Information Security Risk Management practice questions

Practise Certified Information Security Manager CISM Information Security Risk Management practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Information Security Risk Management

What the exam tests

What to know about Information Security Risk Management

Information Security Risk Management questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Information Security Risk Management exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Information Security Risk Management questions

20 questions · select your answer, then reveal the explanation

A financial institution is implementing a new online banking platform. The risk assessment identified that the authentication module has a high likelihood of exploitation due to weak password policies. The risk owner has decided to implement multi-factor authentication (MFA) to reduce the risk. This is an example of which risk response strategy?

An organization has a risk appetite that allows for a maximum residual risk level of 'medium' for all operational risks. A new project introduces a risk with inherent risk level 'high' and control effectiveness rated as 'partially effective'. The risk owner proposes to accept the risk. As the CISM, what is the best course of action?

During a risk assessment, a CISM identifies that the organization's data backup process has a single point of failure. The backup server is located in the same data center as the primary server. Which risk response is most appropriate?

Question 4 · medium · multiple choice

A multinational corporation is assessing the risk of data breaches from third-party vendors. The CISM is tasked with selecting a risk treatment strategy. The organization has a low risk appetite for data breaches. Which strategy should be prioritized?

In a risk assessment, a CISM calculates the annualized loss expectancy (ALE) for a specific threat. The single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE, and which risk response is most cost-effective if a control costs $12,000 per year and reduces ARO to 0.05?

A company is evaluating its risk management process. The CISM notices that risks are being assessed based on qualitative scales (low, medium, high) but decisions require quantitative data. What is the most effective action to improve the process?

Which TWO of the following are key components of an information risk management program, as defined by ISACA? (Select exactly two.)

Which THREE of the following are valid risk treatment options according to ISO 31000? (Select exactly three.)

Refer to the exhibit. A security analyst reviews the firewall configuration and identifies a potential risk. What is the most likely risk?

Exhibit:
```
CISCO ASA Firewall Config Snippet
access-list INSIDE extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list INSIDE extended permit udp 10.0.0.0 255.255.255.0 any eq 53
access-list OUTSIDE extended deny ip any any
```

Refer to the exhibit. A system administrator reviews the log and notices repeated failed SSH attempts from the same IP address. What is the most appropriate risk response?

Exhibit:
```
Log Entry:
Jan 15 09:23:45 server1 sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
Jan 15 09:23:47 server1 sshd[1235]: Failed password for admin from 10.0.0.5 port 22 ssh2
Jan 15 09:23:50 server1 sshd[1236]: Failed password for root from 10.0.0.5 port 22 ssh2
Jan 15 09:23:52 server1 sshd[1237]: Failed password for admin from 10.0.0.5 port 22 ssh2
```

You are the CISM for a mid-sized e-commerce company that processes credit card transactions. The company recently experienced a security incident where an attacker exploited a vulnerability in the web application to gain access to the customer database containing payment card information. The incident response team contained the breach, but the root cause analysis revealed that the vulnerability had been identified in a penetration test six months ago but was not remediated due to competing priorities. The company's risk management framework defines risk appetite as 'moderate' for information security risks. The board is concerned and has asked you to recommend improvements to prevent recurrence. The company has a limited budget and cannot implement all possible controls. Current environment: web application developed in-house, hosted on-premises, with a mix of virtual and physical servers. The security team consists of three people responsible for monitoring, incident response, and vulnerability management. The development team follows an agile methodology with bi-weekly sprints. The company has cyber liability insurance that covers breach response costs up to $2 million. Based on this scenario, what is the most effective course of action?

An organization has implemented a new web application that processes sensitive customer data. The risk assessment identified a high likelihood of SQL injection attacks due to insufficient input validation. Which of the following is the BEST risk treatment strategy?

An organization is conducting a risk assessment for a new cloud-based HR system. Which THREE of the following are key considerations when evaluating the inherent risk?

Based on the exhibit, what is the MOST appropriate next step for the information security manager?

Exhibit:

```
Risk Assessment Log
Date: 2025-03-01
Asset: Database Server DB-01
Threat: Unauthorized access
Vulnerability: Weak password policy
Current Controls: Password complexity enabled, account lockout after 5 failed attempts
Likelihood: 3 (Moderate)
Impact: 4 (Major)
Risk Level: 12 (High)
Risk Appetite Threshold: 10
```

Question 15 · hard · multiple choice

A multinational corporation is migrating its on-premises data center to a hybrid cloud environment. The organization processes highly sensitive financial data subject to strict regulatory requirements (e.g., GDPR, SOX). During the risk assessment, the information security manager discovers that the cloud service provider (CSP) stores data in multiple geographic regions, some of which do not meet the organization's data residency requirements. Additionally, the CSP's encryption key management is not fully under the organization's control, and the incident response plan does not include specific procedures for cloud-based breaches. The organization's risk appetite is low, and the board has mandated that all risks must be mitigated to an acceptable level. Which of the following is the BEST course of action?

Which of the following is the PRIMARY reason for an information security manager to integrate risk management into the organization's enterprise risk management (ERM) framework?

Question 17 · hard · multiple choice

During a risk assessment, an organization identifies a critical vulnerability in a legacy system that cannot be patched. The system's availability is crucial for business operations. Which of the following risk treatment strategies is MOST appropriate?

Which of the following are key components of an Information Security Risk Management program? (Select TWO.)

An organization has a high residual risk after implementing all feasible controls. According to CISM best practices, which of the following should the information security manager do? (Select TWO.)

Match each risk assessment activity with the correct phase of the risk management lifecycle:

Activities:
  1. Identify assets and threats
  2. Determine risk level
  3. Select controls to reduce risk
  4. Monitor risk over time

Phases:
  A. Risk Assessment
  B. Risk Treatment
  C. Risk Monitoring
  D. Risk Communication (not used)

Frequently asked questions

What does the CISM exam test about Information Security Risk Management?
Information Security Risk Management questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Information Security Risk Management questions in a focused session?
Yes — the session launcher on this page draws every question from the Information Security Risk Management domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CISM topics?
Use the topic links above to move to related areas, or go back to the CISM question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISM exam covers. They are not copied from any real exam or dump site.