CISM · topic practice

Incident Management practice questions

Use this page to practise Incident Management questions for this certification. Focus on how the exam tests incident management in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Incident Management

What the exam tests

What to know about Incident Management

Incident Management questions on this certification test your ability to deploy and manage incident management concepts in scenario-based situations.

Core Incident Management concepts and how they apply in real-world cloud scenarios.

How to deploy incident management correctly and verify the outcome.

Troubleshooting incident management issues by interpreting error output and system state.

Cloud best practices and Incident Management design trade-offs tested by this certification.

Watch out for

Common Incident Management exam traps

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

Practice set

Incident Management questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A multinational corporation has just detected a ransomware attack that encrypted critical files on a file server. The incident response team has been activated. Which of the following should be the FIRST action taken by the team?

Question 2 · hard · multiple choice

During an incident investigation, the security team discovers that an attacker exfiltrated sensitive customer data via encrypted DNS tunneling over a period of three months. The data loss was only noticed after a routine audit. Which of the following weaknesses MOST likely allowed the attacker to remain undetected for so long?

An organization's incident response plan includes a step to 'contain the incident.' Which of the following actions is an example of containment?

During a simulated phishing exercise, several employees clicked a link and entered their credentials on a fake login page. The security team needs to determine the impact. Which of the following should be the NEXT step?

An organization is developing an incident response plan. The CISO wants to ensure that the plan aligns with industry best practices. Which framework should the CISO use as a primary reference?

After a security incident, the incident response team prepares a report detailing the root cause, impact, and lessons learned. Who is the PRIMARY audience for this report?

During an incident, the response team collects volatile data from a compromised server. Which of the following should be collected FIRST to minimize loss of evidence?

An organization uses a SIEM to correlate security events. The SIEM generates an alert for a possible brute-force attack against an admin account. The incident response team reviews the alert and finds that the account is a service account with a known password. What should the team do NEXT?

Which of the following is the PRIMARY purpose of an incident response plan?

A security analyst detects unusual outbound network traffic from a database server to an unknown IP address. The traffic uses encrypted connections on port 443. Which type of attack is MOST likely occurring?

During an incident investigation, the team discovers that an attacker used a valid user's credentials to access a sensitive database. The user's account had multi-factor authentication (MFA) enabled. How is this MOST likely possible?

Which TWO of the following are key indicators of a potential insider threat incident? (Select exactly 2)

Which THREE of the following are essential components of an incident response plan? (Select exactly 3)

Which TWO of the following are best practices for preserving digital evidence during an incident? (Select exactly 2)

Which THREE of the following are common challenges in incident response? (Select exactly 3)

Based on the SIEM alert exhibit, which immediate action should the incident responder take?

Exhibit

Refer to the exhibit.

```
[Alert] Correlation Rule: Multiple Failed Logins
Source IP: 10.0.0.55
Destination IP: 192.168.1.10
Event Count: 150 failed logins to admin account 'jsmith' within 5 minutes
Action: Triggered
```

Given the exhibit output from a web server, which connection is MOST suspicious and likely indicates a command-and-control (C2) channel?

Exhibit

Refer to the exhibit.

```
# netstat -an | grep :443
tcp4  0      0  *.443                 *.*                    LISTEN
tcp4  0      0  192.168.1.100.443     10.0.0.1.54321        ESTABLISHED
tcp4  0      0  192.168.1.100.443     10.0.0.2.54322        ESTABLISHED
tcp4  0      0  192.168.1.100.443     203.0.113.5.44333     ESTABLISHED
```

Based on the incident response policy exhibit, which phase should include notifying external stakeholders such as law enforcement?

Exhibit

Refer to the exhibit.

```
Policy: IncidentResponse
- Phase: Detection
  - Action: Alert security team
- Phase: Analysis
  - Action: Determine scope and impact
- Phase: Containment
  - Action: Isolate affected systems
- Phase: Eradication
  - Action: Remove malware
- Phase: Recovery
  - Action: Restore from backup
- Phase: Post-Incident
  - Action: Conduct lessons learned
```

You are the incident response manager for a financial services company. The company has a hybrid infrastructure with on-premises servers and cloud services. At 2:00 AM, the SIEM generates a critical alert: a database server in the DMZ is communicating with a known malicious IP address on port 443. The server contains customer PII. The on-call security analyst reports that the server is running and the connection is active. The incident response plan states that any confirmed compromise of PII must be reported to the regulator within 72 hours. You have the following options:

  • A) Immediately isolate the server by disconnecting it from the network, then begin forensic analysis.
  • B) Leave the server connected to gather more intelligence about the attacker's actions, but block only the malicious IP at the firewall.
  • C) Shut down the server to preserve evidence and prevent data exfiltration.
  • D) Copy the server's disk over the network for forensic analysis before taking any action.

Which option is the BEST course of action?

You are a security analyst for a mid-sized e-commerce company. The company uses a cloud-based email service. Several employees report receiving phishing emails that appear to come from the CEO, asking them to purchase gift cards. The emails have a spoofed sender address but pass SPF and DKIM checks because the attacker compromised a legitimate email account. The CEO's account has been locked, but the attacker may have set up forwarding rules. You need to ensure the attacker cannot use the account further. You have the following options:

  • A) Change the CEO's password and enable MFA, then remove any forwarding rules.
  • B) Delete the CEO's email account and create a new one.
  • C) Block all emails from the CEO's email address at the gateway.
  • D) Restore the CEO's mailbox from a backup taken before the compromise.

Which option is the BEST course of action?


Focused Incident Management sessions

Start an Incident Management-only practice session

Every question in these sessions is drawn from the Incident Management domain — nothing else.


Frequently asked questions

What does the CISM exam test about Incident Management?
Incident Management questions on this certification test your ability to deploy and manage incident management concepts in scenario-based situations.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Incident Management questions in a focused session?
Yes — the session launcher on this page draws every question from the Incident Management domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CISM topics?
Use the topic links above to move to related areas, or go back to the CISM question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISM exam covers. They are not copied from any real exam or dump site.