CISM · topic practice

Incident Management practice questions

Practise Certified Information Security Manager CISM Incident Management practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Incident Management

What the exam tests

What to know about Incident Management

Incident Management questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Incident Management exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Incident Management questions

20 questions · select your answer, then reveal the explanation

An organization's incident response (IR) policy should be approved by which of the following to ensure authority and accountability?

During a P1 (critical) incident, the incident response manager has been providing hourly situation reports (sitreps) to executives. What is the primary reason for involving legal counsel in these communications?

An organization has experienced a ransomware incident that has encrypted critical servers. The incident response team is unable to restore operations within the maximum tolerable downtime (MTD). Which action should be taken next?

Which incident severity level requires executive notification and a 24/7 response?

Following a data breach, an organization conducts a root cause analysis using the 5 Whys technique. The analysis identifies that a misconfigured firewall allowed unauthorized access. What is the most important next step to prevent recurrence?

Question 6mediummultiple choice
Read the full Ansible explanation →

An organization's incident response plan includes playbooks for different incident types. Which playbook should be used for an incident involving unauthorized access to a user's account due to phishing?

Which of the following is typically a member of the crisis management team (CMT) during a major cybersecurity incident?

As part of post-incident activities, an organization schedules a lessons learned meeting. When should this meeting ideally take place?

During a data breach investigation, legal counsel instructs the forensics team to preserve evidence under attorney-client privilege. Which of the following actions is most critical to maintain that privilege?

Question 10mediummultiple choice
Read the full Ansible explanation →

An organization is updating its incident response playbook after a ransomware attack. Which of the following should be included as a key step in the ransomware playbook?

Which of the following is the primary purpose of having a pre-established forensic retainer agreement?

After a supply chain attack, the incident response team identifies that a third-party vendor's compromised credentials were used to access the organization's network. Which incident category should this be classified under?

Which TWO of the following are essential components of an incident response programme?

Which THREE of the following should be included in an incident communication template?

Which TWO of the following are appropriate actions for preserving evidence during a cybersecurity incident?

During a major security incident classified as P1, which of the following is the MOST appropriate communication frequency to the executive team?

An organization's incident response team has contained a ransomware incident. What is the NEXT step according to the incident management program?

An organization has just experienced a data breach involving personal data of EU residents. Under GDPR, what is the maximum time frame for notifying the supervisory authority?

Which of the following is the PRIMARY purpose of an incident response plan?

During a DDoS attack classified as P2, what is the EXPECTED response time and notification level?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Incident Management sessions

Start a Incident Management only practice session

Every question in these sessions is drawn from the Incident Management domain — nothing else.

Related practice questions

Related CISM topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CISM exam test about Incident Management?
Incident Management questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Incident Management questions in a focused session?
Yes — the session launcher on this page draws every question from the Incident Management domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CISM topics?
Use the topic links above to move to related areas, or go back to the CISM question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISM exam covers. They are not copied from any real exam or dump site.