Sample questions
Certified Information Security Manager CISM practice questions
A financial institution is implementing a new online banking platform. The risk assessment identified that the authentication module has a high likelihood of exploitation due to weak password policies. The risk owner has decided to implement multi-factor authentication (MFA) to reduce the risk. This is an example of which risk response strategy?
- A. Risk avoidance
  Why wrong: Risk avoidance would involve not implementing the platform or eliminating the risk entirely, which is not the case here.
- B. Risk mitigation
  Why right: MFA reduces the likelihood or impact of the risk, which is the definition of risk mitigation.
- C. Risk acceptance
  Why wrong: Risk acceptance would mean acknowledging the risk and not taking any action, which contradicts the implementation of MFA.
- D. Risk transfer
  Why wrong: Risk transfer would involve shifting the risk to a third party, such as through insurance, not implementing a control.
Which of the following are key components of an information security program? (Select TWO)
- B. A network architecture diagram
  Why wrong: This is a technical artifact, not a core program component.
- D. An incident response log
  Why wrong: This is an operational record, not a program component.
A multinational corporation is implementing an information security governance framework. The board has requested a mechanism to ensure that security investments align with business objectives. Which of the following is the BEST approach to achieve this alignment?
- A. Minimize security spending to maximize ROI.
  Why wrong: Cost reduction may compromise necessary security controls.
- B. Adopt a best-practice framework such as NIST CSF and implement all controls.
  Why wrong: May not address specific business needs or risk tolerance.
- C. Focus on regulatory compliance to ensure legal requirements are met.
  Why wrong: Compliance is necessary but insufficient for full alignment with business objectives.
- D. Develop a risk-based prioritization framework linking security initiatives to business risk appetite.
  Why right: Directly aligns security investments with business objectives through risk management.
A healthcare organization is developing an information security strategy. The board has mandated that the strategy must support innovation while protecting patient data. Which governance approach BEST balances these priorities?
- A. Implement strict access controls and encryption for all data.
  Why wrong: Technical controls alone do not address the innovation balance.
- B. Establish a risk appetite framework that defines acceptable risk levels for innovation initiatives.
  Why right: Enables informed decision-making balancing innovation and security.
- C. Adopt a 'security by design' approach for all new projects.
  Why wrong: Important but may not provide the balance needed; too security-centric.
- D. Create a separate innovation sandbox with limited data access.
  Why wrong: May limit innovation scope and does not address governance balance.
A newly appointed CISO wants to establish an information security governance committee. What is the PRIMARY purpose of this committee?
- A. To manage day-to-day security operations.
  Why wrong: Operational tasks are handled by security teams, not governance committees.
- B. To implement security controls across the organization.
  Why wrong: Implementation is the responsibility of operational teams.
- C. To approve technical security solutions.
  Why wrong: Technical approvals are typically delegated to technical boards.
- D. To ensure security strategy aligns with business objectives and provide oversight.
  Why right: Governance committees bridge security and business strategy.
Which TWO of the following are primary objectives of information security governance? (Choose two.)
- A. Eliminate all information security risks.
  Why wrong: Risk elimination is impossible; governance manages risk.
- B. Align security strategy with business goals.
  Why right: Core objective of governance.
- C. Maximize profitability through security investments.
  Why wrong: Profit is a business goal, not a governance objective.
- D. Ensure accountability for security decisions.
  Why right: Essential governance objective.
- E. Achieve compliance with all applicable regulations.
  Why wrong: Compliance is a requirement, but not the primary objective of governance.
A financial services firm has a mature information security program but is struggling to demonstrate the value of security investments to the board. Which metric would BEST communicate the effectiveness of the security program in business terms?
- A. Number of security alerts triaged per day.
  Why wrong: Operational metric, not a business value indicator.
- B. Reduction in average cost per security incident over the past year.
  Why right: Directly ties security program effectiveness to financial impact.
- C. Time to patch critical vulnerabilities.
  Why wrong: Technical metric, not directly showing business value.
- D. Percentage of systems with endpoint protection installed.
  Why wrong: Does not reflect business value or risk reduction.
You are the CISO of a mid-sized e-commerce company with 500 employees. The company recently suffered a data breach where an attacker exfiltrated customer credit card data from the production database. The investigation revealed that the breach originated from a compromised developer workstation. The developer had been granted direct access to the production database for troubleshooting purposes, a practice that had been in place for years. The security governance framework currently lacks a formal process for managing privileged access. The board has asked for immediate improvements to prevent recurrence. Which course of action BEST addresses the governance gap?
- A. Implement a privileged access management (PAM) solution with just-in-time access and session recording.
  Why right: Addresses the governance gap by formalizing and controlling privileged access.
- B. Segment the network to isolate production databases from developer workstations.
  Why wrong: Network segmentation is a technical control; the governance gap remains.
- C. Conduct security awareness training for all developers on password security.
  Why wrong: Training is insufficient; the issue is lack of governance over privileged access.
- D. Deploy endpoint protection and patch management for all workstations.
  Why wrong: Technical controls address symptoms, not the governance gap.
A company is considering outsourcing its security operations center (SOC). Which governance consideration is MOST critical before finalizing the decision?
- A. The vendor's service level agreements (SLAs) for incident response times.
  Why wrong: SLAs are operational but governance oversight is paramount.
- B. The vendor's technical expertise and certifications.
  Why wrong: Important but not the most critical governance issue.
- C. The cost savings compared to in-house operations.
  Why wrong: Cost is important but not the most critical governance consideration.
- D. The ability to maintain oversight and accountability for security outcomes.
  Why right: Governance requires clear accountability even when services are outsourced.
A security analyst detects unusual outbound network traffic from a database server to an unknown IP address. The traffic uses encrypted connections on port 443. Which type of attack is MOST likely occurring?
- A. Data exfiltration
  Why right: Encrypted outbound traffic to an unknown IP is a classic sign of data exfiltration.
- B. SQL injection
  Why wrong: SQL injection is typically used to extract data via a web application, not through encrypted outbound traffic.
- C. Ransomware
  Why wrong: Ransomware usually encrypts files locally and demands a ransom; it does not necessarily exfiltrate data.
- D. Denial of service
  Why wrong: DoS attacks generate high volumes of traffic to overwhelm resources, not stealthy encrypted outbound traffic.
A multinational corporation is assessing the risk of data breaches from third-party vendors. The CISM is tasked with selecting a risk treatment strategy. The organization has a low risk appetite for data breaches. Which strategy should be prioritized?
- A. Mitigate the risk by conducting regular vendor audits.
  Why wrong: Mitigation reduces but does not eliminate risk; may still exceed appetite.
- B. Avoid the risk by not engaging vendors that cannot meet security requirements.
  Why right: Avoidance eliminates the risk entirely, fitting low appetite.
- C. Transfer the risk by requiring vendors to have cyber insurance.
  Why wrong: Insurance addresses financial impact but not the risk of breach itself.
- D. Accept the risk because third-party risks are unavoidable.
  Why wrong: Acceptance is not appropriate when risk appetite is low.
During a simulated phishing exercise, several employees clicked a link and entered their credentials on a fake login page. The security team needs to determine the impact. Which of the following should be the NEXT step?
- A. Reset the affected employees' passwords and enable multi-factor authentication
  Why right: This mitigates the credential compromise.
- B. Implement a security awareness training program
  Why wrong: Training is important but not an immediate response to current compromise.
- C. Conduct a forensic analysis of the employees' workstations
  Why wrong: Forensic analysis may be done later, but immediate password reset is higher priority.
- D. Block the phishing domain at the web proxy
  Why wrong: Blocking the domain is good, but does not protect accounts already compromised.
Which TWO of the following are best practices for preserving digital evidence during an incident? (Select exactly 2)
- A. Create a forensic image of the hard drive using a write blocker
  Why right: A write blocker prevents alteration of the original data.
- B. Document the chain of custody
  Why right: Chain of custody maintains evidence admissibility.
- C. Interview witnesses before collecting data
  Why wrong: Interviews are part of investigation but do not preserve evidence.
- D. Run antivirus scans on the affected system
  Why wrong: Scanning can modify files and timestamps.
- E. Reboot the system to clear memory
  Why wrong: Rebooting destroys volatile evidence.
Based on the SIEM alert exhibit, which immediate action should the incident responder take?
Exhibit. Refer to the exhibit.
```
[Alert] Correlation Rule: Multiple Failed Logins
Source IP: 10.0.0.55
Destination IP: 192.168.1.10
Event Count: 150 failed logins to admin account 'jsmith' within 5 minutes
Action: Triggered
```
- A. Block the source IP 10.0.0.55 at the firewall
  Why wrong: Blocking the IP is good but may be a temporary measure; locking the account is more direct.
- B. Lock the user account 'jsmith'
  Why right: Locking the account prevents further brute-force attempts.
- C. Increase logging level for the destination server
  Why wrong: Increasing logging is not an immediate response.
- D. Contact the user 'jsmith' to verify activity
  Why wrong: Verification is important but not immediate; the attack is ongoing.
During an incident investigation, the security team discovers that an attacker exfiltrated sensitive customer data via encrypted DNS tunneling over a period of three months. The data loss was only noticed after a routine audit. Which of the following weaknesses MOST likely allowed the attacker to remain undetected for so long?
- A. Inadequate monitoring of DNS traffic for anomalies
  Why right: Without monitoring DNS traffic for tunneling, exfiltration can go unnoticed for long periods.
- B. Weak password policies
  Why wrong: Weak passwords could lead to initial compromise but not specifically to undetected exfiltration.
- C. Unpatched web server software
  Why wrong: Unpatched software may be an entry vector, but DNS tunneling detection is about network monitoring.
- D. Lack of data-at-rest encryption
  Why wrong: Data-at-rest encryption protects stored data but does not detect exfiltration.
During an incident, the response team collects volatile data from a compromised server. Which of the following should be collected FIRST to minimize loss of evidence?
- A. Contents of RAM
  Why right: RAM is volatile and will be lost if the system is powered off.
- B. Contents of hard drive
  Why wrong: Hard drive data is non-volatile and can be collected later.
- C. Event logs
  Why wrong: Event logs are stored on disk and are less volatile.
- D. Network configuration
  Why wrong: Network config can be obtained from backup or reconfigured.
Which TWO of the following are key indicators of a potential insider threat incident? (Select exactly 2)
- A. Multiple failed login attempts from an external IP address
  Why wrong: This indicates external brute-force, not insider activity.
- B. An increase in network traffic to a known malicious domain
  Why wrong: This points to external malware or command and control.
- C. A user accessing large volumes of data not related to their job function
  Why right: This suggests data theft or espionage.
- D. An employee logging in during non-business hours and downloading files
  Why right: Unusual working hours can indicate malicious activity.
- E. A user updating their password as required by policy
  Why wrong: This is normal and expected behavior.
A multinational corporation has just detected a ransomware attack that encrypted critical files on a file server. The incident response team has been activated. Which of the following should be the FIRST action taken by the team?
- A. Restore encrypted files from backup
  Why wrong: Restoration should occur after containment and forensic analysis.
- B. Reboot the file server to clear the encryption
  Why wrong: Rebooting may lose volatile evidence and does not remove encryption.
- C. Isolate the affected systems from the network
  Why right: Isolation stops the ransomware from spreading and limits damage.
- D. Notify law enforcement
  Why wrong: Notifying law enforcement is important but not the first step; containment is the priority.
After a security incident, the incident response team prepares a report detailing the root cause, impact, and lessons learned. Who is the PRIMARY audience for this report?
- A. The affected users
  Why wrong: Users may need some communication but not the detailed report.
- B. Senior management and the board of directors
  Why right: They need to make strategic decisions based on the incident.
- C. The IT support team
  Why wrong: IT support may need technical details, but the primary audience is management.
- D. External auditors
  Why wrong: External auditors may request the report, but they are not the primary audience.
Which TWO actions are appropriate during the containment phase of an incident involving a malware outbreak on multiple workstations?
- A. Contact all users to warn them about the malware
  Why wrong: May cause unnecessary alarm and is not containment.
- B. Reimage all affected workstations immediately
  Why wrong: Reimaging is remediation, done after containment.
- C. Isolate infected workstations from the network
  Why right: Isolation stops lateral movement.
- D. Notify customers about potential data breach
  Why wrong: Notification is external communication, not containment.
- E. Block known malicious domains and IPs at the firewall
  Why right: Blocks command-and-control communication.
An organization uses a SIEM to correlate security events. The SIEM generates an alert for a possible brute-force attack against an admin account. The incident response team reviews the alert and finds that the account is a service account with a known password. What should the team do NEXT?
- A. Notify the service owner
  Why wrong: Notification is important but not the immediate next step.
- B. Disable the service account
  Why wrong: Disabling may disrupt services; changing the password is less disruptive.
- C. Investigate the source IP addresses
  Why wrong: Investigation can follow, but the immediate action is to secure the account.
- D. Change the password for the service account
  Why right: Changing the password invalidates the attacker's attempts.
After a security incident, the incident response team identifies that the root cause was a phishing email that bypassed the email filter. The email contained a malicious macro that executed PowerShell commands. Which control would be MOST effective in preventing similar incidents in the future?
- A. Implement network segmentation for sensitive systems
  Why wrong: Segmentation limits lateral movement, not initial infection.
- B. Disable macros in documents originating from external sources
  Why right: This directly prevents the attack vector used in the incident.
- C. Deploy additional antivirus software on endpoints
  Why wrong: Antivirus may not detect zero-day malware.
- D. Conduct security awareness training for all employees
  Why wrong: Training reduces risk but does not fully prevent macro-based attacks.
A financial institution is designing an incident response plan. They want to ensure that during a ransomware incident, critical transaction systems can be restored within 4 hours. Which metric should be used to measure this requirement?
- A. Mean Time to Repair (MTTR)
  Why wrong: MTTR is an average, not a target recovery time.
- B. Recovery Time Objective (RTO)
  Why right: RTO defines the maximum acceptable downtime.
- C. Mean Time Between Failures (MTBF)
  Why wrong: MTBF measures reliability, not recovery.
- D. Recovery Point Objective (RPO)
  Why wrong: RPO defines acceptable data loss, not downtime.
An information security manager is developing a program metric to measure the effectiveness of the security awareness training. Which metric is most appropriate?
- A. Percentage of employees who completed the training.
  Why wrong: Completion does not measure learning or behavior change.
- C. Average score on post-training tests.
  Why wrong: Test scores measure knowledge retention, but not application in real situations.
- D. Time taken to complete the training modules.
  Why wrong: Time is irrelevant to effectiveness; fast completion may indicate skipping content.