Scenario-based practice

Refer to the Exhibit Practice Questions

Certified Information Security Manager (CISM) practice questions in exhibit style: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: CISM | Vendor: ISACA

Scenario guide

How to approach refer-to-the-exhibit practice questions

Exhibit-style questions test whether you can read a topology, table, command output or diagram before choosing the best answer. Treat the exhibit as evidence: read it first, then choose the option it supports rather than the option that sounds right in general. For the exhibits on this page that means reading an ACL top to bottom with first-match semantics and noting the interface and direction it is applied on, comparing a risk score against the appetite threshold the exhibit states, and checking the direction and regularity of a connection before calling it suspicious.

This guide covers:

- How to extract the relevant detail from an exhibit.
- How topology, command output or routing information affects the answer.
- How to avoid answering from memory before reading the evidence.
- How to map the exhibit back to the exam objective.

Related CISM topic practice pages

Scenario questions usually connect to one or more exam topics. Review the underlying concepts behind each scenario on the related topic pages before working through the set.

Practice scenarios


Question 1 (medium, multiple choice)

Based on the SIEM alert exhibit, which immediate action should the incident responder take?

Exhibit:

```
[Alert] Correlation Rule: Multiple Failed Logins
Source IP: 10.0.0.55
Destination IP: 192.168.1.10
Event Count: 150 failed logins to admin account 'jsmith' within 5 minutes
Action: Triggered
```

Question 2 (easy, multiple choice)

Based on the exhibit, what is the MOST appropriate next step for the information security manager?

Exhibit:

```
Risk Assessment Log
Date: 2025-03-01
Asset: Database Server DB-01
Threat: Unauthorized access
Vulnerability: Weak password policy
Current Controls: Password complexity enabled, account lockout after 5 failed attempts
Likelihood: 3 (Moderate)
Impact: 4 (Major)
Risk Level: 12 (High)
Risk Appetite Threshold: 10
```

Question 3 (easy, multiple choice)

Refer to the exhibit. The security analyst observes these alerts. What is the MOST likely sequence of events?

Exhibit:

```
Incident Log:
[2025-03-20 08:15:23] ALERT: Multiple failed logins for user 'jsmith' from IP 10.0.0.45
[2025-03-20 08:16:01] ALERT: Successful login for user 'jsmith' from IP 10.0.0.45
[2025-03-20 08:20:45] ALERT: Unusual outbound connection from host 10.0.0.45 to 198.51.100.10:4444
[2025-03-20 08:22:30] ALERT: Large data transfer from host 10.0.0.45 to 198.51.100.10
```
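The alert chain in the Question 3 exhibit (a failed-login burst, then a success for the same account from the same address, then outbound activity from that host) is the pattern a SIEM correlation rule such as the one in Question 1 should stitch together. The Python below is an added example, not code from this page or from any SIEM product: it parses alert lines in the exhibit's format and reports the chain. The log text is constructed: the first four lines are copied from the exhibit, the two 'mlee' lines are added as a control case, and the windows (10 minutes from the failures to the success, 30 minutes from the success to egress) are illustrative thresholds.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log. The first four lines are copied from the Question 3
# exhibit; the two 'mlee' lines are added as a control case (failures, then a
# success, but no egress afterwards).
INCIDENT_LOG = """\
[2025-03-20 08:15:23] ALERT: Multiple failed logins for user 'jsmith' from IP 10.0.0.45
[2025-03-20 08:16:01] ALERT: Successful login for user 'jsmith' from IP 10.0.0.45
[2025-03-20 08:20:45] ALERT: Unusual outbound connection from host 10.0.0.45 to 198.51.100.10:4444
[2025-03-20 08:22:30] ALERT: Large data transfer from host 10.0.0.45 to 198.51.100.10
[2025-03-20 09:02:11] ALERT: Multiple failed logins for user 'mlee' from IP 10.0.0.77
[2025-03-20 09:03:40] ALERT: Successful login for user 'mlee' from IP 10.0.0.77
"""

LINE_RE = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] ALERT: (?P<msg>.*)$")
PATTERNS = {  # one regex per alert type used by the exhibit format
    "failed":   re.compile(r"Multiple failed logins for user '(?P<user>[^']+)' from IP (?P<ip>\S+)"),
    "success":  re.compile(r"Successful login for user '(?P<user>[^']+)' from IP (?P<ip>\S+)"),
    "outbound": re.compile(r"Unusual outbound connection from host (?P<ip>\S+) to (?P<dst>\S+)"),
    "transfer": re.compile(r"Large data transfer from host (?P<ip>\S+) to (?P<dst>\S+)"),
}

def parse_alerts(text):
    """Return (timestamp, kind, fields) tuples; lines matching no pattern are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        for kind, pat in PATTERNS.items():
            f = pat.search(m.group("msg"))
            if f:
                events.append((ts, kind, f.groupdict()))
                break
    return events

def find_compromise_chains(text, login_window=timedelta(minutes=10),
                           egress_window=timedelta(minutes=30)):
    """Correlate: failed-login burst -> success for the same user from the same IP
    within login_window -> outbound activity from that host within egress_window.
    A chain with egress is rated critical; a success with no egress is medium."""
    events = parse_alerts(text)
    chains = []
    for ts_f, kind, f in events:
        if kind != "failed":
            continue
        success = next((e for e in events
                        if e[1] == "success" and e[2]["user"] == f["user"]
                        and e[2]["ip"] == f["ip"] and ts_f < e[0] <= ts_f + login_window), None)
        if success is None:
            continue
        ts_s = success[0]
        egress = [(e[0], e[1], e[2]["dst"]) for e in events
                  if e[1] in ("outbound", "transfer") and e[2]["ip"] == f["ip"]
                  and ts_s < e[0] <= ts_s + egress_window]
        chains.append({"user": f["user"], "host": f["ip"], "login_at": ts_s,
                       "egress": egress, "severity": "critical" if egress else "medium"})
    return chains

if __name__ == "__main__":
    for c in find_compromise_chains(INCIDENT_LOG):
        print(c["severity"], c["user"], c["host"], [dst for _, _, dst in c["egress"]])
```

The rule keys on both user and source IP, so a later success for the same account from a different address is not conflated with the brute-force source; in a production rule you would also suppress known scanners and require the egress destination to be outside your own ranges.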

Question 4 (hard, multiple choice)

Refer to the exhibit. A security analyst reviews the firewall configuration and identifies a potential risk. What is the most likely risk?

Exhibit:

```
Cisco ASA firewall config snippet
access-list INSIDE extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list INSIDE extended permit udp 10.0.0.0 255.255.255.0 any eq 53
access-list OUTSIDE extended deny ip any any
```

Question 5 (hard, multiple choice)

Refer to the exhibit. An analyst observes the network traffic between three internal hosts and a web server. Which of the following is the MOST likely interpretation of this traffic?

Exhibit:

```
[SYN] 12:01:00.001 192.168.1.10:12345 -> 10.0.0.1:80
[SYN-ACK] 12:01:00.002 10.0.0.1:80 -> 192.168.1.10:12345
[ACK] 12:01:00.003 192.168.1.10:12345 -> 10.0.0.1:80
[GET /index.html] 12:01:00.004 192.168.1.10:12345 -> 10.0.0.1:80
[SYN] 12:01:00.005 192.168.1.11:23456 -> 10.0.0.1:80
[SYN-ACK] 12:01:00.006 10.0.0.1:80 -> 192.168.1.11:23456
[ACK] 12:01:00.007 192.168.1.11:23456 -> 10.0.0.1:80
[GET /login.php] 12:01:00.008 192.168.1.11:23456 -> 10.0.0.1:80
[SYN] 12:01:00.009 192.168.1.12:34567 -> 10.0.0.1:80
[SYN-ACK] 12:01:00.010 10.0.0.1:80 -> 192.168.1.12:34567
[ACK] 12:01:00.011 192.168.1.12:34567 -> 10.0.0.1:80
[GET /admin.php] 12:01:00.012 192.168.1.12:34567 -> 10.0.0.1:80
```

Question 6 (medium, multiple choice)

Based on the exhibit, which of the following is the MOST likely attack vector?

Exhibit:

```
[2025-03-10 14:32:15] CRITICAL: File integrity violation on /etc/passwd
[2025-03-10 14:32:15] File: /etc/passwd, Expected hash: a1b2c3d4e5f6, Actual hash: 9z8y7x6w5v4u
[2025-03-10 14:32:16] ALERT: Unauthorized SSH key added to /home/admin/.ssh/authorized_keys
[2025-03-10 14:32:18] ALERT: New user 'backup_agent' created with UID 0
```

Question 7 (hard, multiple choice)

Refer to the exhibit. A security analyst reviews the ACL on the organization's border router. Based on the exhibit, which of the following is the MOST significant governance concern?

Exhibit:

```
Access Control List (ACL) on border router:

access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
```

Question 8 (medium, multiple choice)

Refer to the exhibit. A system administrator reviews the log and notices repeated failed SSH attempts from the same IP address. What is the most appropriate risk response?

Exhibit:

```
Log Entry:
Jan 15 09:23:45 server1 sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
Jan 15 09:23:47 server1 sshd[1235]: Failed password for admin from 10.0.0.5 port 22 ssh2
Jan 15 09:23:50 server1 sshd[1236]: Failed password for root from 10.0.0.5 port 22 ssh2
Jan 15 09:23:52 server1 sshd[1237]: Failed password for admin from 10.0.0.5 port 22 ssh2
```

Question 9 (hard, multiple choice)

Based on the exhibit, what is the MOST likely issue?

Exhibit:

```
Firewall Log:
Date        Time      Source IP   Destination IP  Port  Protocol  Action
2023-10-05  10:00:00  10.0.0.15   203.0.113.5     443   TCP       ALLOW
2023-10-05  10:01:00  10.0.0.15   203.0.113.5     443   TCP       ALLOW
2023-10-05  10:02:00  10.0.0.15   203.0.113.5     443   TCP       ALLOW
... (repeated every minute)
2023-10-05  12:00:00  10.0.0.15   203.0.113.5     443   TCP       ALLOW

IDS Alert:
Signature: ET TROJAN Win32/Malicious Beacon
Source IP: 10.0.0.15
Destination IP: 203.0.113.5
Time: 2023-10-05 10:00:00
Severity: High
```
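The Question 9 exhibit elides the rows between 10:02 and 12:00 with "repeated every minute"; that regularity is the signal, and it is visible in the firewall log on its own, before the IDS signature is considered. The Python below is an added example, not code from this page or from any IDS: it rebuilds the minute-by-minute flow as constructed data, adds an irregular browsing flow to a hypothetical second destination (198.51.100.30) as a control, groups allowed connections by source, destination and port, and scores how regular the gaps between connections are. The jitter threshold of 0.1 and the 20-connection minimum are assumptions for illustration; real beacons add jitter and sleep, so tune both against your own baseline.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed control data: irregular gaps (seconds) for a browsing-like flow.
IRREGULAR_GAPS_S = [5, 240, 17, 600, 43, 12, 300, 95, 8, 420]

def make_sample_log():
    """Constructed sample. The 10.0.0.15 -> 203.0.113.5:443 flow repeats every
    minute from 10:00 to 12:00, as the Question 9 exhibit states; the second flow
    (hypothetical host 10.0.0.22 to 198.51.100.30) is added as an irregular control."""
    lines = []
    t = datetime(2023, 10, 5, 10, 0, 0)
    for i in range(121):  # 10:00:00 .. 12:00:00 inclusive
        lines.append(f"{t + timedelta(minutes=i):%Y-%m-%d %H:%M:%S} 10.0.0.15 203.0.113.5 443 TCP ALLOW")
    t2 = datetime(2023, 10, 5, 10, 3, 0)
    for gap in IRREGULAR_GAPS_S * 4:  # 40 connections with uneven spacing
        t2 += timedelta(seconds=gap)
        lines.append(f"{t2:%Y-%m-%d %H:%M:%S} 10.0.0.22 198.51.100.30 443 TCP ALLOW")
    return "\n".join(lines)

def parse_firewall_log(text):
    """Group ALLOW rows by (src, dst, port) -> list of timestamps.
    Row format is the exhibit's: date time src dst port protocol action."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[6] != "ALLOW":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        flows[(parts[2], parts[3], int(parts[4]))].append(ts)
    return flows

def beacon_candidates(text, min_connections=20, max_jitter=0.1):
    """Score each flow with enough connections by the coefficient of variation
    (stdev / mean) of the gaps between consecutive connections. A near-zero value
    means a fixed period, which is what a beacon without jitter looks like."""
    results = []
    for key, times in parse_firewall_log(text).items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        results.append({"flow": key, "count": len(times), "period_s": round(mean, 1),
                        "jitter": round(cv, 3), "beacon": cv <= max_jitter})
    return sorted(results, key=lambda r: r["jitter"])

if __name__ == "__main__":
    for r in beacon_candidates(make_sample_log()):
        print(r)
```

Period alone is not proof: a monitoring agent or an NTP-style check-in is also regular. Pair the score with destination reputation (the exhibit's IDS hit), the process that owns the socket, and whether the destination is reached by one host or by the whole fleet.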

Question 10 (hard, multiple choice)

Given the exhibit output from a web server, which connection is MOST suspicious and likely indicates a command-and-control (C2) channel?

Exhibit:

```
# netstat -an | grep :443
tcp4  0      0  *.443                 *.*                    LISTEN
tcp4  0      0  192.168.1.100.443     10.0.0.1.54321        ESTABLISHED
tcp4  0      0  192.168.1.100.443     10.0.0.2.54322        ESTABLISHED
tcp4  0      0  192.168.1.100.443     203.0.113.5.44333     ESTABLISHED
```

Question 11 (medium, multiple choice)

Refer to the exhibit. During a ransomware incident, the response team discovers that the backup server is also encrypted. Which phase of the playbook is MOST impacted?

Exhibit:

```
Incident Response Playbook: Ransomware
Phase 1: Identification - Confirm ransomware via user reports and endpoint alerts.
Phase 2: Containment - Disconnect affected systems from the network. Do not power off.
Phase 3: Eradication - Remove malware using approved tools; reimage if necessary.
Phase 4: Recovery - Restore data from clean backups; verify integrity.
Phase 5: Post-Incident - Conduct lessons learned.
```

Question 12 (medium, multiple choice)

Based on the exhibit, what is the MOST likely scenario?

Exhibit:

```
Event Log Entry:
Time: 2023-10-05 14:23:17
Event ID: 4625
Source: Security
User: SYSTEM
Logon Type: 3
Account Name: jdoe
Account Domain: CORP
Failure Reason: Unknown user name or bad password.
Workstation Name: WS-001
IP Address: 192.168.1.50

Event Log Entry:
Time: 2023-10-05 14:24:05
Event ID: 4624
Source: Security
User: SYSTEM
Logon Type: 3
Account Name: jdoe
Account Domain: CORP
Workstation Name: WS-001
IP Address: 192.168.1.50

Event Log Entry:
Time: 2023-10-05 14:25:10
Event ID: 4648
Source: Security
User: jdoe
Logon Type: 2
Account Name: jdoe
Account Domain: CORP
Target Server: FILE-SRV-01
Additional Info: A logon was attempted using explicit credentials.
Workstation Name: WS-001
IP Address: 192.168.1.50
```

Question 13 (medium, multiple choice)

An employee emails a spreadsheet containing employee salaries to all staff by mistake. According to the exhibit, what is the minimum handling requirement that was violated?

Exhibit:

```
{
  "dataClassification": {
    "public": {
      "description": "Information that can be disclosed to anyone",
      "handling": "No special protection required"
    },
    "internal": {
      "description": "Information for internal use only",
      "handling": "Must be stored on internal systems, encrypted in transit"
    },
    "confidential": {
      "description": "Sensitive information with legal or contractual obligations",
      "handling": "Must be encrypted at rest and in transit, access on a need-to-know basis"
    },
    "highlyConfidential": {
      "description": "Information that could cause severe reputational damage if disclosed",
      "handling": "All 'confidential' protections plus multifactor authentication, data loss prevention, and quarterly access reviews"
    }
  }
}
```

Question 14 (medium, multiple choice)

Based on the exhibit, which risk should be addressed first if the organization has limited resources?

Exhibit:

Risk Register Extract:

Question 15 (easy, multiple choice)

Based on the exhibit, which of the following is true about traffic from the internet to the internal network 10.0.0.0/8?

Exhibit:

```
access-list 100 deny ip any 10.0.0.0 0.255.255.255
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80
access-list 100 deny ip any any
```
The ACL is applied inbound on the external interface of the border router.
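The ACLs in Questions 7 and 15 are Cisco numbered extended ACLs, which are evaluated top to bottom, first match wins, with an implicit deny after the last line. The Python below is an added example (not code from this page and not Cisco tooling) that parses both exhibits, evaluates constructed sample packets against them, and lists any rule an earlier line shadows. It handles only the syntax the exhibits use: any, host A.B.C.D, address plus wildcard mask, and an optional destination eq port. Run against the Question 15 list it shows that line 2 can never match, because line 1 already denies every packet destined for 10.0.0.0/8; run against the Question 7 list it confirms that packets with private, loopback or 0.0.0.0/8 source addresses are dropped and everything else is permitted.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copies of the two exhibits. ACL_Q15 is applied inbound on the
# external interface per the page; ACL_Q7 is the border-router list.
ACL_Q15 = """\
access-list 100 deny ip any 10.0.0.0 0.255.255.255
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80
access-list 100 deny ip any any
"""
ACL_Q7 = """\
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
"""
MASK32 = 0xFFFFFFFF

@dataclass
class AddrMatch:
    addr: int   # address bits that must match
    wild: int   # Cisco wildcard: 1 bits are "don't care"

    def matches(self, ip: str) -> bool:
        fixed = ~self.wild & MASK32
        return (int(ipaddress.IPv4Address(ip)) & fixed) == (self.addr & fixed)

    def covers(self, other: "AddrMatch") -> bool:
        """True if every address `other` can match is also matched by self:
        self fixes no bit that other leaves free, and the fixed bits agree."""
        fixed = ~self.wild & MASK32
        return (fixed & other.wild) == 0 and (other.addr & fixed) == (self.addr & fixed)

@dataclass
class Rule:
    line: int
    action: str
    proto: str
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int]

def _addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return AddrMatch(0, MASK32)
    if t == "host":
        return AddrMatch(int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return AddrMatch(int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_acl(text):
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"access-list\s+\d+\s+(permit|deny)\s+(ip|tcp|udp)\s+(.*)$", line.strip())
        if not m:
            continue
        action, proto, rest = m.groups()
        tokens = rest.split()
        src, dst = _addr(tokens), _addr(tokens)
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None  # destination port only
        rules.append(Rule(n, action, proto, src, dst, dport))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dport=None):
    """Return (action, matching line); first match wins, implicit deny at the end."""
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.src.matches(src_ip) and r.dst.matches(dst_ip):
            return r.action, r.line
    return "deny", None

def shadowed_rules(rules):
    """(line, shadowed_by) pairs: rules that can never match because an earlier
    rule already matches every packet they would."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if e.proto in ("ip", r.proto) and e.dport in (None, r.dport) \
                    and e.src.covers(r.src) and e.dst.covers(r.dst):
                out.append((r.line, e.line))
                break
    return out

if __name__ == "__main__":
    q15 = parse_acl(ACL_Q15)
    print(evaluate(q15, "tcp", "192.168.1.7", "10.0.0.5", 80), shadowed_rules(q15))
    q7 = parse_acl(ACL_Q7)
    print(evaluate(q7, "tcp", "10.1.1.1", "203.0.113.9", 443), evaluate(q7, "udp", "198.51.100.7", "203.0.113.9", 53))
```

The shadow check is conservative: it only reports a rule when a single earlier rule covers it entirely, so a rule hidden by the union of several earlier lines is not flagged. For a production review, compare the ACL's hit counters as well; a permit line with zero hits after weeks of traffic is the same signal seen from the device.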

These CISM practice questions are part of Courseiva's free ISACA certification practice question bank. Courseiva provides original exam-style CISM questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.