20+ practice questions focused on Incident Management — one of the most tested topics on the Certified Information Security Manager (CISM) exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A multinational corporation has just detected a ransomware attack that encrypted critical files on a file server. The incident response team has been activated. Which of the following should be the FIRST action taken by the team?
Explanation: The first priority in ransomware incident response is containment to prevent the encryption from spreading to other systems. Isolating the affected file server from the network (e.g., disabling the network interface or disconnecting the cable) stops the ransomware from communicating with its command-and-control server and encrypting additional shares. This aligns with the NIST SP 800-61 containment strategy and ensures that the incident response team can safely preserve forensic evidence before any remediation.
During an incident investigation, the security team discovers that an attacker exfiltrated sensitive customer data via encrypted DNS tunneling over a period of three months. The data loss was only noticed after a routine audit. Which of the following weaknesses MOST likely allowed the attacker to remain undetected for so long?
Explanation: The correct answer is A because DNS tunneling exfiltrates data by encoding it within DNS queries and responses, which are often allowed through firewalls without deep inspection. The attacker remained undetected for three months because the security team lacked monitoring of DNS traffic for anomalies, such as unusual query volumes, non-standard record types (e.g., TXT records), or domains with high entropy. Without DNS-specific anomaly detection or a security information and event management (SIEM) system correlating DNS logs, the exfiltration blended into normal traffic.
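The DNS anomaly indicators this explanation lists (query volume per client, TXT-heavy traffic, high-entropy subdomain labels) turned into a small detector run over a constructed query log. This is an added example, not part of the original page; the log format, domain names and thresholds are assumptions, and the "tunnel" entries are synthetic labels built from hashes.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

def _fake_chunk(i: int) -> str:
    # Deterministic high-entropy label standing in for an encoded data chunk (constructed).
    digest = hashlib.sha256(f"chunk-{i}".encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()

# Constructed sample DNS query log as (client_ip, qname, qtype) tuples; not real traffic.
SAMPLE_DNS_LOG = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.7", "cdn.example.net", "AAAA"),
    ("10.0.0.7", "_dmarc.example.com", "TXT"),  # one legitimate TXT lookup
] + [  # 40 TXT queries from one host to one domain, each with a random-looking label
    ("10.0.0.9", f"{_fake_chunk(i)}.exfil-example.test", "TXT") for i in range(40)
]

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score near log2(alphabet size)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def detect_dns_tunneling(log, min_queries=10, entropy_threshold=3.5, txt_ratio_threshold=0.5):
    """Aggregate per (client, registered domain) and return {pair: [reasons]} for
    pairs whose query pattern looks like tunneling. Thresholds are illustrative."""
    stats = defaultdict(lambda: {"count": 0, "txt": 0, "entropy_sum": 0.0})
    for client, qname, qtype in log:
        labels = qname.lower().rstrip(".").split(".")
        domain = ".".join(labels[-2:])  # crude registered-domain approximation
        longest = max(labels[:-2], key=len, default="")  # payload usually sits in the longest label
        s = stats[(client, domain)]
        s["count"] += 1
        s["txt"] += int(qtype.upper() == "TXT")
        s["entropy_sum"] += shannon_entropy(longest)
    findings = {}
    for key, s in stats.items():
        if s["count"] < min_queries:
            continue  # too few queries to judge; a single odd lookup is not an alert
        reasons = []
        if s["entropy_sum"] / s["count"] > entropy_threshold:
            reasons.append("high-entropy subdomain labels")
        if s["txt"] / s["count"] > txt_ratio_threshold:
            reasons.append("mostly TXT queries")
        if reasons:
            findings[key] = reasons
    return findings
```

In a SIEM the same aggregation would run over a sliding window per client so that a slow, three-month drip still accumulates enough queries to cross the thresholds.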
An organization's incident response plan includes a step to 'contain the incident.' Which of the following actions is an example of containment?
Explanation: Disconnecting an infected workstation from the network is a classic containment action because it immediately isolates the compromised system, preventing the spread of malware or unauthorized lateral movement to other hosts. Containment focuses on limiting the scope and impact of an incident, not on remediation or investigation. This step aligns with the NIST SP 800-61 incident response lifecycle, where containment is performed before eradication and recovery.
During a simulated phishing exercise, several employees clicked a link and entered their credentials on a fake login page. The security team needs to determine the impact. Which of the following should be the NEXT step?
Explanation: When credentials are compromised in a phishing attack, the immediate priority is to contain the breach by invalidating the exposed credentials. Resetting the affected employees' passwords and enabling multi-factor authentication (MFA) prevents attackers from using the harvested credentials for unauthorized access, especially if the credentials are reused across other systems. This aligns with the containment phase of the incident response lifecycle, which precedes eradication and recovery.
An organization is developing an incident response plan. The CISO wants to ensure that the plan aligns with industry best practices. Which framework should the CISO use as a primary reference?
Explanation: NIST SP 800-61 (Computer Security Incident Handling Guide) is the definitive U.S. government standard for incident response processes, covering preparation, detection, containment, eradication, and recovery. It provides detailed, step-by-step guidance for building an incident response plan, making it the primary reference for aligning with industry best practices.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Incident Management. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Incident Management questions on the CISM frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Incident Management is tested as part of the Certified Information Security Manager (CISM) blueprint. Practicing with targeted Incident Management questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free CISM practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Incident Management is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
Launch a full Incident Management practice session with instant scoring and detailed explanations.