
Scenario-based practice

Hard Difficulty Questions

Practise Certified Information Security Manager CISM practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: CISM | Vendor: ISACA

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition. They cover:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice scenarios

Question 1 (hard, multiple choice)

A healthcare organization is developing an information security strategy. The board has mandated that the strategy must support innovation while protecting patient data. Which governance approach BEST balances these priorities?

Question 2 (hard, multiple choice)

A financial services firm has a mature information security program but is struggling to demonstrate the value of security investments to the board. Which metric would BEST communicate the effectiveness of the security program in business terms?

Question 3 (hard, multiple choice)

You are the CISO of a mid-sized e-commerce company with 500 employees. The company recently suffered a data breach where an attacker exfiltrated customer credit card data from the production database. The investigation revealed that the breach originated from a compromised developer workstation. The developer had been granted direct access to the production database for troubleshooting purposes, a practice that had been in place for years. The security governance framework currently lacks a formal process for managing privileged access. The board has asked for immediate improvements to prevent recurrence. Which course of action BEST addresses the governance gap?

Question 4 (hard, multiple choice)

A company is considering outsourcing its security operations center (SOC). Which governance consideration is MOST critical before finalizing the decision?

Question 5 (hard, multiple choice)

During an incident investigation, the security team discovers that an attacker exfiltrated sensitive customer data via encrypted DNS tunneling over a period of three months. The data loss was only noticed after a routine audit. Which of the following weaknesses MOST likely allowed the attacker to remain undetected for so long?

Question 6 (hard, multiple choice)

An organization uses a SIEM to correlate security events. The SIEM generates an alert for a possible brute-force attack against an admin account. The incident response team reviews the alert and finds that the account is a service account with a known password. What should the team do NEXT?

Question 7 (hard, multiple choice)

After a security incident, the incident response team identifies that the root cause was a phishing email that bypassed the email filter. The email contained a malicious macro that executed PowerShell commands. Which control would be MOST effective in preventing similar incidents in the future?

Question 8 (hard, multi-select)

An organization is designing its information security program and needs to ensure it supports business continuity. Which TWO of the following should be integrated into the program?

Question 9 (hard, multi-select)

A security manager is evaluating the effectiveness of the security program. Which of the following would be valid indicators of a mature program? (Select two.)

Question 10 (hard, multiple choice)

An organization's security team detects an unusual spike in outbound traffic from a database server to an external IP address during a routine security scan. The database server contains sensitive customer data. Which of the following is the MOST appropriate initial response?

Question 11 (hard, multiple choice)

Refer to the exhibit. A security analyst reviews the firewall configuration and identifies a potential risk. What is the most likely risk?

Exhibit (Cisco ASA firewall configuration snippet):
```
access-list INSIDE extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list INSIDE extended permit udp 10.0.0.0 255.255.255.0 any eq 53
access-list OUTSIDE extended deny ip any any
```

Question 12 (hard, multiple choice)

In a risk assessment, a CISM calculates the annualized loss expectancy (ALE) for a specific threat. The single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE, and which risk response is most cost-effective if a control costs $12,000 per year and reduces ARO to 0.05?

Question 13 (hard, multiple choice)

Refer to the exhibit. An analyst observes the network traffic between three internal hosts and a web server. Which of the following is the MOST likely interpretation of this traffic?

Exhibit (captured traffic summary):

```
[SYN] 12:01:00.001 192.168.1.10:12345 -> 10.0.0.1:80
[SYN-ACK] 12:01:00.002 10.0.0.1:80 -> 192.168.1.10:12345
[ACK] 12:01:00.003 192.168.1.10:12345 -> 10.0.0.1:80
[GET /index.html] 12:01:00.004 192.168.1.10:12345 -> 10.0.0.1:80
[SYN] 12:01:00.005 192.168.1.11:23456 -> 10.0.0.1:80
[SYN-ACK] 12:01:00.006 10.0.0.1:80 -> 192.168.1.11:23456
[ACK] 12:01:00.007 192.168.1.11:23456 -> 10.0.0.1:80
[GET /login.php] 12:01:00.008 192.168.1.11:23456 -> 10.0.0.1:80
[SYN] 12:01:00.009 192.168.1.12:34567 -> 10.0.0.1:80
[SYN-ACK] 12:01:00.010 10.0.0.1:80 -> 192.168.1.12:34567
[ACK] 12:01:00.011 192.168.1.12:34567 -> 10.0.0.1:80
[GET /admin.php] 12:01:00.012 192.168.1.12:34567 -> 10.0.0.1:80
```

Question 14 (hard, multiple choice)

Refer to the exhibit. A security analyst reviews the ACL on the organization's border router. Based on the exhibit, which of the following is the MOST significant governance concern?

Exhibit (access control list on the border router):

```
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
```

Question 15 (hard, multiple choice)

During a risk assessment, an organization identifies a critical vulnerability in a legacy system that cannot be patched. The system's availability is crucial for business operations. Which of the following risk treatment strategies is MOST appropriate?

Question 16 (hard, multiple choice)

A multinational corporation is designing its information security program and must decide how to balance security with business agility. The company operates in highly regulated industries with varying legal requirements. Which of the following approaches BEST aligns with industry best practices for such an environment?

Question 17 (hard, multi-select)

Which TWO of the following are key responsibilities of an information security governance committee?

Question 18 (hard, multiple choice)

A multinational corporation is designing its information security governance framework. The board has requested a single metric that best indicates the effectiveness of the security program. Which metric would BEST satisfy this request?

Question 19 (hard, multiple choice)

During an audit, it was found that the organization's information security policy is not being followed by business units. Which of the following is the MOST effective way for the information security manager to improve compliance?

Question 20 (hard, multiple choice)

After a major security incident, the incident response team completes the containment, eradication, and recovery phases. The CISO is now planning the post-incident activities. Which activity is MOST critical to ensure that lessons learned are effectively incorporated?

These CISM practice questions are part of Courseiva's free ISACA certification practice question bank. Courseiva provides original exam-style CISM questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.