Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CISM Information Security Governance • Complete Question Bank

CISM Information Security Governance — All Questions With Answers

Complete CISM Information Security Governance question bank: all 92 questions with answers and detailed explanations.

92 questions. Free, no signup required.
Question 1 (medium, multiple choice)

A multinational corporation is implementing an information security governance framework. The board has requested a mechanism to ensure that security investments align with business objectives. Which of the following is the BEST approach to achieve this alignment?

Question 2 (easy, multiple choice)

A newly appointed CISO wants to establish an information security governance committee. What is the PRIMARY purpose of this committee?

Question 3 (hard, multiple choice)

A financial services firm has a mature information security program but is struggling to demonstrate the value of security investments to the board. Which metric would BEST communicate the effectiveness of the security program in business terms?

Question 4 (medium, multiple choice)

During a merger, the acquiring company's CISO must integrate the security governance of the target company. The target company has no formal security governance. What is the FIRST step the CISO should take?

Question 5 (easy, multiple choice)

An organization's security governance committee has approved a new security policy. What is the NEXT critical step to ensure the policy's effectiveness?

Question 6 (hard, multiple choice)

A healthcare organization is developing an information security strategy. The board has mandated that the strategy must support innovation while protecting patient data. Which governance approach BEST balances these priorities?

Question 7 (easy, multiple choice)

Which of the following is the PRIMARY role of the board of directors in information security governance?

Question 8 (medium, multiple choice)

An organization has a decentralized security governance model. The CISO is struggling to enforce consistent security policies across business units. What is the BEST approach to improve consistency?

Question 9 (hard, multiple choice)

A company is considering outsourcing its security operations center (SOC). Which governance consideration is MOST critical before finalizing the decision?

Question 10 (medium, multi select)

Which TWO of the following are key components of an information security governance framework? (Choose two.)

Question 11 (hard, multi select)

Which THREE of the following are essential roles in an effective information security governance structure? (Choose three.)

Question 12 (easy, multi select)

Which TWO of the following are primary objectives of information security governance? (Choose two.)

Question 13 (hard, multiple choice)

You are the CISO of a mid-sized e-commerce company with 500 employees. The company recently suffered a data breach where an attacker exfiltrated customer credit card data from the production database. The investigation revealed that the breach originated from a compromised developer workstation. The developer had been granted direct access to the production database for troubleshooting purposes, a practice that had been in place for years. The security governance framework currently lacks a formal process for managing privileged access. The board has asked for immediate improvements to prevent recurrence. Which course of action BEST addresses the governance gap?

Question 14 (medium, multiple choice)

You are the IT governance officer at a regional bank with 1,200 employees. The bank has a security policy that requires annual security awareness training for all staff. However, the compliance rate is only 60%. The board is concerned about regulatory risk and wants to improve compliance. The current training is a generic online module that takes 30 minutes to complete. Employees complain that the training is boring and not relevant to their roles. The training is managed by the HR department, which sends reminders but does not enforce consequences. Which of the following is the BEST course of action to improve training compliance and governance?

Question 15 (medium, multiple choice)

An organization is implementing a new cloud-based ERP system. Which of the following is the MOST important action for the information security manager to ensure alignment with the organization's risk appetite?

Question 16 (hard, multiple choice)

A multinational corporation is designing its information security governance framework. The board has requested a single metric that best indicates the effectiveness of the security program. Which metric would BEST satisfy this request?

Question 17 (easy, multiple choice)

An information security manager is developing a security strategy for a financial institution. Which of the following should be the PRIMARY driver for selecting security controls?

Question 18 (hard, multiple choice)

During an audit, it was found that the organization's information security policy is not being followed by business units. Which of the following is the MOST effective way for the information security manager to improve compliance?

Question 19 (medium, multiple choice)

An organization has decided to adopt a risk-based approach to information security. What is the FIRST step the information security manager should take to implement this approach?

Question 20 (hard, multi select)

Which TWO of the following are key responsibilities of an information security governance committee?

Question 21 (medium, multi select)

Which THREE of the following are essential components of an information security governance framework?

Question 22 (hard, multiple choice)

You are the information security manager for a mid-sized e-commerce company with 500 employees. The company recently experienced a data breach where an attacker exploited a vulnerability in a third-party payment processing API, resulting in the exposure of 10,000 customer credit card numbers. The breach was detected by an external forensics team 90 days after the initial compromise. The board is concerned about the company's ability to detect and respond to incidents. Currently, the company has a part-time security team of three people who focus on firewall management and antivirus updates. There is no formal incident response plan, and security monitoring is limited to basic log review once a week. The CISO has asked you to recommend a course of action to improve the security posture, with a focus on governance and oversight. Which of the following is the BEST course of action?

Question 23 (medium, multiple choice)

A multinational corporation is implementing a risk-based approach to information security governance. The chief information security officer (CISO) has been asked to prioritize security initiatives based on business impact. Which of the following actions should the CISO take FIRST to align security governance with business objectives?

Question 24 (easy, multi select)

A security audit has identified several governance weaknesses. Which TWO of the following are most likely to indicate a lack of effective information security governance? (Choose two.)

Question 25 (hard, multiple choice)

Refer to the exhibit. A security analyst reviews the ACL on the organization's border router. Based on the exhibit, which of the following is the MOST significant governance concern?

Exhibit (access control list configured on the border router):

```
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
```
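The list in the exhibit, evaluated mechanically. This is an added example and is not part of the question or its explanation: a small Python parser for Cisco-style extended ACL entries that applies first-match semantics (with the implicit deny at the end of every Cisco ACL) to constructed sample source addresses. It assumes the list is applied as a source-address filter on the border router, which the exhibit does not state. It only shows what the entries do, namely drop packets from the five listed source ranges and permit every other source, and leaves the governance question itself to the reader.

```python
import ipaddress

# Constructed copy of the exhibit's ACL. Where it is applied (and in which
# direction) is not stated in the exhibit; the evaluation below treats each
# entry as a source/destination filter with Cisco first-match semantics.
EXHIBIT_ACL = """\
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
"""


def _parse_addr(tokens, i):
    """Parse one address spec ('any', 'host A', or 'A WILDCARD') at tokens[i].

    Returns (IPv4Network, index of the next unread token). A Cisco wildcard
    mask is the bitwise inverse of a netmask; a non-contiguous wildcard makes
    ip_network() raise ValueError, which is acceptable for this toy parser.
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Turn 'access-list N permit|deny PROTO SRC DST' lines into (action, proto, src, dst)."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue  # blank line, remark, or a form this parser does not cover
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        aces.append((action, proto, src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip="203.0.113.10", proto="ip"):
    """First matching entry wins; with no match, Cisco's implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, ace_proto, src_net, dst_net in aces:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if s in src_net and d in dst_net:
            return action
    return "deny"


def denied_source_ranges(aces):
    """The source prefixes the list drops, in CIDR form."""
    return [str(src) for action, _, src, _ in aces if action == "deny"]


def ends_with_permit_any(aces):
    """True when the last explicit entry permits all IP traffic, i.e. the list is default-allow."""
    action, proto, src, dst = aces[-1]
    return action == "permit" and proto == "ip" and src.prefixlen == 0 and dst.prefixlen == 0


if __name__ == "__main__":
    acl = parse_acl(EXHIBIT_ACL)
    print("dropped source ranges:", denied_source_ranges(acl))
    print("default-allow tail:", ends_with_permit_any(acl))
    # Constructed sample sources: RFC 1918, loopback, the 0/8 block, link-local,
    # shared address space (RFC 6598) and an ordinary public address.
    for ip in ["10.1.2.3", "172.31.255.1", "172.32.0.1", "192.168.5.5",
               "127.0.0.1", "0.5.0.1", "169.254.1.1", "100.64.0.1", "8.8.8.8"]:
        print(f"{ip:>14} -> {evaluate(acl, ip)}")
```

Running it shows that 172.32.0.1, 169.254.1.1 and 100.64.0.1 all fall through to the final `permit ip any any`, which is the kind of concrete fact a reviewer wants in hand before arguing about what the list was meant to enforce.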

Question 26 (medium, drag order)

Arrange the steps for responding to a data breach involving personally identifiable information (PII).

Question 27 (medium, drag order)

Arrange the steps for deploying a security patch to critical servers in a production environment.

Question 28 (medium, matching)

Match each security control type to its example.

Descriptions:

Firewall blocking unauthorized traffic

Intrusion detection system alerting on anomalies

Restoring system from backup after breach

Security warning banners on login

Additional authentication for legacy systems

Question 29 (medium, matching)

Match each security metric to its description.

Descriptions:

Average time to detect an incident

Average time to remediate an incident

Average time between system failures

Contractual commitment for service levels

Indicator of risk level change

Question 30 (easy, multiple choice)

A company's information security manager is tasked with ensuring that security initiatives align with business goals. Which of the following best demonstrates this alignment?

Question 31 (easy, multiple choice)

An organization has recently experienced a data breach due to an insider threat. The board has requested an update on governance improvements. Which of the following should the information security manager recommend first?

Question 32 (easy, multiple choice)

An information security manager is evaluating the effectiveness of the organization's security governance. Which of the following metrics would best indicate that governance processes are functioning properly?

Question 33 (medium, multiple choice)

A multinational corporation is establishing an information security governance framework. The board has approved a top-down approach where security policies are created at the corporate level and adapted locally. Which of the following is a key benefit of this approach?

Question 34 (medium, multiple choice)

After a security incident, the board holds the CISO accountable. The CISO argues that the incident was caused by a failure in the third-party risk management process. Which of the following governance deficiencies is most likely the root cause?

Question 35 (medium, multiple choice)

An information security manager is preparing a report for the board on the state of information security governance. Which of the following elements is most important to include in the report?

Question 36 (hard, multiple choice)

A financial institution is restructuring its information security governance to comply with a new regulatory requirement that mandates a formal risk appetite statement. The board has conflicting views on the level of risk to accept. Which of the following should the information security manager do to facilitate the definition of risk appetite?

Question 37 (hard, multiple choice)

A company's information security manager notices that several business units have implemented shadow IT systems that bypass the central security governance. Which of the following governance strategies would most effectively address this issue in the long term?

Question 38 (hard, multiple choice)

During a merger, the acquiring company's board insists on integrating the target company's information security governance into its own within 90 days. However, the target has a significantly different risk culture and lacks documented policies. What is the most critical governance risk in this scenario?

Question 39 (easy, multi select)

Which TWO of the following are primary responsibilities of the board of directors in information security governance?

Question 40 (medium, multi select)

Which TWO of the following are key indicators that an organization's information security governance is effective?

Question 41 (hard, multi select)

Which THREE of the following are essential components of a mature information security governance framework?

Question 42 (easy, multiple choice)

Refer to the exhibit. A security manager notices that several contractors have been granted access to a financial system without documented exceptions. Based on the policy, what is the most likely governance deficiency?

Exhibit:

```
Policy: Access Control
Effective Date: 2024-01-01
Review Date: 2024-12-31
Owner: CISO
Scope: All employees and contractors

Statement: Access to internal systems must be granted based on the principle of least privilege. Exceptions must be approved by the data owner and documented.
```

Question 43 (medium, multiple choice)

Refer to the exhibit. An information security manager reviews the risk register and sees that Risk ID R001 has a residual risk of High with a treatment of Accept. Which of the following best explains why this situation may indicate a governance failure?

Exhibit:

```
Risk Register Excerpt:
Risk ID: R001
Risk Description: Unauthorized disclosure of sensitive customer data due to weak encryption.
Inherent Risk: High
Control Effectiveness: Partially effective
Residual Risk: High
Risk Owner: CISO
Risk Treatment: Accept
```

Question 44 (hard, multiple choice)

Refer to the exhibit. The audit finding reveals a deficiency in which critical aspect of information security governance?

Exhibit:

```
Audit Finding Report:
Audit ID: A-2025-003
Date: 2025-03-15
Scope: Information Security Governance

Finding: The organization's information security strategy does not include measurable objectives aligned with business goals. The strategy document states: 'To protect information assets from threats.' There are no defined key performance indicators (KPIs) or targets.

Recommendation: Develop a security strategy with specific, measurable objectives linked to business outcomes.
```

Question 45 (easy, multiple choice)

An organization is developing its information security strategy. Which of the following should be the PRIMARY driver for defining security objectives?

Question 46 (medium, multiple choice)

A large enterprise is implementing a new governance framework. The board has approved a risk appetite statement. What is the MOST important next step for the information security manager?

Question 47 (hard, multiple choice)

A global company is establishing an information security governance committee. Which membership composition BEST ensures alignment between security and business strategy?

Question 48 (easy, multiple choice)

An information security manager is asked to report on the effectiveness of the security program. Which metric would BEST indicate governance effectiveness?

Question 49 (medium, multiple choice)

After a merger, two companies with different security cultures are being integrated. What is the BEST approach for the information security manager to achieve a unified governance structure?

Question 50 (hard, multiple choice)

A financial institution is designing its information security governance to comply with multiple regulations. The board has limited risk appetite. Which approach BEST ensures effective governance while minimizing conflict?

Question 51 (easy, multiple choice)

An information security manager is developing a security scorecard for the board. Which of the following should be included to BEST demonstrate governance performance?

Question 52 (medium, multiple choice)

A company is restructuring its security governance due to rapid growth. The CISO reports to the CIO. What is the PRIMARY risk of this reporting structure?

Question 53 (hard, multiple choice)

An organization's governance framework requires regular reporting to the board. Which reporting frequency and format is MOST effective for a board with limited security expertise?

Question 54 (medium, multi select)

Which TWO of the following are essential components of an effective information security governance framework? (Select exactly two.)

Question 55 (hard, multi select)

Which THREE of the following are key indicators of a mature information security governance process? (Select exactly three.)

Question 56 (easy, multi select)

Which TWO of the following are primary responsibilities of the board of directors with regard to information security governance? (Select exactly two.)

Question 57 (medium, multiple choice)

Given the exhibit, what is the MOST appropriate action for the information security manager?

Exhibit:

```
SECURITY GOVERNANCE REPORT - Q4 20XX
=======================================
Risk Appetite: Moderate (defined by board)
Key Risk Indicator: % Systems with critical vulnerabilities > 30 days old
Current Value: 8%
Threshold: <5% (Red), 5-10% (Yellow), >10% (Green)
Status: YELLOW
Action Plan: Accelerate patching for high-risk assets
```

Question 58 (hard, multiple choice)

Based on the exhibit, which role is missing from the governance policy that would be essential for enforcing accountability?

Exhibit:

```
$ cat governance_policy.json
{
  "policyName": "Information Security Governance Policy",
  "version": "2.0",
  "scope": "All business units and subsidiaries",
  "roles": {
    "board": "Approve risk appetite and review security performance quarterly",
    "ceo": "Provide strategic direction and resources",
    "ciso": "Develop and implement security program",
    "businessManagers": "Ensure compliance within their units",
    "internalAudit": "Independent assurance on governance effectiveness"
  },
  "processes": {
    "riskAssessment": "Annual risk assessment and quarterly updates",
    "strategyAlignment": "Annual review of security strategy with business strategy",
    "reporting": "Quarterly dashboard to board, monthly to management"
  }
}
```

Question 59 (easy, multiple choice)

Given the exhibit, what is the MOST significant governance gap in the described architecture?

Exhibit:

```
NETWORK ARCHITECTURE DESCRIPTION
- Internet edge: Firewall cluster (active-active) with IPS
- DMZ: Web servers, external-facing applications
- Internal network segregated into VLANs by business unit
- Management network for system administrators
- Security Operations Center (SOC) monitors all traffic
- Remote access via VPN with multi-factor authentication
- Data centers: Tier 3 physical security and environmental controls
```

Question 60 (easy, multiple choice)

A CISO is developing an information security governance framework for a financial institution. Which of the following is the PRIMARY purpose of such a framework?

Question 61 (medium, multiple choice)

A multinational corporation is designing an information security strategy to support its global operations. Which approach best ensures that the strategy is actionable and measurable?

Question 62 (hard, multiple choice)

An organization's information security governance committee has not met for the past six months. Which of the following is the most significant risk associated with this situation?

Question 63 (easy, multiple choice)

An organization plans to implement ISO/IEC 27001 to formalize its information security management system. Which step is most critical to ensure successful implementation?

Question 64 (medium, multiple choice)

A multinational corporation must comply with both GDPR and CCPA. Which governance approach is most effective?

Question 65 (hard, multiple choice)

During an internal audit, it is discovered that business units frequently purchase cloud services without involving the IT security department. Which governance deficiency does this scenario most clearly demonstrate?

Question 66 (easy, multiple choice)

Which of the following is the best indicator that an organization has effective information security governance?

Question 67 (medium, multiple choice)

A company's security steering committee includes representatives from Human Resources, Legal, and Risk Management, but not from Business Operations. What is the most likely consequence of this membership gap?

Question 68 (hard, multiple choice)

After a merger, the combined organization has two different risk tolerance levels: one entity is risk-averse, the other is risk-taking. What is the best governance action?

Question 69 (easy, multi select)

Which TWO of the following are key elements of an information security governance framework, as defined by COBIT?

Question 70 (medium, multi select)

Which THREE of the following are responsibilities of the board of directors regarding information security governance?

Question 71 (hard, multi select)

Which THREE of the following are challenges in implementing information security governance in a decentralized organization?

Question 72 (medium, multiple choice)

Refer to the exhibit. A security administrator reports that the VPN tunnel to the remote peer (10.1.1.1) intermittently fails. Based on the configuration, which of the following is the most likely cause?

Exhibit (router configuration):

```
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 86400
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set TS
 match address 101
!
interface FastEthernet0/0
 crypto map VPN
!
```

Question 73 (easy, multiple choice)

Refer to the exhibit. A company implements this data classification scheme. Which risk is most likely introduced by this scheme?

Exhibit (data classification scheme):

```
{
  "classification_scheme": {
    "labels": [
      {"id": "P", "name": "Public"},
      {"id": "C", "name": "Confidential"},
      {"id": "R", "name": "Restricted"},
      {"id": "U", "name": "Unclassified"}
    ]
  }
}
```

Question 74 (hard, multiple choice)

Refer to the exhibit. This error log indicates a failure in which component of information security governance?

Exhibit (error log entry):

```
[ERROR] [2025-04-01 14:23:45] GRC Policy Update Failed: Insufficient privileges for user 'jdoe' to modify policy 'SOX-101'. Required role: 'PolicyAdmin', user roles: ['Auditor','ComplianceReader'].
```

Question 75 (hard, multiple choice)

A multinational corporation is experiencing significant security incidents due to inconsistent security policies across subsidiaries. The CISO proposes implementing a centralized governance model. However, business unit leaders argue that local regulations require autonomy. Which approach best balances governance with local compliance?

Question 76 (medium, multiple choice)

A company has recently adopted COBIT 2019 as its governance framework. The board is requesting a concise report on the effectiveness of the security program. Which reporting structure best aligns with COBIT's guidance?

Question 77 (easy, multiple choice)

During an internal audit, it was found that the security policy does not address the use of personal devices for work. Which governance action should be taken first?

Question 78 (medium, multiple choice)

An organization's security steering committee meets quarterly but lacks decision-making authority. Projects are delayed due to lack of prioritization. What is the most effective improvement?

Question 79 (hard, multiple choice)

A financial institution is integrating a newly acquired fintech startup. The startup has a very different security culture. What governance approach best ensures integration without stifling innovation?

Question 80 (easy, multiple choice)

A small business cannot afford a dedicated security team. Which governance model is most appropriate?

Question 81 (medium, multi select)

Which TWO of the following are essential components of an information security governance framework according to ISACA's COBIT?

Question 82 (hard, multi select)

Which TWO of the following are key indicators that an organization's information security governance is inadequate?

Question 83 (easy, multi select)

Which THREE elements are typically included in a security governance charter?

Question 84 (hard, multiple choice)

Acme Corp, a global manufacturer, has a decentralized security governance model. Each business unit manages its own security, resulting in inconsistent policies and repeated audit findings. The new CISO proposes a federated model where a central team sets minimum standards and each unit can add local controls. However, the European unit's head insists on full autonomy due to GDPR strictness. The board is concerned about compliance costs. What should the CISO do first?

Question 85 (medium, multiple choice)

TechStart, a cloud-based startup, has rapidly grown from 50 to 500 employees. It lacks a formal security governance structure. The CEO asks the CISO to develop one. The CISO finds that the company's culture values speed over compliance. The board expects a governance framework within three months. What is the most practical approach?

Question 86 (easy, multiple choice)

A hospital chain has separate security teams for each facility. There is no central coordination, leading to duplicate effort and inconsistent patient data protection. The health system's CISO wants to improve governance with minimal disruption. What should the CISO do?

Question 87 (medium, multiple choice)

BankOne has a mature security governance program but recently failed a regulatory audit because the board had not formally approved the risk appetite statement. The CISO argues that risk appetite is reviewed annually and was verbally approved. To prevent recurrence, what governance change is most effective?

Question 88 (hard, multiple choice)

A government agency is criticized for poor security governance after a data breach. An external review finds that security policies are not aligned with the agency's mission. The director wants to implement a governance framework that ties security to strategic objectives. Which framework is most suitable?

Question 89 (easy, multiple choice)

A retail company's security governance includes a policy that all software must be approved by a security committee. This delays critical business applications. The CIO complains. How should the CISO adjust governance?

Question 90 (easy, multi select)

Which TWO of the following are typically considered key components of an information security governance framework?

Question 91 (medium, multiple choice)

Refer to the exhibit. An organization is implementing access controls for a new data repository that will store financial reports classified as Category C. Which of the following is the MOST appropriate control to include?

Exhibit:

```
Security Policy – Data Classification

Category A: Public – No restrictions on disclosure.
Category B: Internal – Limited to employees; no external sharing without approval.
Category C: Confidential – Access on a need-to-know basis; encryption required for transmission.
Category D: Restricted – Highest sensitivity; requires encryption at rest and in transit, dual control for access, and quarterly audits.
```

Question 92 (hard, multiple choice)

A global financial services firm with 15,000 employees has recently experienced a significant data breach due to inadequate oversight of third-party vendors. The breach originated from a cloud service provider that had been granted elevated access without a formal risk assessment or contract review. The board has directed the CISO to overhaul the information security governance framework to prevent recurrence. Currently, the organization has a decentralized security model where each business unit manages its own vendor relationships. The CISO proposes a centralized governance body. Which of the following is the BEST course of action to establish effective governance over third-party risk?
