CCNA Information Security Risk Management Questions

75 of 95 questions · Page 1/2 · Information Security Risk Management · Answers revealed

1
MCQ · medium

After implementing controls, an organization reassesses a risk and finds that the residual risk level exceeds the established risk tolerance. What is the most appropriate next step?

A.Re-assess the risk using a different methodology
B.Lower the risk tolerance to match the residual risk
C.Seek management approval for acceptance or implement additional controls
D.Ignore the residual risk since controls are already in place
Answer: C

This aligns with the risk management process.

Why this answer

Option C is correct because the organization must decide either to accept the risk (with management authorization) or to treat it further. Option D is wrong because ignoring the residual risk is not acceptable. Option B is wrong because lowering the tolerance without justification is not appropriate.

Option A is wrong because re-assessment alone does not resolve the issue.

2
MCQ · medium

An employee emails a spreadsheet containing employee salaries to all staff by mistake. According to the exhibit, what is the minimum handling requirement that was violated?

A.HighlyConfidential handling requirements
B.Confidential handling requirements
C.Internal handling requirements
D.Public handling requirements
Answer: B

Salaries are confidential; email lacks encryption and need-to-know.

Why this answer

Option B is correct because salary information is typically classified as 'confidential' or 'highlyConfidential' depending on context, but the exhibit shows 'confidential' requires encryption in transit and need-to-know access. Sending to all staff violates need-to-know. Option D is wrong because 'public' allows disclosure.

Option C is wrong because 'internal' allows internal use, but not distribution to all staff. Option A is wrong because 'highlyConfidential' includes additional controls, but the minimum requirement violated is 'confidential'.

3
MCQ · medium

Refer to the exhibit. A system administrator reviews the log and notices repeated failed SSH attempts from the same IP address. What is the most appropriate risk response?

A.Change the password policy to require 12-character passwords.
B.Increase logging verbosity to capture more details.
C.Disable SSH access and use console only.
D.Implement account lockout after 3 failed attempts.
Answer: D

This control directly mitigates brute-force attacks by locking accounts.

Why this answer

Option D is correct because implementing an account lockout policy after 3 failed attempts directly mitigates brute-force SSH attacks by preventing further authentication attempts from the same IP address. This is a standard risk response (risk reduction) that limits the attacker's ability to guess credentials without requiring changes to the SSH protocol or disabling remote access entirely.

Exam trap

The trap here is that candidates confuse preventive controls (password policy) with detective controls (logging) or overcorrect with risk avoidance (disabling SSH), instead of recognizing that a targeted brute-force attack is best addressed with a specific technical control like account lockout that directly blocks the attack pattern.

How to eliminate wrong answers

Option A is wrong because changing the password policy to require 12-character passwords is a preventive control that reduces the likelihood of successful password guessing, but it does not stop repeated failed SSH attempts from the same IP address in real time; the attacker can still attempt unlimited guesses. Option B is wrong because increasing logging verbosity only improves detection and forensic analysis, not prevention or response; it does not stop the ongoing attack or reduce risk. Option C is wrong because disabling SSH access and using console only is an extreme risk avoidance that eliminates remote administration entirely, which is often operationally impractical and not the most appropriate response for a targeted brute-force attempt.

4
MCQ · hard

An organization's risk management policy requires a quantitative risk assessment for all new projects. The project team estimates that a data breach could occur once every 5 years with an average loss of $2 million. What is the annualized loss expectancy (ALE)?

A.$400,000
B.$10,000,000
C.$500,000
D.$2,000,000
Answer: A

ALE = $2,000,000 × 0.2 = $400,000.

Why this answer

Option A is correct: ALE = SLE × ARO, where SLE = $2M and ARO = 1/5 = 0.2, so ALE = $400,000. Option B is wrong because it misapplies the once-in-5-years frequency (multiplying by 5 instead of by 0.2). Options C and D are incorrect calculations.

5
Multi-Select · hard

Which THREE of the following are essential components of an information security risk management framework?

Select 3 answers
A.Incident response planning
B.Risk identification
C.Compliance auditing
D.Risk assessment
E.Risk treatment
Answers: B, D, E

Risk identification is the first step in risk management.

Why this answer

Options B, D, and E are correct because risk identification, assessment, and treatment are the core processes. Option A is wrong because incident response is part of security operations, not the risk management framework itself (though related). Option C is wrong because compliance auditing is a separate assurance activity.

6
MCQ · medium

An organization calculates that the single loss expectancy (SLE) for a server failure is $10,000, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

A.$5,000
B.$10,000
C.$20,000
D.$2,500
Answer: A

Calculation: $10,000 × 0.5 = $5,000.

Why this answer

Option A is correct because ALE = SLE × ARO = $10,000 × 0.5 = $5,000. Option C is wrong because it multiplies by 2. Option D is wrong because it divides by 2.

Option B is wrong because it reports the SLE without applying the ARO.

7
Multi-Select · easy

Which TWO of the following are key components of an information security risk assessment? (Choose two.)

Select 2 answers
A.Threat identification
B.Security policy development
C.Incident response planning
D.Control implementation
E.Asset identification
Answers: A, E

Threats must be identified to assess risk.

Why this answer

Options A and E are correct because risk assessment involves asset identification and threat identification. Option D is incorrect because control implementation is risk treatment, not assessment. Option C is incorrect because incident response planning is post-event.

Option B is incorrect because policy development is governance.

8
Multi-Select · hard

An organization is conducting a risk assessment for a new cloud-based HR system. Which THREE of the following are key considerations when evaluating the inherent risk?

Select 3 answers
A.Organization's risk appetite
B.Likelihood of threat actors targeting the system
C.Effectiveness of existing security controls
D.Sensitivity of the data stored and processed
E.Ease of exploiting vulnerabilities in the system
Answers: B, D, E

Threat likelihood is a core component of inherent risk.

Why this answer

Inherent risk is the risk level before any security controls are applied. When evaluating inherent risk for a new cloud-based HR system, the likelihood of threat actors targeting the system (B) is a key factor because it directly influences the probability of a risk event occurring, independent of any existing or planned controls. This assessment considers the system's exposure, attractiveness to attackers, and the threat landscape specific to cloud HR platforms.

Exam trap

ISACA often tests the distinction between inherent risk and residual risk, trapping candidates who treat control effectiveness (C) or risk appetite (A) as factors in inherent risk evaluation.

9
MCQ · hard

A global financial services firm uses a Monte Carlo simulation model to quantify the potential financial impact of cyber events. The model inputs include historical loss data, threat intelligence, and control effectiveness. Over the past year, the model has consistently underestimated actual losses by an average of 40%. The risk manager suspects model risk but the quantitative team argues the model is peer-reviewed. The board is concerned about the accuracy of risk reporting. What is the best course of action for the risk manager?

A.Perform a comprehensive model validation and sensitivity analysis
B.Increase the risk appetite to accommodate the underestimation
C.Replace the quantitative model with a qualitative risk assessment
D.Adjust the model parameters to align with observed losses
Answer: A

Correct; this identifies flaws in the model and ensures reliability.

Why this answer

Option A is correct because performing model validation and sensitivity analysis will help identify the assumptions, data quality, or structural issues causing the underestimation. Option D is incorrect because simply adjusting parameters to match past losses overfits the model and may not predict future losses accurately. Option C is incorrect because abandoning a quantitative model for a qualitative one may lose objectivity, though it could be considered if model risk cannot be reduced.

Option B is incorrect because increasing risk appetite does not address the model error; it could mask the problem.

10
MCQ · medium

Based on the exhibit, which risk should be addressed first if the organization has limited resources?

A.R001
B.R002
C.R003
D.R004
Answer: A

R001 has the highest risk level (12).

Why this answer

R001 has the highest risk level (12) and should be prioritized for mitigation. The other risks have lower composite scores.

11
MCQ · hard

An organization has a risk appetite that allows for a maximum residual risk level of 'medium' for all operational risks. A new project introduces a risk with inherent risk level 'high' and control effectiveness rated as 'partially effective'. The risk owner proposes to accept the risk. As the CISM, what is the best course of action?

A.Accept the risk since the risk owner has agreed.
B.Transfer the risk to an insurance company.
C.Insist on additional controls to reduce residual risk to at least 'medium'.
D.Recommend revising the risk appetite to accommodate this risk.
Answer: C

This ensures residual risk aligns with appetite, which is the correct risk management approach.

Why this answer

The organization's risk appetite mandates that residual risk must be at 'medium' or lower. With an inherent risk of 'high' and controls rated 'partially effective', the residual risk remains above the acceptable threshold. Therefore, the best course is to insist on additional controls to bring residual risk down to at least 'medium', ensuring compliance with the risk appetite.

Exam trap

The trap here is that candidates may think the risk owner's acceptance is sufficient, but CISM emphasizes that risk acceptance must be within the risk appetite; otherwise, it is a violation of governance.

How to eliminate wrong answers

Option A is wrong because accepting the risk would violate the organization's risk appetite, which requires residual risk to be at 'medium' or lower; the risk owner's acceptance does not override policy. Option B is wrong because transferring the risk to insurance does not reduce the residual risk level; it only shifts financial impact, and the residual risk remains 'high' or 'medium-high', still exceeding the appetite. Option D is wrong because revising the risk appetite to accommodate a single project undermines the governance framework and sets a dangerous precedent; the risk appetite should be driven by strategic objectives, not by individual risks.

12
MCQ · medium

A large retail chain with hundreds of stores uses point-of-sale (POS) systems that run an outdated operating system. The annual risk assessment identified this as a high-risk issue because the OS is no longer patched and has known vulnerabilities. The business unit manager opposes replacing all POS systems immediately due to cost and potential disruption to operations. As the risk manager, you need to recommend a risk response that balances risk reduction with business continuity. Which strategy is most appropriate?

A.Risk avoidance: immediately replace all POS systems with modern ones
B.Risk mitigation: implement compensating controls and schedule a phased upgrade
C.Risk acceptance: accept the risk because the business cannot afford replacement
D.Risk transfer: purchase cyber insurance to cover potential losses from POS attacks
Answer: B

Correct; this balances risk reduction with business continuity.

Why this answer

Option B is correct because risk mitigation through compensating controls (e.g., network segmentation, strict access controls, intrusion detection) combined with a phased upgrade reduces risk while allowing continued operations. Option A is risk avoidance but is too disruptive and costly. Option D is risk transfer via insurance, but insurance does not prevent the incident or reduce the operational impact.

Option C is risk acceptance without action, which is inappropriate for a high-risk issue.

13
MCQ · hard

An organization is implementing a quantitative risk analysis for a critical application. The asset value is $2,000,000. The exposure factor (EF) is 0.25, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

A.$250,000
B.$1,000,000
C.$125,000
D.$500,000
Answer: A

ALE = $2,000,000 × 0.25 × 0.5 = $250,000.

Why this answer

Option A is correct because ALE = asset value × EF × ARO = $2,000,000 × 0.25 × 0.5 = $250,000. Option D is wrong because it uses the EF only. Option B is wrong because it multiplies by 2 instead of 0.5.

Option C is wrong because it uses incorrect multiplication (half of the correct ALE).

14
Multi-Select · hard

A security manager is presenting risk analysis results to the board. Which of the following should the manager include to effectively communicate risk? (Select THREE)

Select 3 answers
A.Monetary value of potential losses
B.Detailed technical vulnerabilities
C.Likelihood of occurrence expressed as annual probability
D.Anecdotal stories of past incidents
E.Comparison of residual risk to risk appetite
Answers: A, C, E

Why this answer

Monetary value of potential losses (A) is correct because it translates technical risk into financial terms that board members understand, enabling informed decisions on resource allocation for risk mitigation. This aligns with the CISM focus on business-aligned risk communication, where quantitative metrics like Annualized Loss Expectancy (ALE) directly support cost-benefit analysis.

Exam trap

The trap here is that candidates often select 'Detailed technical vulnerabilities' (B) thinking it demonstrates thoroughness, but the board requires business-impact language, not technical depth.

Why the other options are wrong

B: Board members typically lack technical background; focus on business impact.

D: Anecdotes are not quantitative and may skew perception.

15
Multi-Select · easy

Which TWO of the following are examples of risk mitigation controls? (Choose two.)

Select 2 answers
A.Enforcing least privilege access controls
B.Implementing intrusion detection systems
C.Discontinuing a high-risk business process
D.Purchasing cyber insurance
E.Accepting the risk in a formal statement
Answers: A, B

Access controls reduce the likelihood of unauthorized access.

Why this answer

Options A and B are correct. Enforcing least privilege access controls and implementing intrusion detection systems are mitigation measures. Option D is wrong because purchasing insurance is transfer.

Option E is wrong because formally accepting the risk is acceptance, not mitigation. Option C is wrong because discontinuing a business process is avoidance.

16
MCQ · hard

Refer to the exhibit. Based on the risk register extract, which risk should the information security manager prioritize for additional treatment?

A.R-001 only
B.Neither risk requires additional treatment
C.R-002 only
D.Both R-001 and R-002
Answer: C

R-002 has a high residual risk exceeding the low risk appetite, so it needs additional treatment.

Why this answer

R-002 has a residual risk rating of 'High', which exceeds the organization's risk appetite of 'Low'. R-001's residual risk is 'Medium', which still may be acceptable depending on further analysis. Therefore, R-002 requires immediate attention.

17
MCQ · easy

Which role is primarily responsible for ensuring that information security risks are identified, assessed, and managed within a business unit?

A.Data owner
B.Chief Information Security Officer (CISO)
C.Board of directors
D.Risk owner
Answer: D

The risk owner is accountable for specific risks.

Why this answer

Option D is correct because risk owners are accountable for risk management decisions within their domain. Option B is wrong because the CISO oversees the security program but does not own specific risks. Option C is wrong because the board provides governance, not day-to-day risk management.

Option A is wrong because the data owner is responsible for data classification and protection, not all risks.

18
MCQ · hard

Refer to the exhibit. A security analyst reviews the firewall configuration and identifies a potential risk. What is the most likely risk?

A.Risk of unauthorized external access to internal services.
B.Risk of denial-of-service attacks from internal hosts.
C.Risk of IP spoofing attacks from the inside network.
D.Risk of data exfiltration via DNS tunneling.
Answer: D

Permissive DNS outbound can be exploited for covert data transfer.

Why this answer

The exhibit shows a firewall rule that permits DNS traffic (UDP/TCP port 53) from the internal network to any external destination. This configuration allows internal hosts to perform DNS queries to external servers, which can be exploited for DNS tunneling—a technique where data is encapsulated within DNS queries and responses to bypass security controls and exfiltrate sensitive information. Since DNS traffic is typically allowed through firewalls, this creates a covert channel for data exfiltration, making option D the most likely risk.

Exam trap

The trap here is that candidates may focus on the firewall rule allowing outbound DNS traffic and incorrectly assume it only poses a risk of unauthorized external access (option A), overlooking the more subtle but critical risk of data exfiltration via DNS tunneling, which is a well-known covert channel in security assessments.

How to eliminate wrong answers

Option A is wrong because the firewall rule permits outbound DNS traffic from internal to external, not inbound traffic from external to internal, so unauthorized external access to internal services is not directly facilitated by this rule. Option B is wrong because denial-of-service attacks from internal hosts would require a different attack vector, such as flooding, and the DNS rule does not inherently enable internal hosts to launch DoS attacks; it merely allows DNS queries. Option C is wrong because IP spoofing attacks from the inside network involve forging source IP addresses, which is not directly related to the DNS rule; spoofing is typically mitigated by ingress/egress filtering, not by DNS-specific firewall rules.

19
MCQ · hard

During a risk assessment, an organization identifies that a legacy system processes credit card data and has a high likelihood of being exploited. The cost to remediate the vulnerability is $500,000, while the potential loss from a breach is $2 million with a 30% annual probability. What is the most appropriate risk treatment decision based on this information?

A.Risk mitigation by implementing controls to fix the vulnerability
B.Risk transfer by purchasing cyber insurance
C.Risk acceptance because the probability is low
D.Risk avoidance by decommissioning the legacy system
Answer: A

The remediation cost is less than the ALE.

Why this answer

Option A is correct because the annualized loss expectancy (ALE) is $2,000,000 × 0.30 = $600,000, which exceeds the remediation cost of $500,000, making risk mitigation cost-effective. Option C is wrong because acceptance would leave the risk unaddressed when mitigation is cheaper than the expected loss. Option B is wrong because transferring would involve insurance premiums that likely exceed the expected loss.

Option D is wrong because avoidance (removing the system) is more drastic and may not be necessary.

20
MCQ · medium

Match each risk assessment activity with the correct phase of the risk management lifecycle.

Activities:
1. Identify assets and threats
2. Determine risk level
3. Select controls to reduce risk
4. Monitor risk over time

Phases:
A. Risk Assessment
B. Risk Treatment
C. Risk Monitoring
D. Risk Communication (not used)

Why this answer

In the risk management lifecycle, identifying assets and threats and determining risk level are part of Risk Assessment. Selecting controls is Risk Treatment. Monitoring risk is Risk Monitoring.

Risk Communication is a continuous activity, not a separate phase.

Exam trap

Candidates often confuse 'determine risk level' as part of risk treatment, but it is actually part of assessment. Also, monitoring is often overlooked as a separate phase.

Answers

1. Identify assets and threats: A (Risk Assessment)
2. Determine risk level: A (Risk Assessment)
3. Select controls to reduce risk: B (Risk Treatment)
4. Monitor risk over time: C (Risk Monitoring)

21
MCQ · easy

An organization has recently experienced a data breach due to a misconfigured database. The root cause was a lack of proper change management. As part of the risk management process, what should the organization do NEXT after implementing corrective controls?

A.Perform a residual risk assessment
B.Purchase additional cyber insurance to cover future breaches
C.Conduct security awareness training for all employees
D.Update the information security policy to mandate stricter controls
Answer: A

After implementing controls, the organization must evaluate whether the residual risk meets the risk appetite.

Why this answer

Option A is correct because after implementing controls, the organization should reassess residual risk to ensure it is within appetite. Option D is wrong because updating policies without reassessment may not address the actual risk level. Option C is wrong because training is important but not the immediate next step.

Option B is wrong because transferring risk does not address control effectiveness.

22
MCQ · easy

A regional hospital is required to comply with the Health Insurance Portability and Accountability Act (HIPAA). During an internal audit, it was discovered that patient electronic health records (EHRs) are transmitted over the internet without encryption. The risk manager has been asked to recommend a risk treatment. Which action should be prioritized to address this finding?

A.Implement encryption for all data in transit
B.Accept the risk because the likelihood of interception is low
C.Purchase cyber insurance to cover potential data breach costs
D.Discontinue all electronic transmission of patient data
Answer: A

Correct; encryption is a standard control to protect data in transit.

Why this answer

Option A is correct because implementing encryption for data in transit directly addresses the identified vulnerability and is a mandatory safeguard under HIPAA. Option B is incorrect because accepting this high-risk condition would likely violate regulatory requirements. Option D is overly drastic and would disrupt operations without addressing the underlying security weakness.

Option C is incorrect because insurance does not reduce the risk of non-compliance.

23
Multi-Select · medium

Which TWO of the following are common approaches to information security risk assessment?

Select 2 answers
A.Qualitative
B.Quantitative
C.Penetration testing
D.Vulnerability assessment
E.Business impact analysis
Answers: A, B

Qualitative assessment uses descriptive scales.

Why this answer

Options A and B are correct because qualitative and quantitative are the two main types. Quantitative uses numerical values; qualitative uses descriptive ranks. Option D is wrong because vulnerability assessment is a separate activity.

Option E is wrong because business impact analysis is not a risk assessment type. Option C is wrong because penetration testing is a specific test, not an assessment methodology.

24
MCQ · hard

A risk manager is aggregating risks across the enterprise and finds that multiple individual risks, each with low impact and low probability, could combine to create a significant risk. What is the best approach to address this?

A.Ignore the individual risks as they are low priority
B.Use a risk aggregation model to assess cumulative impact and consider enterprise-level controls
C.Accept the risk because the probability of all occurring simultaneously is negligible
D.Treat each individual risk separately with minimal controls
Answer: B

Aggregation provides a holistic view and appropriate mitigation.

Why this answer

Using a risk aggregation model allows the organization to assess the cumulative impact and implement enterprise-level controls. Ignoring or treating individually may miss the combined effect. Accepting as negligible ignores the potential for compounding.

25
MCQ · medium

During a risk assessment, an organization identifies that its legacy payment system has a high likelihood of exploitation due to unpatched vulnerabilities. The system is critical for daily operations. Which risk treatment option should the organization PRIMARILY consider?

A.Implement compensating controls to reduce the risk
B.Accept the risk as a cost of doing business
C.Avoid the risk by decommissioning the system
D.Purchase cyber insurance to transfer the risk
Answer: A

Compensating controls like network segmentation and enhanced monitoring can reduce risk while keeping the system operational.

Why this answer

Option A is correct because mitigation through compensating controls reduces risk while maintaining operations. Option C is wrong because avoidance would mean decommissioning the system, which is not feasible. Option D is wrong because transfer shifts financial risk but not operational risk.

Option B is wrong because acceptance without action is inappropriate for a high risk.

26
MCQ · easy

Which of the following is the primary purpose of communicating risk assessment results to senior management?

A.To comply with regulatory requirements
B.To enable informed decision-making about risk acceptance
C.To assign blame for security failures
D.To justify the security budget
Answer: B

Senior management needs information to make decisions.

Why this answer

The primary purpose is to enable informed decision-making about risk acceptance and resource allocation. Budget justification and compliance are secondary benefits. Assigning blame is not a purpose.

27
MCQ · hard

A multinational organization is evaluating its risk appetite for a new cloud-based customer relationship management (CRM) system. The system will store personal data across multiple jurisdictions with varying data protection laws. The risk committee has set a risk appetite statement that allows only low residual risk. Which of the following controls is MOST critical to ensure compliance with the risk appetite?

A.Implement data classification and strict role-based access controls
B.Conduct continuous monitoring and logging of all system activities
C.Encrypt all data at rest and in transit using strong algorithms
D.Negotiate service-level agreements (SLAs) with cloud provider for uptime
Answer: A

Data classification and RBAC directly control who can access sensitive data, reducing risk to an acceptable level.

Why this answer

Option A is correct because data classification and access controls ensure that only authorized users access data, addressing both legal and operational risks. Option C is wrong because encryption alone does not manage access. Option D is wrong because SLA enforcement focuses on vendor performance, not direct risk reduction.

Option B is wrong because monitoring identifies issues but does not enforce controls.

28
MCQ · easy

A small accounting firm with 50 employees recently suffered a ransomware attack that encrypted all client data on its file server. The firm had no backup strategy, and the attackers demanded a ransom for decryption. The firm paid the ransom, but many clients left due to loss of trust. The firm’s owner has now hired you as a part-time risk manager. Your first task is to develop a risk management program. What is the most appropriate initial step?

A.Purchase a comprehensive cyber insurance policy
B.Fire the IT staff responsible for the security failures
C.Conduct a risk assessment to identify assets, threats, and vulnerabilities
D.Immediately implement a backup and disaster recovery solution
Answer: C

Correct; risk assessment is the first step to understand the risk landscape.

Why this answer

Option C is correct because conducting a risk assessment is the foundational step in any risk management program. It identifies assets, threats, vulnerabilities, and controls. Without a risk assessment, other actions like purchasing insurance or implementing backups may be misdirected or incomplete.

Option A is premature; insurance should be informed by the risk assessment. Option B is not a constructive action. Option D is reactive and may not address all risks.

29
Matching · medium

Match each risk management term to its definition.


Risk level before controls are applied

Risk remaining after controls are implemented

Amount of risk the organization is willing to accept

Acceptable variation around the risk appetite

Process of modifying risk by applying controls

Why these pairings

Key risk management concepts from CISM.

30
MCQ · medium

An organization has implemented a new web application that processes sensitive customer data. The risk assessment identified a high likelihood of SQL injection attacks due to insufficient input validation. Which of the following is the BEST risk treatment strategy?

A.Transfer the risk by purchasing cyber insurance
B.Avoid the risk by discontinuing the web application
C.Remediate the risk by implementing parameterized queries and input validation
D.Accept the risk because the likelihood is low after compensating controls
Answer: C

This directly addresses the vulnerability and reduces the risk to an acceptable level.

Why this answer

Option C is correct because parameterized queries (prepared statements) and input validation directly address the root cause of SQL injection by separating SQL logic from user-supplied data. This is a remediation (mitigation) strategy that reduces the likelihood of exploitation to an acceptable level, which aligns with the high-risk scenario described.

Exam trap

The trap here is that candidates often confuse risk transfer (insurance) with risk mitigation, or they incorrectly assume that accepting risk is a default option when the scenario clearly indicates a high-likelihood, high-impact vulnerability that can be directly fixed with a standard coding practice.

How to eliminate wrong answers

Option A is wrong because purchasing cyber insurance transfers the financial impact of a breach, not the technical risk itself; the SQL injection vulnerability remains exploitable, and insurance does not prevent data loss or regulatory penalties. Option B is wrong because avoiding the risk by discontinuing the web application would eliminate business functionality and is disproportionate when a proven technical control (parameterized queries) exists to mitigate the vulnerability. Option D is wrong because accepting the risk is only appropriate when residual risk is low after compensating controls, but the scenario states the likelihood is high and no compensating controls have been implemented; accepting without remediation would leave the organization exposed to a high-probability attack.
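To make the distinction in question 30 concrete, here is an added example (not code from the question bank or from any project it references) in Python with SQLite: the same customer lookup written once with string concatenation and once with a bound parameter plus allow-list input validation. The customers table, its rows, the crafted input string and the function names are all constructed for this demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for the web application's database
# (assumption: a table named customers; the card_hint values are made up).
SAMPLE_ROWS = [
    ("alice@example.com", "Alice", "4111-****-****-1111"),
    ("bob@example.com", "Bob", "5500-****-****-0004"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, card_hint TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable pattern: user input is spliced into the SQL text, so the
    database parses whatever the user typed as part of the query logic."""
    sql = f"SELECT email, name FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


# Allow-list shape for an e-mail address; anything else is rejected up front.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(email: str) -> bool:
    """Input validation: accept only strings shaped like an e-mail address."""
    return EMAIL_RE.fullmatch(email) is not None


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Hardened pattern: the value is bound as a parameter, so the engine
    treats it purely as data and never as SQL syntax."""
    sql = "SELECT email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Defence in depth: validate first, then use the parameterized query."""
    if not validate_email(email):
        raise ValueError("rejected input: not a valid e-mail address")
    return lookup_parameterized(conn, email)


def demo() -> dict:
    """Run the same crafted input through each variant and summarise the outcome."""
    conn = build_sample_db()
    crafted = "x' OR '1'='1"          # constructed input that alters the WHERE clause
    return {
        "unsafe_rows": len(lookup_unsafe(conn, crafted)),            # every row leaks
        "parameterized_rows": len(lookup_parameterized(conn, crafted)),  # no match
        "validation_rejects": not validate_email(crafted),
        "legit_rows": len(lookup_safe(conn, "alice@example.com")),
    }


if __name__ == "__main__":
    print(demo())
```

Parameter binding alone already closes the injection path (the crafted string matches no row); the validation layer is the extra control that also keeps malformed values out of logs and downstream systems.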

31
MCQ · easy

Which of the following best describes residual risk?

A.Risk before any controls are applied
B.Risk that remains after implementing controls
C.The likelihood that a control will fail
D.The level of risk an organization is willing to accept
AnswerB

Residual risk is the remaining risk after mitigation.

Why this answer

Option B is correct because residual risk is what remains after controls. Option A is wrong because it describes inherent risk. Option D is wrong because it describes risk appetite.

Option C is wrong because it describes control effectiveness.

32
MCQhard

In a risk assessment, a CISM calculates the annualized loss expectancy (ALE) for a specific threat. The single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE, and which risk response is most cost-effective if a control costs $12,000 per year and reduces ARO to 0.05?

A.Accept the risk because the control is not cost-justified.
B.Accept the risk because ALE after control is only $2,500.
C.Implement the control because it reduces ALE to $2,500.
D.Implement the control because ALE is $10,000, and control cost is only $12,000.
AnswerA

The cost of control is greater than the risk reduction benefit, so acceptance is appropriate.

Why this answer

The ALE is calculated as SLE × ARO = $50,000 × 0.2 = $10,000. After implementing the control costing $12,000 per year, the residual ALE is $50,000 × 0.05 = $2,500. The annual cost of the control ($12,000) exceeds the reduction in ALE ($10,000 - $2,500 = $7,500), so the control is not cost-justified.

Therefore, accepting the risk is the most cost-effective response.

Exam trap

The trap here is that candidates often compare the control cost to the original ALE ($10,000) or to the residual ALE ($2,500) instead of comparing it to the reduction in ALE ($7,500), leading to incorrect cost-justification conclusions.

How to eliminate wrong answers

Option B is wrong because it states 'accept the risk because ALE after control is only $2,500' — this is a correct observation about the residual ALE but fails to compare the control cost ($12,000) against the reduction in ALE ($7,500), which is the key cost-benefit analysis. Option C is wrong because it says 'implement the control because it reduces ALE to $2,500' — this ignores that the control cost ($12,000) is greater than the reduction in ALE ($7,500), making it not cost-justified. Option D is wrong because it says 'implement the control because ALE is $10,000, and control cost is only $12,000' — this incorrectly implies that a control cost lower than the original ALE justifies implementation, but the correct comparison is between the control cost and the reduction in ALE (not the original ALE).
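The arithmetic behind this question, as an added example that is not part of the question bank: ALE before and after the control, the reduction in ALE, and the cost-benefit test against that reduction rather than against the original or residual ALE. The second scenario (the same control priced at $5,000 per year) is constructed to show the case where it would be justified.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlDecision:
    """Result of a single-threat cost-benefit analysis (all amounts per year)."""
    ale_before: float
    ale_after: float
    ale_reduction: float
    control_cost: float
    net_benefit: float
    cost_justified: bool


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year from one threat, rounded to cents."""
    return round(sle * aro, 2)


def evaluate_control(sle: float, aro_before: float, aro_after: float,
                     control_cost: float) -> ControlDecision:
    """Compare the control's annual cost with the reduction in ALE it buys.
    The correct test is cost < (ALE before - ALE after); comparing the cost
    with the original ALE or with the residual ALE alone is the exam trap."""
    ale_before = annualized_loss_expectancy(sle, aro_before)
    ale_after = annualized_loss_expectancy(sle, aro_after)
    reduction = round(ale_before - ale_after, 2)
    net_benefit = round(reduction - control_cost, 2)
    return ControlDecision(
        ale_before=ale_before,
        ale_after=ale_after,
        ale_reduction=reduction,
        control_cost=control_cost,
        net_benefit=net_benefit,
        cost_justified=net_benefit > 0,
    )


def max_justified_cost(sle: float, aro_before: float, aro_after: float) -> float:
    """Break-even point: the most an organization should pay per year for a
    control that moves ARO from aro_before to aro_after."""
    return round(annualized_loss_expectancy(sle, aro_before)
                 - annualized_loss_expectancy(sle, aro_after), 2)


if __name__ == "__main__":
    # The question's figures: SLE $50,000, ARO 0.2 -> 0.05, control $12,000/yr.
    question = evaluate_control(50_000, 0.2, 0.05, 12_000)
    print(question)              # net_benefit=-4500.0, cost_justified=False -> accept
    # Constructed variant: the same control priced at $5,000/yr would be justified.
    cheaper = evaluate_control(50_000, 0.2, 0.05, 5_000)
    print(cheaper)               # net_benefit=2500.0, cost_justified=True
    print(max_justified_cost(50_000, 0.2, 0.05))  # 7500.0
```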

33
Drag & Dropmedium

Order the steps for conducting an internal audit of an information security management system (ISMS) based on ISO 27001.

Why this order

Audits start with scope definition, planning, execution, documentation, and reporting.

34
MCQhard

During a risk assessment, the risk team identifies that a key vendor has access to sensitive data. The vendor's security posture is unclear. Which of the following is the BEST course of action?

A.Ignore the risk because the vendor is known
B.Terminate the vendor relationship immediately
C.Conduct a third-party risk assessment
D.Request the vendor's latest security certification
AnswerC

A formal assessment evaluates the vendor's security controls.

Why this answer

Option C is correct because conducting a third-party risk assessment provides clarity. Option B is wrong because immediately terminating may be disruptive. Option A is wrong because ignoring is not risk management.

Option D is wrong because asking for certification may not be sufficient.

35
Multi-Selecthard

Which THREE of the following are common challenges when implementing a risk management program in an organization? (Choose three.)

Select 3 answers
A.Lack of senior management support
B.Inability to quantify risks in financial terms
C.Too many controls implemented too quickly
D.Resistance to change from business units
E.Overly detailed risk appetite
AnswersA, B, D

Without top-down support, the program may lack resources and authority.

Why this answer

Options A, B, and D are correct. Option E is incorrect because risk appetite should be defined upfront. Option C is incorrect because controls are typically implemented after risk assessment.

36
MCQeasy

A data breach has occurred exposing customer personal information. The risk manager needs to select a response to reduce the likelihood of similar incidents. Which risk response is most appropriate?

A.Avoid the risk by discontinuing online services
B.Transfer the risk through cyber insurance
C.Accept the risk
D.Mitigate the risk by implementing stronger access controls
AnswerD

Addressing the control weakness reduces the likelihood of similar incidents.

Why this answer

Mitigating the risk by implementing stronger access controls directly addresses the root cause and reduces the likelihood of future breaches. Accepting the risk is inappropriate when a breach has already occurred. Transferring via insurance only covers financial loss but does not reduce likelihood.

Avoiding by discontinuing online services is extreme and not immediately necessary.

37
MCQmedium

A company is choosing a risk assessment methodology for a new cloud-based application. The CISO prefers a method that uses monetary values and numerical probabilities to compute annual loss expectancy. Which methodology should be selected?

A.OCTAVE Allegro methodology
B.NIST SP 800-30 Revision 1 risk assessment process
C.Quantitative risk assessment using SLE, ARO, and ALE
D.Qualitative risk assessment using risk matrices
AnswerC

This uses monetary values and probabilities.

Why this answer

Option C is correct because SLE is the expected monetary loss from a single incident, ARO is the annual rate of occurrence, and ALE = SLE × ARO, which yields a quantitative risk value. Option D is wrong because a qualitative method uses rankings like high/medium/low, not monetary values. Option B is wrong because NIST SP 800-30 is a risk assessment guide, not a specific methodology.

Option A is wrong because OCTAVE is a qualitative methodology.

38
Multi-Selecthard

Which TWO of the following are key components of an information risk management program, as defined by ISACA? (Select exactly two.)

Select 2 answers
A.Business continuity plan
B.Risk appetite and tolerance
C.Data classification scheme
D.Risk assessment methodology
E.Vulnerability scanning process
AnswersB, D

Risk appetite defines the amount of risk the organization is willing to accept, essential for risk management.

Why this answer

Options B and D are correct. Risk appetite and risk assessment are core components. Option C is incorrect: data classification is part of information security governance, not specifically a risk management program component.

Option E is incorrect: vulnerability scanning is a technical control, not a program component. Option A is incorrect: business continuity planning is a related but separate domain.

39
MCQmedium

A company is assessing the risk of a critical system outage. The system has a maximum tolerable downtime (MTD) of 2 hours, but the current recovery time objective (RTO) is 4 hours. What is the most appropriate risk treatment?

A.Mitigate by reducing the RTO to 1 hour through process automation
B.Transfer the risk by purchasing business interruption insurance
C.Accept the risk because the RTO is shorter than the MTD
D.Avoid the risk by replacing the system with a more reliable one
AnswerA

Reducing RTO to below MTD is the correct mitigation.

Why this answer

Since the current RTO exceeds the MTD, the organization is unable to meet its downtime tolerance. Reducing the RTO to 1 hour (below MTD) through process automation is the appropriate mitigation. Accepting the risk is not viable because the MTD is lower.

Transfer via insurance does not address the RTO gap. Replacing the system is more drastic and may not be cost-effective.

40
Multi-Selectmedium

Which TWO of the following are key components of a risk assessment report according to best practices? (Choose two.)

Select 2 answers
A.Vendor security assessment ratings
B.Risk scenarios with likelihood and impact ratings
C.Detailed results of control testing
D.Risk treatment recommendations
E.Complete asset inventory
AnswersB, D

Risk scenarios with assessments are central to a risk assessment report.

Why this answer

Options B and D are correct. A risk assessment report should include risk scenarios and risk treatment recommendations. Option A is wrong because vendor security ratings are not a universal component.

Option E is wrong because an asset inventory is input data, not part of the report. Option C is wrong because control testing results are part of a separate audit report.

41
MCQeasy

A company is implementing a risk management program and needs to identify the most critical assets. Which of the following is the BEST approach to prioritize assets for risk assessment?

A.Use the asset's purchase value to determine priority
B.Assess the business impact of each asset's compromise
C.Perform a vulnerability scan and prioritize based on findings
D.Review historical incident reports for each asset
AnswerB

Assessing business impact directly ties to criticality and is the best method for prioritization.

Why this answer

Option B is correct because asset criticality should be determined based on business impact. Option A is wrong because purchase value may not reflect criticality. Option C is wrong because vulnerability scanning identifies weaknesses, not criticality.

Option D is wrong because historical incidents may not reflect current importance.

42
MCQmedium

A financial institution is implementing a new online banking platform. The risk assessment identified that the authentication module has a high likelihood of exploitation due to weak password policies. The risk owner has decided to implement multi-factor authentication (MFA) to reduce the risk. This is an example of which risk response strategy?

A.Risk avoidance
B.Risk mitigation
C.Risk acceptance
D.Risk transfer
AnswerB

MFA reduces the likelihood or impact of the risk, which is the definition of risk mitigation.

Why this answer

Implementing multi-factor authentication (MFA) reduces the likelihood or impact of a security risk by adding additional authentication factors (e.g., something you know, something you have, something you are) beyond a weak password. This directly aligns with risk mitigation, which seeks to decrease the residual risk to an acceptable level through controls. The decision does not eliminate the risk entirely (avoidance), accept it without action, or transfer it to a third party.

Exam trap

The trap here is that candidates confuse 'risk mitigation' with 'risk avoidance' because both involve implementing controls, but avoidance means eliminating the activity or technology entirely, whereas mitigation reduces but does not eliminate the risk.

How to eliminate wrong answers

Option A is wrong because risk avoidance would mean not implementing the online banking platform or removing the authentication module entirely, which is not the case. Option C is wrong because risk acceptance would involve acknowledging the risk and taking no further action, whereas MFA is an active control. Option D is wrong because risk transfer would involve shifting the financial impact of the risk to another party (e.g., via insurance or outsourcing), not implementing a technical control like MFA.

43
MCQhard

After a data breach, the risk manager discovers that the risk assessment for the affected system had not been updated for two years. The organization's risk management policy requires annual reviews. Which of the following is the MOST significant consequence of this noncompliance?

A.Increased audit findings
B.Regulatory fines for noncompliance
C.Inaccurate risk profile leading to uninformed decisions
D.Higher insurance premiums
AnswerC

An outdated risk assessment misrepresents current risks, impairing decision-making.

Why this answer

Option C is correct because outdated risk assessments lead to inaccurate risk profiles, potentially causing management to be unaware of current risks. Option A is wrong because, while noncompliance may increase audit findings, that is secondary. Option D is wrong because insurance premiums may increase, but that is a consequence, not the most significant one.

Option B is wrong because regulatory fines are possible but not guaranteed.

44
MCQhard

Which host should be prioritized for risk mitigation based on the vulnerability scan results?

A.192.168.10.25
B.192.168.10.35
C.All hosts should be equally prioritized
D.192.168.10.30
AnswerB

Highest count of critical and high vulnerabilities.

Why this answer

Option B is correct because host 192.168.10.35 has the highest number of critical and high vulnerabilities (5+6=11), indicating the highest risk. Option A is wrong because host 192.168.10.25 has only 2 critical and 4 high (total 6). Option D is wrong because host 192.168.10.30 has 0 critical and 1 high (total 1).

Option C is wrong because even though host 192.168.10.35 has many medium vulnerabilities, the critical and high findings are what matter most.

45
MCQhard

A multinational corporation is migrating its on-premises data center to a hybrid cloud environment. The organization processes highly sensitive financial data subject to strict regulatory requirements (e.g., GDPR, SOX). During the risk assessment, the information security manager discovers that the cloud service provider (CSP) stores data in multiple geographic regions, some of which do not meet the organization's data residency requirements. Additionally, the CSP's encryption key management is not fully under the organization's control, and the incident response plan does not include specific procedures for cloud-based breaches. The organization's risk appetite is low, and the board has mandated that all risks must be mitigated to an acceptable level. Which of the following is the BEST course of action?

A.Require the CSP to provide dedicated hardware security modules and restrict data storage to approved regions through contractual terms
B.Accept the risk because the CSP has strong security certifications and the likelihood of a breach is low
C.Cancel the cloud migration and build a new private data center in a compliant location
D.Transfer the risk by purchasing cyber insurance that covers regulatory fines
AnswerA

This directly mitigates the identified risks and aligns with the organization's low risk appetite.

Why this answer

Option A is correct because it directly addresses the root cause (data residency non-compliance and key management) by requiring the CSP to provide dedicated key management and restrict data storage to approved regions. This aligns with the low risk appetite and regulatory requirements. Option B is wrong because accepting the risk contradicts the board's mandate.

Option D is wrong because transferring risk via insurance does not achieve compliance. Option C is wrong because building a new private data center is costly and time-consuming, and not necessarily the best immediate action.

46
MCQmedium

A multinational corporation is assessing the risk of data breaches from third-party vendors. The CISM is tasked with selecting a risk treatment strategy. The organization has a low risk appetite for data breaches. Which strategy should be prioritized?

A.Mitigate the risk by conducting regular vendor audits.
B.Avoid the risk by not engaging vendors that cannot meet security requirements.
C.Transfer the risk by requiring vendors to have cyber insurance.
D.Accept the risk because third-party risks are unavoidable.
AnswerB

Avoidance eliminates the risk entirely, fitting low appetite.

Why this answer

Given the organization's low risk appetite for data breaches, the most appropriate strategy is to avoid the risk entirely by not engaging vendors that cannot meet security requirements. This aligns with the principle that when risk exceeds the acceptable threshold, avoidance is the prioritized treatment. Avoidance eliminates the risk source, whereas other strategies like mitigation or transfer still retain some residual risk that may be unacceptable.

Exam trap

The trap here is that candidates often default to mitigation (audits) as the standard response, failing to recognize that when risk appetite is explicitly low, avoidance is the mandated first-line strategy per ISACA's risk treatment hierarchy.

How to eliminate wrong answers

Option A is wrong because mitigation through regular vendor audits reduces but does not eliminate the risk; residual risk remains, which conflicts with a low risk appetite. Option C is wrong because transferring risk via cyber insurance does not reduce the likelihood or impact of a breach; it only provides financial compensation, leaving the organization exposed to reputational and operational harm. Option D is wrong because acceptance is only appropriate when residual risk falls within the risk appetite; here, the low appetite makes acceptance unacceptable.

47
MCQeasy

A multinational financial services company is implementing a new regulatory requirement that mandates enhanced encryption for all customer data in transit. The organization currently uses TLS 1.2, but the regulation requires TLS 1.3. The risk owner for the data transmission system is the head of network operations, who believes the current controls are sufficient and argues that upgrading will cause significant downtime and cost. The information security manager has assessed the risk as high due to potential regulatory fines and reputational damage. The risk owner refuses to accept the risk and insists on deferring the upgrade. The organization has a risk appetite statement that accepts moderate residual risk only after explicit approval from the CRO. The escalation process involves the risk management committee. What is the BEST course of action for the information security manager?

A.Conduct a detailed cost-benefit analysis to convince the risk owner to upgrade, but do not escalate until the analysis is complete.
B.Accept the risk owner's decision and update the risk register to reflect the deferred treatment with a note of the risk owner's acceptance.
C.Implement a compensating control, such as strong application-layer encryption, to reduce the residual risk to an acceptable level without upgrading TLS.
D.Escalate the issue to the risk management committee for a decision on whether to accept, mitigate, or defer the risk.
AnswerD

This follows the governance process and ensures that the risk is evaluated at the appropriate level with authority to override the risk owner's stance.

Why this answer

Given the risk owner's refusal and the high residual risk exceeding appetite, the security manager should formally escalate to the risk management committee for a final decision, as per the established governance process. This ensures proper oversight and documentation.

48
Multi-Selecthard

Which THREE of the following are valid methods to identify information security risks? (Choose three.)

Select 3 answers
A.Financial audit
B.Business impact analysis (BIA)
C.Threat modeling workshops
D.Vulnerability scanning
E.Penetration testing
AnswersB, C, D

BIA identifies critical processes and potential impact, helping to prioritize risks.

Why this answer

Options B, C, and D are correct. Threat modeling, vulnerability assessments, and business impact analysis are established risk identification methods. Option E is wrong because penetration testing identifies vulnerabilities but is not typically a standalone risk identification method; it is a control test.

Option A is wrong because financial auditing is not a direct risk identification method for information security.

49
MCQhard

A company has a risk appetite that is 'low' for operational risks. A risk assessment recently identified that a high-speed trading platform has a residual risk rating of 'high' after controls are applied. The cost to further reduce the risk is $1 million, which exceeds the expected benefit. What is the most appropriate action for the risk owner?

A.Accept the residual risk with formal sign-off from senior management
B.Adjust the risk appetite to 'moderate' to align with the residual risk
C.Transfer the risk by taking out an insurance policy
D.Approve additional controls to lower residual risk regardless of cost
AnswerA

Since controls are not cost-effective, acceptance is appropriate with proper approval.

Why this answer

Option A is correct because risk acceptance requires explicit approval from senior management when residual risk exceeds appetite. Option B is wrong because risk appetite should not be changed without board approval, and the cost-benefit analysis indicates acceptance is more practical. Option D is wrong because implementing controls that are not cost-effective is not prudent.

Option C is wrong because risk transfer may not be available or cost-effective.

50
MCQhard

A healthcare organization is merging with another entity and must integrate their IT systems. During due diligence, it is discovered that the acquired company has a high number of unpatched critical vulnerabilities in its electronic health record (EHR) system. The merger timeline is aggressive and the integration team wants to proceed as planned. As the risk manager, what is the best course of action?

A.Accept the risk because the vulnerabilities are in the legacy system which will be replaced.
B.Transfer the risk by purchasing cyber insurance for the combined entity.
C.Recommend delaying the integration until vulnerabilities are patched.
D.Proceed with integration but implement compensating controls like network segmentation.
AnswerC

Delay remediates the root cause before exposure increases.

Why this answer

Delaying integration until the critical vulnerabilities are patched is the most prudent action to prevent exploitation during and after integration. Proceeding with compensating controls may not be sufficient given the criticality, and accepting the risk could lead to a major breach. Insurance does not prevent the breach.

51
MCQeasy

Which of the following is the primary purpose of a Key Risk Indicator (KRI)?

A.To provide early warning signals of increasing risk
B.To report on past incidents and losses
C.To measure the effectiveness of security controls
D.To demonstrate compliance with regulations
AnswerA

KRIs indicate potential risk changes.

Why this answer

Option A is correct because KRIs provide early warnings about changes in risk levels. Option C is wrong because measuring control effectiveness describes a Key Performance Indicator (KPI). Option D is wrong because KRIs measure risk, not compliance.

Option B is wrong because KRIs are predictive, not historical.

52
Multi-Selectmedium

A financial institution is implementing a risk-based approach to prioritize its information security initiatives. The risk manager has completed a risk assessment and identified several risks with varying impact and likelihood. Which TWO of the following are the most important benefits of using the risk assessment results to determine the order of security projects?

Select 2 answers
A.Aligns security spending with business objectives
B.Provides a defensible justification for security investments
C.Eliminates the need for qualitative analysis
D.Ensures compliance with all applicable regulations
E.Reduces the total number of security controls needed
AnswersA, B

Correct; risk assessment helps prioritize based on business impact.

Why this answer

Option A is correct because aligning security spending with business objectives ensures that resources are focused on the most critical risks. Option B is correct because risk assessment results provide objective data to justify security investments to stakeholders. Option D is incorrect because compliance is not the primary benefit; a risk assessment may not cover all regulatory requirements.

Option E is incorrect because risk assessment often leads to more controls, not fewer. Option C is incorrect because both quantitative and qualitative analyses have value.

53
MCQhard

You are the CISM for a mid-sized e-commerce company that processes credit card transactions. The company recently experienced a security incident where an attacker exploited a vulnerability in the web application to gain access to the customer database containing payment card information. The incident response team contained the breach, but the root cause analysis revealed that the vulnerability had been identified in a penetration test six months ago but was not remediated due to competing priorities. The company's risk management framework defines risk appetite as 'moderate' for information security risks. The board is concerned and has asked you to recommend improvements to prevent recurrence. The company has a limited budget and cannot implement all possible controls. Current environment: web application developed in-house, hosted on-premises, with a mix of virtual and physical servers. The security team consists of three people responsible for monitoring, incident response, and vulnerability management. The development team follows an agile methodology with bi-weekly sprints. The company has cyber liability insurance that covers breach response costs up to $2 million. Based on this scenario, what is the most effective course of action?

A.Hire two additional security analysts to improve monitoring and incident response.
B.Implement a formal vulnerability management program with defined remediation SLAs based on risk severity.
C.Increase cyber liability insurance coverage to $5 million to cover potential breach costs.
D.Rewrite the web application using a secure development framework to eliminate vulnerabilities.
AnswerB

This directly addresses the failure to remediate known vulnerabilities, ensuring timely fixes.

Why this answer

Option B is correct because a formal vulnerability management program with defined remediation SLAs directly addresses the root cause: the known vulnerability was not patched due to competing priorities. By tying remediation timelines to risk severity (e.g., critical vulnerabilities patched within 7 days, high within 30 days), the company operationalizes its 'moderate' risk appetite and ensures that penetration test findings are acted upon before they can be exploited. This is the most cost-effective approach given the limited budget, as it leverages existing staff and processes rather than requiring new hires or expensive rewrites.

Exam trap

ISACA often tests the misconception that increasing insurance or hiring more staff is the primary solution to a risk management failure, when in fact the core issue is the lack of a process to enforce remediation of known vulnerabilities within the organization's risk appetite.

How to eliminate wrong answers

Option A is wrong because hiring two additional security analysts improves monitoring and incident response but does not fix the underlying issue of unpatched vulnerabilities; the attacker exploited a known vulnerability that should have been remediated, not a detection gap. Option C is wrong because increasing cyber liability insurance to $5 million only transfers financial risk after a breach, it does not prevent recurrence of the vulnerability exploitation and violates the principle of reducing risk to an acceptable level. Option D is wrong because rewriting the web application using a secure development framework is a long-term, high-cost solution that exceeds the limited budget and does not address the immediate need to remediate existing vulnerabilities; it also ignores the fact that the current application is already in production and needs a process for ongoing vulnerability management.

54
MCQhard

During a risk assessment, a security manager discovers that the residual risk after implementing planned controls is still above the risk appetite threshold. What should the manager do NEXT?

A.Implement additional controls immediately
B.Document the risk as accepted
C.Escalate the residual risk to senior management
D.Reassess the risk using a different methodology
AnswerC

Why this answer

When residual risk exceeds the risk appetite threshold after planned controls, the security manager cannot simply accept or ignore it; the risk must be escalated to senior management because they hold the authority to decide whether to accept the risk, allocate additional budget for further controls, or adjust the risk appetite. This aligns with the CISM domain of Information Security Risk Management, where risk acceptance is a management decision, not an operational one.

Exam trap

The trap here is that candidates confuse operational risk acceptance (which a manager can do for low risks) with management-level risk acceptance required when residual risk exceeds the appetite threshold, leading them to incorrectly choose Option B.

Why the other options are wrong

A

While additional controls may be an option, the immediate next step is to escalate and get a decision.

B

Acceptance requires authorization from management, not unilateral action by the security manager.

D

Changing methodology may give different numbers but doesn't address the underlying issue.

55
MCQhard

After implementing controls, the residual risk is calculated to be at a level that slightly exceeds the risk appetite. The business owner argues that the cost of further mitigation outweighs the benefit. What is the most appropriate action for the risk manager?

A.Transfer the risk through insurance
B.Accept the residual risk as a business decision
C.Document the risk and escalate to senior management for acceptance
D.Implement additional controls regardless of cost
AnswerC

Formal escalation ensures informed decision-making and proper risk acceptance.

Why this answer

The risk manager should document the risk and escalate to senior management for formal acceptance. Acceptance requires approval at an appropriate level. Simply accepting without documentation is not proper.

Implementing controls regardless of cost ignores cost-benefit. Transferring via insurance does not address residual risk that already exceeds appetite.

56
Drag & Dropmedium

Order the steps for implementing a security awareness training program.

Why this order

Training programs start with needs assessment, then content development, delivery, evaluation, and continuous improvement.

57
MCQeasy

Which of the following is the most significant risk in this architecture?

A.Segmentation of network zones
B.Admin access via VPN and jump host
C.Use of TLS 1.3 for encryption
D.Direct SQL authentication from application server to database
AnswerD

If the application server is compromised, the database can be accessed directly.

Why this answer

Option D is correct because direct SQL authentication from the application server to the database bypasses the principle of least privilege and can be exploited if the application server is compromised. Option C is wrong because TLS 1.3 is strong encryption. Option A is wrong because separating network zones is good practice.

Option B is wrong because VPN plus jump host is a security measure.

58
MCQmedium

A security manager is conducting a risk assessment for a new cloud-based system. The system will store sensitive customer data. Which of the following should be the FIRST step in the risk assessment process?

A.Select appropriate security controls
B.Conduct vulnerability scanning
C.Identify potential threat sources
D.Identify and classify information assets
AnswerD

Asset identification is foundational to any risk assessment.

Why this answer

Option D is correct because identifying assets and their value is the first step in risk management. Option C is wrong because threats are identified after assets. Option B is wrong because vulnerability assessment comes after asset identification.

Option A is wrong because control selection follows risk assessment.

59
MCQeasy

Which of the following is the PRIMARY purpose of an information security risk assessment?

A.To eliminate all identified risks
B.To identify and evaluate risks in terms of likelihood and impact
C.To comply with regulatory requirements
D.To assign blame for security incidents
AnswerB

Why this answer

The primary purpose of an information security risk assessment is to identify and evaluate risks in terms of their likelihood and impact. This process enables an organization to prioritize risks and determine appropriate risk treatment options, such as mitigation, transfer, acceptance, or avoidance, based on a clear understanding of the risk landscape. Without this evaluation, any subsequent risk management decisions would lack a defensible basis.

Exam trap

The trap here is that candidates often confuse the purpose of a risk assessment with the purpose of risk treatment or compliance, leading them to select 'comply with regulatory requirements' as the primary purpose, when in fact compliance is a secondary benefit, not the core objective.

Why the other options are wrong

A

Eliminating all risks is impractical and not the primary purpose; risk assessment informs risk treatment decisions.

C

Compliance may be a driver but is not the primary purpose; the core is informed decision-making.

D

Risk assessment is proactive, not punitive.

60
Multi-Selecteasy

Which TWO of the following are examples of key risk indicators (KRIs) for cybersecurity risk?

Select 2 answers
A.Time to patch critical vulnerabilities
B.Number of successful phishing simulations
C.Number of vendors with SOC 2 reports
D.Number of unresolved security incidents
E.Percentage of employees completing security training
AnswersA, D

Patch latency is a key indicator of vulnerability risk.

Why this answer

KRIs measure risk level. Number of unresolved incidents and time to patch critical vulnerabilities are leading indicators of risk. Training completion and phishing simulation success are more like performance indicators.

Vendor SOC2 reports are control indicators.

61
Multi-Selectmedium

An information security manager is implementing a risk management program. Which TWO of the following activities should be performed as part of the risk assessment process?

Select 2 answers
A.Determining acceptable risk levels
B.Analyzing threats and vulnerabilities
C.Monitoring incident response plans
D.Evaluating the effectiveness of existing controls
E.Selecting controls to mitigate risks
AnswersB, D

This is a core activity in risk identification and analysis.

Why this answer

Risk assessment includes the identification and analysis of threats, vulnerabilities, and existing controls. Options B and D are directly part of risk assessment; the others belong to subsequent phases.

62
MCQmedium

An organization selects a control to mitigate a risk, but after implementation, the risk level remains unchanged. What should the risk manager do first?

A.Increase the control strength
B.Re-assess the risk and control effectiveness
C.Report to senior management
D.Accept the risk as residual
AnswerB

Reassessment is necessary to understand the gap.

Why this answer

The first step is to reassess the risk and control effectiveness to determine why the control did not reduce risk. Only then can decisions be made about increasing controls, accepting, or reporting.

63
MCQeasy

A risk assessment identifies that the organization's email system has a high likelihood of phishing attacks. The current controls include spam filtering and user awareness training. What should the organization do NEXT to manage this risk effectively?

A.Accept the risk as it is already controlled
B.Evaluate the residual risk and decide on additional controls
C.Transfer the risk to a cyber insurance provider
D.Conduct another round of user awareness training
AnswerB

The organization should assess whether current controls reduce risk to an acceptable level and implement further measures if needed.

Why this answer

Option B is correct because after evaluating existing controls, the next step is to determine whether additional controls are needed to reduce residual risk. Option A is wrong because ignoring residual risk is not acceptable. Option C is wrong because immediate transfer may not be optimal.

Option D is wrong because training alone is not a complete solution.

64
Drag & Dropmedium

Order the steps for implementing a data classification policy in an organization.


Why this order

Data classification starts with defining categories, then procedures, training, labeling, and monitoring.

65
MCQeasy

An organization is determining the risk treatment for a critical business process that has a high inherent risk. Which of the following is the MOST effective risk treatment strategy when the cost to mitigate exceeds the potential loss?

A.Risk avoidance
B.Risk reduction
C.Risk acceptance
D.Risk transfer
AnswerC

Accepting the risk is justified when mitigation costs outweigh potential loss.

Why this answer

Option C is correct because risk acceptance is appropriate when the cost of mitigation exceeds the potential loss. Option A is wrong because risk avoidance would mean discontinuing the process, which may not be feasible. Option D is wrong because risk transfer (e.g., insurance) might still be costly.

Option B is wrong because risk reduction would require controls that are not cost-effective.

66
MCQmedium

An information security manager has identified a risk with a high likelihood and high impact. The cost of mitigating the risk exceeds the potential loss. What is the MOST appropriate risk treatment strategy?

A.Risk mitigation
B.Risk acceptance
C.Risk transfer
D.Risk avoidance
AnswerB

Why this answer

When mitigation cost exceeds potential loss, risk acceptance is appropriate if the risk is within the organization's risk appetite. Alternatively, risk transfer (e.g., insurance) could be considered, but acceptance is often the primary choice when the cost-benefit is negative.

Exam trap

Candidates may choose 'mitigate' without considering cost-benefit analysis; CISM emphasizes aligning treatment with business value.

Why the other options are wrong

A

Mitigation cost exceeds potential loss, making it inefficient.

C

Transfer (e.g., insurance) may still be expensive; acceptance is more direct when the cost of transfer is also high.

D

Avoidance would mean discontinuing the activity, which may not be feasible or cost-effective.

67
MCQmedium

During a risk assessment, a company discovers that its data backup process is incomplete: backups are performed daily but stored onsite without encryption. The risk owner proposes to accept this risk due to low likelihood of a physical breach. Which of the following is the BEST reason to challenge this acceptance?

A.The impact of losing both primary and backup data is unacceptably high
B.The risk owner does not have authority to accept risks
C.Encryption is not required as the facility is secure
D.The cost of implementing encrypted offsite backups is minimal
AnswerA

A single event (fire, theft) could destroy both data and backup, leading to catastrophic business impact.

Why this answer

Option A is correct because a complete loss of both primary and backup data from a single event (e.g., fire) could be catastrophic, making the risk unacceptable. Option D is wrong because cost alone does not justify acceptance if the impact is high. Option B is wrong because the risk owner's authority does not override the risk committee.

Option C is wrong because encryption is a mitigation, not a reason to challenge acceptance.

68
MCQeasy

A risk manager is presenting risk treatment options to senior management. Which of the following is the BEST approach to communicate risk in a way that supports informed decision-making?

A.Focus only on high and extreme risks
B.Use technical language to accurately describe vulnerabilities
C.Translate risk into potential financial impact
D.Present risk in qualitative terms only
AnswerC

Financial impact is a common language for business decisions.

Why this answer

Option C is correct because presenting risk in financial terms aligns with business language. Option A is wrong because focusing only on high risks ignores the others. Option B is wrong because technical details may overwhelm a management audience.

Option D is wrong because qualitative terms lack the precision needed for cost-benefit analysis.

69
Multi-Selecteasy

Which TWO of the following are valid risk response options?

Select 2 answers
A.Risk amplification
B.Risk neutralization
C.Risk mitigation
D.Risk acceptance
E.Risk retention
AnswersC, D

Implementing controls to reduce risk.

Why this answer

Options C and D are correct because risk mitigation (reduce) and risk acceptance are standard responses. Options A and B are wrong because risk amplification and risk neutralization are not standard terms. Option E is wrong because, although some frameworks use retention as a synonym for acceptance, the term is less common and is not a standard response category in COBIT/ISO 31000; the question expects 'mitigation' and 'acceptance' as the clearly correct options.

70
MCQeasy

A company is evaluating its risk management process. The CISM notices that risks are being assessed based on qualitative scales (low, medium, high) but decisions require quantitative data. What is the most effective action to improve the process?

A.Switch to a fully quantitative risk assessment methodology.
B.Use a hybrid approach that includes both qualitative and quantitative assessments.
C.Replace qualitative scales with precise monetary values.
D.Continue using qualitative method since it is simpler.
AnswerB

Provides comprehensive risk information for decision-making.

Why this answer

A hybrid approach (Option B) is most effective because it leverages qualitative scales for initial, rapid risk identification and prioritization, while quantitative data (e.g., ALE, SLE, ARO) provides the monetary rigor needed for cost-benefit analysis and management decisions. This aligns with ISACA's guidance that risk assessment should be tailored to the decision context, not purely one method.

Exam trap

The trap here is that candidates assume 'quantitative' is always superior, ignoring the practical need for a hybrid approach that balances qualitative speed with quantitative rigor for decision-making.

How to eliminate wrong answers

Option A is wrong because a fully quantitative methodology requires extensive historical data, precise probability estimates, and can be resource-prohibitive; it may also create a false sense of precision when data is uncertain. Option C is wrong because replacing qualitative scales with precise monetary values without a structured quantitative model (e.g., Monte Carlo simulation) ignores the inherent uncertainty in risk estimation and can lead to misleadingly exact figures. Option D is wrong because continuing with only qualitative methods fails to provide the objective monetary data required for decisions like insurance coverage or budget allocation, violating the CISM principle of aligning risk management with business needs.

71
MCQmedium

A financial institution is implementing a risk management program and needs to select a methodology that balances quantitative and qualitative factors, complies with regulatory requirements, and provides a consistent framework for risk assessment across business units. Which methodology would best meet these requirements?

A.FAIR
B.OCTAVE
C.ISO 27005
D.NIST SP 800-30
AnswerC

ISO 27005 provides a comprehensive risk management framework that supports both qualitative and quantitative approaches and is widely accepted for regulatory compliance.

Why this answer

ISO 27005 is an international standard for information security risk management that supports both qualitative and quantitative approaches, aligns with various regulations, and provides a consistent framework. OCTAVE is primarily qualitative and not a regulatory standard. FAIR is quantitative but not a comprehensive standard.

NIST SP 800-30 is qualitative and specific to US federal agencies.

72
MCQhard

A security manager is preparing a risk report for the board of directors. Which of the following should be included to best support strategic risk-based decisions?

A.Operational metrics such as number of firewalls and intrusion detection alerts
B.List of all past security incidents and their root causes
C.Detailed vulnerability scan results and patch levels
D.Summary of top risks, risk appetite alignment, and treatment status
AnswerD

Board requires strategic overview.

Why this answer

Option D is correct because the board needs a high-level view of top risks and their status relative to appetite. Option C is wrong because technical details are not appropriate at board level. Option B is wrong because past incidents are historical, not forward-looking.

Option A is wrong because daily operational metrics are too granular.

73
MCQeasy

During a risk assessment, a CISM identifies that the organization's data backup process has a single point of failure. The backup server is located in the same data center as the primary server. Which risk response is most appropriate?

A.Mitigate by moving the backup server to a geographically separate location.
B.Transfer the risk by purchasing business interruption insurance.
C.Avoid the risk by discontinuing the backup process.
D.Accept the risk because the cost of mitigation is high.
AnswerA

This reduces the likelihood of both servers being lost simultaneously.

Why this answer

Moving the backup server to a geographically separate location directly eliminates the single point of failure by ensuring that a localized disaster (e.g., fire, flood, power outage) at the primary data center does not simultaneously destroy both the primary and backup data. This is a classic risk mitigation strategy that reduces the likelihood and impact of data loss, aligning with the principle of geographic redundancy for disaster recovery.

Exam trap

The trap here is that candidates may confuse risk transfer (insurance) with risk mitigation (redundancy), or incorrectly assume that accepting the risk is acceptable when a clear, cost-effective mitigation exists, especially in a CISM scenario where the organization's risk appetite is not explicitly stated as high.

How to eliminate wrong answers

Option B is wrong because purchasing business interruption insurance transfers the financial risk of downtime but does not address the technical single point of failure; the backup data remains vulnerable to the same physical disaster as the primary server. Option C is wrong because discontinuing the backup process would avoid the risk of backup failure but introduces an unacceptable risk of permanent data loss, violating fundamental data protection and business continuity requirements. Option D is wrong because accepting the risk without justification is inappropriate when a cost-effective mitigation (moving the backup server) is available; the cost of mitigation is not inherently high, and the risk of total data loss typically outweighs the expense of geographic separation.

74
Multi-Selectmedium

Which of the following are key components of an information security risk management program? (Select TWO)

Select 2 answers
A.Risk assessment
B.Vulnerability scanning
C.Risk treatment
D.Incident response
AnswersA, C

Why this answer

Risk assessment is a core component of an information security risk management program because it systematically identifies, analyzes, and evaluates risks to information assets. It provides the foundational understanding of threats, vulnerabilities, and impacts necessary for informed decision-making. Without a formal risk assessment, the program lacks the data needed to prioritize and justify security investments.

Exam trap

ISACA often tests the distinction between program-level components (risk assessment, risk treatment) and operational activities (vulnerability scanning, incident response) to see if candidates understand that the risk management program is a strategic, governance framework, not a list of technical tasks.

Why the other options are wrong

B

Vulnerability scanning is a tool used within risk assessment, not a component of the program itself.

D

Incident response is a separate process, not a component of risk management.

75
MCQeasy

A company engages a third-party vendor to process customer data. Which of the following is the most critical step in managing the associated risk?

A.Requiring the vendor to sign a non-disclosure agreement
B.Conducting a due diligence assessment before contracting
C.Performing a vulnerability scan of the vendor's network
D.Including a clause that transfers liability to the vendor
AnswerB

Pre-contract due diligence is the most critical to identify and mitigate risks early.

Why this answer

Conducting due diligence before contracting is essential to identify risks and ensure the vendor meets security requirements. Vulnerability scans are part of due diligence but not the most critical step. NDA and liability clauses are important but secondary to initial assessment.
