
Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Free · No Signup Required · ISACA · CISM

CISM Incident Management Practice Questions

20+ practice questions focused on Incident Management — one of the most tested topics on the Certified Information Security Manager CISM exam. Each question includes a detailed explanation so you learn why the right answer is correct.



Sample Incident Management Questions

1. A multinational corporation has just detected a ransomware attack that encrypted critical files on a file server. The incident response team has been activated. Which of the following should be the FIRST action taken by the team?

A. Restore encrypted files from backup
B. Reboot the file server to clear the encryption
C. Isolate the affected systems from the network
D. Notify law enforcement

Explanation: The first priority in ransomware incident response is containment to prevent the encryption from spreading to other systems. Isolating the affected file server from the network (e.g., disabling the network interface or disconnecting the cable) stops the ransomware from communicating with its command-and-control server and encrypting additional shares. This aligns with the NIST SP 800-61 containment strategy and ensures that the incident response team can safely preserve forensic evidence before any remediation.

2. During an incident investigation, the security team discovers that an attacker exfiltrated sensitive customer data via encrypted DNS tunneling over a period of three months. The data loss was only noticed after a routine audit. Which of the following weaknesses MOST likely allowed the attacker to remain undetected for so long?

A. Inadequate monitoring of DNS traffic for anomalies
B. Weak password policies
C. Unpatched web server software
D. Lack of data-at-rest encryption

Explanation: The correct answer is A because DNS tunneling exfiltrates data by encoding it within DNS queries and responses, which are often allowed through firewalls without deep inspection. The attacker remained undetected for three months because the security team lacked monitoring of DNS traffic for anomalies, such as unusual query volumes, non-standard record types (e.g., TXT records), or domains with high entropy. Without DNS-specific anomaly detection or a security information and event management (SIEM) system correlating DNS logs, the exfiltration blended into normal traffic.

3. An organization's incident response plan includes a step to 'contain the incident.' Which of the following actions is an example of containment?

A. Disconnecting an infected workstation from the network
B. Restoring data from backup
C. Analyzing log files to determine the attack vector
D. Removing malware from the system

Explanation: Disconnecting an infected workstation from the network is a classic containment action because it immediately isolates the compromised system, preventing the spread of malware or unauthorized lateral movement to other hosts. Containment focuses on limiting the scope and impact of an incident, not on remediation or investigation. This step aligns with the NIST SP 800-61 incident response lifecycle, where containment is performed before eradication and recovery.

4. During a simulated phishing exercise, several employees clicked a link and entered their credentials on a fake login page. The security team needs to determine the impact. Which of the following should be the NEXT step?

A. Reset the affected employees' passwords and enable multi-factor authentication
B. Implement a security awareness training program
C. Conduct a forensic analysis of the employees' workstations
D. Block the phishing domain at the web proxy

Explanation: When credentials are compromised in a phishing attack, the immediate priority is to contain the breach by invalidating the exposed credentials. Resetting the affected employees' passwords and enabling multi-factor authentication (MFA) prevents attackers from using the harvested credentials for unauthorized access, especially if the credentials are reused across other systems. This aligns with the containment phase of the incident response lifecycle, which precedes eradication and recovery.

5. An organization is developing an incident response plan. The CISO wants to ensure that the plan aligns with industry best practices. Which framework should the CISO use as a primary reference?

A. ISO 31000
B. NIST Cybersecurity Framework
C. ITIL
D. NIST SP 800-61

Explanation: NIST SP 800-61 (Computer Security Incident Handling Guide) is the definitive U.S. government standard for incident response processes, covering preparation, detection, containment, eradication, and recovery. It provides detailed, step-by-step guidance for building an incident response plan, making it the primary reference for aligning with industry best practices.

+15 more Incident Management questions available


How to master Incident Management for CISM

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Incident Management. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Incident Management questions on the CISM frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many CISM Incident Management questions are on the real exam?

The exact number varies per candidate. Incident Management is tested as part of the Certified Information Security Manager CISM blueprint. Practicing with targeted Incident Management questions ensures you can handle any format or difficulty that appears.

Are these CISM Incident Management practice questions free?

Yes. Courseiva provides free CISM practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Incident Management one of the harder CISM topics?

Difficulty is subjective, but Incident Management is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Incident Management
Exam: CISM
Questions available: 20+