Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

CISM Exam Dumps - Isaca Certification Questions and Answers

Question # 304

Which of the following BEST indicates the effectiveness of the vendor risk management process?

Options:

A.

Increase in the percentage of vendors certified to a globally recognized security standard

B.

Increase in the percentage of vendors with a completed due diligence review

C.

Increase in the percentage of vendors conducting mandatory security training

D.

Increase in the percentage of vendors that have reported security breaches

Buy Now
Question # 305

Of the following, whose input is of GREATEST importance in the development of an information security strategy?

Options:

A.

Process owners

B.

End users

C.

Security architects.

D.

Corporate auditors

Buy Now
Question # 306

Which of the following is MOST important to emphasize when presenting information to gain senior management support for control enhancements?

Options:

A.

Residual risk exposure

B.

Threats against internal systems

C.

Control gaps within defense-in-depth architecture

D.

Recent data breaches in the same industry sector

Buy Now
Question # 307

Which of the following elements of a service contract would BEST enable an organization to monitor the information security risk associated with a cloud service provider?

Options:

A.

Indemnification clause

B.

Breach detection and notification

C.

Compliance status reporting

D.

Physical access to service provider premises

Buy Now
Question # 308

When developing security processes for handling credit card data on the business unit ' s information system, the information security manager should FIRST:

Options:

A.

ensure alignment with industry encryption standards.

B.

ensure that systems that handle credit card data are segmented.

C.

review industry best practices for handling secure payments.

D.

review corporate policies regarding credit card information.

Buy Now
Question # 309

When integrating security risk management into an organization it is MOST important to ensure:

Options:

A.

business units approve the risk management methodology.

B.

the risk treatment process is defined.

C.

information security policies are documented and understood.

D.

the risk management methodology follows an established framework.

Buy Now
Question # 310

Which of the following security initiatives should be the FIRST step in helping an organization maintain compliance with privacy regulations?

Options:

A.

Developing security awareness training

B.

Implementing security information and event management (SIEM)

C.

Implementing a data classification framework

D.

Installing a data loss prevention (DLP) solution

Buy Now
Question # 311

Which of the following provides the MOST comprehensive understanding of an organization ' s information security posture?

Options:

A.

Security maturity assessment results

B.

Threat analysis of the organization ' s environment

C.

Results of vulnerability assessments

D.

External penetration test findings

Buy Now
Question # 312

Which of the following is an information security manager ' s MOST important course of action when responding to a major security incident that could disrupt the business?

Options:

A.

Follow the escalation process.

B.

Identify the indicators of compromise.

C.

Notify law enforcement.

D.

Contact forensic investigators.

Buy Now
Question # 313

Which of the following is the MOST important issue in a penetration test?

Options:

A.

Having an independent group perform the test

B.

Obtaining permission from audit

C.

Performing the test without the benefit of any insider knowledge

D.

Having a defined goal as well as success and failure criteria

Buy Now
Question # 314

Which of the following is the BEST way to evaluate the effectiveness of physical and environmental security controls implemented for fire-related disasters?

Options:

A.

Conduct evacuation exercises

B.

Review the disaster recovery plan (DRP)

C.

Conduct awareness sessions

D.

Review emergency management team procedures

Buy Now
Question # 315

A new application has entered the production environment with deficient technical security controls. Which of the following is MOST Likely the root cause?

Options:

A.

Inadequate incident response controls

B.

Lack of legal review

C.

Inadequate change control

D.

Lack of quality control

Buy Now
Question # 316

Which of the following would BEST justify spending for a compensating control?

Options:

A.

Root cause analysis

B.

Vulnerability assessment

C.

Emerging risk trends

D.

Risk analysis

Buy Now
Question # 317

Which of the following should be done FIRST to determine the impact of a new regulatory requirement for cloud services?

Options:

A.

Perform a risk assessment

B.

Review the information asset inventory

C.

Determine the applicability

D.

Conduct a gap analysis

Buy Now
Question # 318

In a call center, the BEST reason to conduct a social engineering is to:

Options:

A.

Identify candidates for additional security training.

B.

minimize the likelihood of successful attacks.

C.

gain funding for information security initiatives.

D.

improve password policy.

Buy Now
Question # 319

Which of the following is PRIMARILY determined by asset classification?

Options:

A.

Insurance coverage required for assets

B.

Level of protection required for assets

C.

Priority for asset replacement

D.

Replacement cost of assets

Buy Now
Question # 320

Which of the following BEST supports effective and timely incident response?

Options:

A.

Involving internal and external stakeholders

B.

Having a documented incident response plan in place

C.

Appointing a forensic incident response specialist

D.

Maintaining a SIEM solution

Buy Now
Question # 321

An information security manager learns that a risk owner has approved exceptions to replace key controls with weaker compensating controls to improve process efficiency. Which of the following should be the GREATEST concern?

Options:

A.

Risk levels may be elevated beyond acceptable limits.

B.

Security audits may report more high-risk findings.

C.

The compensating controls may not be cost efficient.

D.

Noncompliance with industry best practices may result.

Buy Now
Question # 322

An information security manager determines there are a significant number of exceptions to a newly released industry-required security standard. Which of the following should be done NEXT?

Options:

A.

Document risk acceptances.

B.

Revise the organization ' s security policy.

C.

Assess the consequences of noncompliance.

D.

Conduct an information security audit.

Buy Now
Question # 323

Which of the following is the BEST indication ofa successful information security culture?

Options:

A.

Penetration testing is done regularly and findings remediated.

B.

End users know how to identify and report incidents.

C.

Individuals are given roles based on job functions.

D.

The budget allocated for information security is sufficient.

Buy Now
Exam Code: CISM
Exam Name: Certified Information Security Manager
Last Update: Jul 6, 2026
Questions: 1135
CISM pdf

CISM PDF

$59.7  $199
CISM Engine

CISM Testing Engine

$67.5  $225
CISM PDF + Engine

CISM PDF + Testing Engine

$74.7  $249