program with quarterly phishing simulations. The click rate has remained at 15% for the past two quarters. What is the most effective next step?

Question 70 (medium, multiple choice)

Which control framework is most appropriate for an organization that wants a prioritized set of controls based on implementation groups (IG1, IG2, IG3)?

Question 71 (easy, multiple choice)

What is the primary purpose of a vulnerability management program?

Question 72 (hard, multiple choice)

An organization's SOC team is measured on mean time to detect (MTTD) and mean time to respond (MTTR). The security manager notices that MTTD is low but MTTR is high. What is the most likely cause?

Question 73 (medium, multi-select)

A security manager is selecting controls for a new application. Which TWO controls are most important to include in a defense-in-depth strategy? (Select TWO)

Question 74 (medium, multi-select)

Which THREE elements are essential components of a third-party risk management (TPRM) program? (Select THREE)

Question 75 (hard, multi-select)

A security manager is developing OKRs for the security team. Which TWO key results are appropriate leading indicators? (Select TWO)

Question 76 (easy, multiple choice)

Which of the following is the BEST reporting structure for a CISO to ensure independent oversight and alignment with business strategy?

Question 77 (medium, multiple choice)

An organization is implementing a defense-in-depth strategy. Which of the following control combinations BEST exemplifies this approach?

Question 78 (hard, multiple choice)

A financial institution uses CIS Controls v8 and must prioritize implementation. The organization has limited resources and high exposure to ransomware. Which implementation group should be addressed FIRST?

Question 79 (medium, multiple choice)

A CISO wants to present a high-level security status to the board using a one-page dashboard. Which of the following metrics is MOST appropriate for this audience?

Question 80 (medium, multiple choice)

A company is designing its security awareness program. Which approach BEST addresses the need for role-based training?

Question 81 (easy, multiple choice)

Which of the following is a leading indicator of security program effectiveness?

Question 82 (hard, multiple choice)

During third-party risk assessment, a vendor is found to have access to sensitive customer data. The vendor's own supply chain includes a critical fourth-party component. What is the BEST way to address this nth-party risk?

Question 83 (medium, multiple choice)

An organization's security budget is 8% of the IT budget. Industry benchmarks suggest 10-15% for mature programs. Which of the following should the CISO do FIRST to justify an increase?

Question 84 (medium, multiple choice)

In a security operations center (SOC), which function is PRIMARILY responsible for analyzing alerts and determining whether they represent actual security incidents?

Question 85 (easy, multiple choice)

Which of the following is the PRIMARY purpose of a security champions program?

Question 86 (hard, multiple choice)

An organization uses ISO 27001 Annex A as its control framework. During a risk assessment, a control weakness is identified that could lead to a high-impact data breach. However, implementing the recommended control is cost-prohibitive. Which approach BEST addresses this situation?

Question 87 (medium, multiple choice)

A CISO is evaluating a cloud provider's security posture. Which of the following should be the MOST important consideration in the vendor risk assessment?

Question 88 (medium, multi-select)

A security manager is designing a metrics dashboard for the CISO. Which TWO metrics are leading indicators of security performance? (Select TWO)

Question 89 (hard, multi-select)

An organization is implementing a vendor tiering program for third-party risk management. Which TWO criteria should be used to classify vendors into high, medium, or low risk tiers? (Select TWO)

Question 90 (medium, multi-select)

A security awareness program includes phishing simulations. Which THREE factors should be considered when designing the simulation frequency and difficulty? (Select THREE)

Question 91 (easy, multiple choice)

Which of the following is a leading indicator of security program effectiveness?

Question 92 (easy, multiple choice)

When implementing security controls, which approach ensures that multiple layers of defense are applied so that if one control fails, others compensate?

Question 93 (medium, multiple choice)

An organization's CISO reports to the CIO. The CISO is concerned that security initiatives are often deprioritized due to conflicts of interest. Which reporting structure would best address this concern?

Question 94 (medium, multiple choice)

A company is selecting a security control framework. They want a prioritized set of controls that are implementation group-based and address common cyber threats. Which framework best meets these requirements?

Question 95 (medium, multiple choice)

A security awareness manager is designing role-based training. Which training is most appropriate for software developers?

Question 96 (medium, multiple choice)

In a vendor risk assessment, a third-party vendor will have access to sensitive customer data. According to TPRM best practices, what should the organization do first?

Question 97 (medium, multiple choice)

A security dashboard is being designed for the C-suite. Which metric is most appropriate for a one-page executive summary?

Question 98 (medium, multiple choice)

An organization wants to establish a security champions program. What is the primary benefit of embedding security advocates in development teams?

Question 99 (hard, multiple choice)

A mature security program allocates 12% of IT budget to security. Which combination of budget components is most balanced for a program seeking to improve detection and response capabilities?

Question 100 (hard, multiple choice)

A security manager is evaluating OKRs for the vulnerability management team. Which key result best aligns with an objective to reduce risk from vulnerabilities?

Question 101 (hard, multiple choice)

When designing phishing simulations, which approach best balances user learning and operational disruption?

Question 102 (hard, multiple choice)

A company is implementing a third-party risk management program and needs to prioritize vendors for assessment. Which factor should be given the highest weight?

Question 103 (medium, multi-select)

Which TWO of the following are key components of a security operations center (SOC)? (Select TWO)

Question 104 (medium, multi-select)

An organization is selecting security controls from NIST SP 800-53. Which TWO control families are most directly related to access control? (Select TWO)

Question 105 (hard, multi-select)

A security manager is building a business case for additional security budget. Which THREE justifications are most effective for obtaining executive approval? (Select THREE)

Question 106 (easy, multiple choice)

A CISO is deciding on the organizational structure for the information security team. Which reporting structure is most likely to ensure the security function has sufficient independence and authority?

Question 107 (medium, multiple choice)

An organization is implementing a defense-in-depth strategy. Which of the following is the BEST example of a compensating control?

Question 108 (hard, multiple choice)

An information security manager is developing a security scorecard for the board. Which combination of metrics BEST provides a balanced view of security program effectiveness?

Question 109 (medium, multiple choice)

A company is designing a security awareness program. Which approach is MOST effective for ensuring that employees apply security principles in their daily work?

Question 110 (easy, multiple choice)

Which control framework is structured around Implementation Groups (IG1, IG2, IG3) to help organizations prioritize security controls based on risk?

Question 111 (hard, multiple choice)

An organization's third-party risk management program has been in place for two years. Which of the following is the MOST critical action to ensure the program remains effective?

Question 112 (medium, multiple choice)

A company is developing security metrics to present to the C-suite. Which metric is a leading indicator of security performance?

Question 113 (medium, multiple choice)

An information security manager is asked to justify an increase in the security budget. Which approach BEST demonstrates the value of the security program?

Question 114 (easy, multiple choice)

Which security team role is primarily responsible for defining and maintaining security architecture standards?

Question 115 (hard, multiple choice)

An organization with a mature security program allocates 12% of its IT budget to security. Which factor is MOST likely to support this level of investment?

Question 116 (medium, multiple choice)

A SOC analyst receives an alert about a potential malware infection on a critical server. Which step should the analyst take FIRST?

Question 117 (medium, multiple choice)

When selecting security controls based on NIST SP 800-53, which control family is MOST directly related to protecting the confidentiality of data?

Question 118 (easy, multi-select)

Which TWO of the following are components of a typical vulnerability management program?

Question 119 (medium, multi-select)

Which THREE of the following are key activities in a third-party risk management (TPRM) program?

Question 120 (hard, multi-select)

Which TWO of the following are characteristics of a security champions program that contribute to its effectiveness?

Question 121 (easy, multiple choice)

In designing a security programme for a mid-sized enterprise, the CISO is deciding which security framework to adopt for control selection. Which of the following frameworks is specifically structured around implementation groups (IG1, IG2, IG3) to help organizations prioritize controls based on risk and maturity?

Question 122 (medium, multiple choice)

A security awareness program includes phishing simulations. After six months, the click rate has decreased from 15% to 8%, but the number of reported phishing emails has also dropped. The CISO wants to measure the effectiveness of the program. Which metric would best indicate sustained improvement in security behavior?

Question 123 (medium, multiple choice)

An organization is implementing a vendor risk management program. A vendor that provides cloud-based HR services will have access to employee PII. According to industry best practices, what should be the first step in the vendor lifecycle?

Question 124 (hard, multiple choice)

A CISO is preparing an executive dashboard for the board of directors. Which combination of metrics would provide the most meaningful overview of the security programme's effectiveness?

Question 125 (medium, multiple choice)

In a defence-in-depth strategy, which control is considered a compensating control when a critical application cannot be patched immediately due to operational constraints?

Question 126 (easy, multiple choice)

Which role within a security team is primarily responsible for designing and reviewing security architectures to ensure alignment with business requirements and security standards?

Question 127 (medium, multiple choice)

An organization is developing a security scorecard for the CISO. Which of the following is a leading indicator that would be most useful for predicting future security incidents?

Question 128 (hard, multiple choice)

A CISO is planning the security programme budget and wants to justify the investment to the CFO. The organization has a moderate risk appetite and an IT budget of $10 million. What is the most appropriate budget range for the security programme based on industry benchmarks?

Question 129 (easy, multiple choice)

Which of the following is the primary objective of a security champions programme?

Question 130 (medium, multiple choice)

In a third-party risk management programme, what is the primary purpose of vendor tiering?

Question 131 (hard, multiple choice)

During a security architecture review, the security architect identifies that a new application stores sensitive customer data in plaintext in the database. The application owner argues that performance requirements prevent encryption. What is the most appropriate compensating control to reduce risk?

Question 132 (medium, multiple choice)

An organization wants to measure the effectiveness of its security awareness programme. Which metric is a leading indicator of improved security culture?

Question 133 (medium, multi select)

A CISO is developing key risk indicators (KRIs) for the security programme. Which TWO of the following are lagging indicators? (Select TWO.)

Question 134 (hard, multi select)

A multinational organization is implementing a vendor risk management programme. Which THREE of the following should be included in the programme to effectively manage nth-party risk? (Select THREE.)

Question 135 (easy, multi select)

In designing a security operations centre (SOC), which TWO functions are core to the SOC's responsibilities? (Select TWO.)

Question 136 (easy, multiple choice)

Which of the following is the PRIMARY purpose of a security awareness program?

Question 137 (medium, multiple choice)

An organization is implementing a defense-in-depth strategy. Which of the following control combinations BEST exemplifies this principle?

Question 138 (medium, multiple choice)

A CISO is presenting security metrics to the board. Which of the following metrics would be MOST relevant for a one-page executive dashboard?

Question 139 (hard, multiple choice)

An organization uses CIS Controls v8. They are a small business with limited cybersecurity resources. Which implementation group (IG) should they prioritize?

Question 140 (medium, multiple choice)

A security manager is selecting controls for a new application. Which of the following is the BEST approach for prioritization?

Question 141 (easy, multiple choice)

Which of the following is a LEADING indicator of security performance?

Question 142 (medium, multiple choice)

A company is designing a third-party risk management (TPRM) program. Which factor should PRIMARILY determine the tier of a vendor?

Question 143 (hard, multiple choice)

An information security manager needs to justify a budget increase. Which approach would be MOST effective for gaining executive approval?

Question 144 (medium, multiple choice)

Which of the following BEST describes the role of a security architect in a security program?

Question 145 (easy, multiple choice)

Which of the following is the PRIMARY benefit of a security champions program?

Question 146 (hard, multiple choice)

An organization uses ISO 27001 Annex A controls. During a risk assessment, they identify a need for a compensating control because the primary control is not feasible. What should the security manager do FIRST?

Question 147 (medium, multiple choice)

Which of the following metrics would be MOST useful for measuring the effectiveness of a phishing simulation program?

Question 148 (medium, multi select)

An organization is developing a vendor risk management program. Which TWO of the following should be included in the vendor onboarding risk assessment?

Question 149 (hard, multi select)

A security manager is developing a security scorecard for the CISO. Which THREE of the following metrics are considered LEADING indicators?

Question 150 (medium, multi select)

An organization is designing a security awareness program. Which TWO of the following should be included for developers?

Question 151 (easy, multiple choice)

A security manager is designing a security awareness program for a mid-sized organization. Which of the following is the MOST effective approach to ensure that training is relevant to different employee roles?

Question 152 (medium, multiple choice)

An organization is implementing a security controls framework based on NIST SP 800-53. The CISO wants to prioritize controls that will provide the greatest risk reduction for critical assets. Which approach should be used to select the initial set of controls?

Question 153 (medium, multiple choice)

A security manager is developing a security scorecard for the C-suite. Which combination of metrics would be MOST appropriate for a one-page dashboard?

Question 154 (hard, multiple choice)

An organization with a mature security program is reviewing its budget allocation. The board has asked the CISO to justify a proposed increase. Which of the following provides the STRONGEST justification for the security budget?

Question 155 (easy, multi select)

A security architect is designing a defense-in-depth strategy for a financial institution. Which TWO of the following are essential components of a defense-in-depth approach?

Question 156 (medium, multi select)

A CISO is establishing a vendor risk management (TPRM) program. Which THREE of the following are key components of an effective TPRM program?

Question 157 (medium, multi select)

A security manager is designing a security awareness program. Which TWO metrics are leading indicators of program effectiveness?

Question 158 (medium, multi select)

An organization is implementing CIS Controls v8. Which THREE of the following are implementation groups (IGs) defined in the CIS Controls?

Question 159 (medium, multi select)

A CISO is building a security operations center (SOC). Which TWO of the following are primary functions of a SOC?

Question 160 (hard, multi select)

An organization is implementing a security champions program to improve application security. Which THREE of the following are key success factors for such a program?

Question 161 (hard, multi select)

A security manager is designing a security budget for a mid-sized company. Which TWO of the following are typical components of a security budget?

Question 162 (easy, multi select)

A security architect is selecting controls for an e-commerce platform. Which TWO of the following are examples of compensating controls?

Question 163 (medium, multi select)

A CISO is evaluating metrics for an executive security report. Which TWO of the following are lagging indicators?

Question 164 (hard, multi select)

An organization is implementing an identity and access management (IAM) program. Which THREE of the following are key components of a mature IAM program?

Question 165 (medium, multi select)

A security manager is designing a vulnerability management program. Which TWO of the following are essential processes?
