
New (2026) Download free CISM PDF for ISACA Practice Tests
100% Free CISM Files For passing the exam Quickly
ISACA Information Security Manager Exam Syllabus Topics:
| Topic | Details | Weights |
|---|---|---|
| Information Security Governance | -Establish and/or maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives. Task Statements
Knowledge Statements
| 24% |
| Information Security Incident Management | -Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact. Task Statements
Knowledge Statements
| 19% |
| Information Risk Management | -Manage information risk to an acceptable level based on risk appetite in order to meet organizational goals and objectives. Task Statements
Knowledge Statements
| 30% |
| Information Security Program Development and Management | -Develop and maintain an information security program that identifies, manages and protects the organization’s assets while aligning to information security strategy and business goals, thereby supporting an effective security posture. Task Statements
Knowledge Statements
| 27% |
NEW QUESTION # 46
The MOST appropriate owner of customer data stored in a central database, used only by an organization's sales department, would be the:
- A. head of the sales department.
- B. sales department.
- C. database administrator.
- D. chief information officer (CIO).
Answer: A
Explanation:
Explanation
The owner of the information asset should be the person with the decision-making power in the department deriving the most benefit from the asset. In this case, it would be the head of the sales department. The organizational unit cannot be the owner of the asset because that removes personal responsibility. The database administrator is a custodian. The chief information officer (CIO) would not be an owner of this database because the CIO is less likely to be knowledgeable about the specific needs of sales operations and security concerns.
NEW QUESTION # 47
A border router should be placed on which of the following?
- A. IDS server
- B. Web server
- C. Domain boundary
- D. Screened subnet
Answer: C
Explanation:
Explanation
A border router should be placed on a (security) domain boundary. Placing it on a web server or screened subnet, which is a demilitarized zone (DMZ) would not provide any protection. Border routers are positioned on the boundary of the network, but do not reside on a server.
NEW QUESTION # 48
Which of the following should be updated FIRST to account for new regulatory requirements that impact current information security controls?
- A. Control matrix
- B. Business impact analysis (BIA)
- C. Information security policy
- D. Risk register
Answer: C
NEW QUESTION # 49
What should be the FIRST step when investigating an employee suspected of inappropriately downloading proprietary information?
- A. Check for a signed nondisclosure agreement (NDA).
- B. Review system access logs.
- C. Discuss the concern with the employee.
- D. Conduct a forensic examination of the device.
Answer: B
NEW QUESTION # 50
An information security manager is implementing a bring your own device (BYOD) program. Which of the following would BEST ensure that users adhere to the security standards?
- A. Monitor user activities on the network.
- B. Publish the standards on the intranet landing page.
- C. Deploy a device management solution.
- D. Establish an acceptable use policy.
Answer: D
NEW QUESTION # 51
Which of the following roles would represent a conflict of interest for an information security manager?
- A. Assessment of the adequacy of disaster recovery plans
- B. Evaluation of third parties requesting connectivity
- C. Monitoring adherence to physical security controls
- D. Final approval of information security policies
Answer: D
Explanation:
Explanation/Reference:
Explanation:
Since management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval. Evaluation of third parties requesting access, assessment of disaster recovery plans and monitoring of compliance with physical security controls are acceptable practices and do not present any conflicts of interest.
NEW QUESTION # 52
The BEST approach in managing a security incident involving a successful penetration should be to:
- A. permit the incident to continue to trace the source.
- B. allow business processes to continue during the response.
- C. allow the security team to assess the attack profile.
- D. examine the incident response process for deficiencies.
Answer: B
Explanation:
Explanation
Since information security objectives should always be linked to the objectives of the business, it is imperative that business processes be allowed to continue whenever possible. Only when there is no alternative should these processes be interrupted. Although it is important to allow the security team to assess the characteristics of an attack, this is subordinate to the needs of the business. Permitting an incident to continue may expose the organization to additional damage. Evaluating the incident management process for deficiencies is valuable but it, too. is subordinate to allowing business processes to continue.
NEW QUESTION # 53
Which of the following analyses will BEST identify the external influences to an organization's information security?
- A. Gap analysis
- B. Business impact analysis (BIA)
- C. Vulnerability analysis
- D. Threat analysis
Answer: D
Explanation:
A threat analysis will best identify the external influences to an organization's information security because it involves identifying and evaluating the sources and likelihood of potential adverse events that could affect the organization's assets, operations, or reputation. External influences include factors such as emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, and threat landscape1. A threat analysis can help the organization to align its information security strategy with its business objectives and risk appetite, and to prioritize and mitigate the most relevant and impactful threats. A business impact analysis (BIA) is a process of assessing the potential consequences of a disruption to the organization's critical business functions or processes. A BIA does not directly identify the external influences to the organization's information security, but rather the impact of those influences on the organization's continuity and recovery. A gap analysis is a process of comparing the current state of the organization's information security with a desired or expected state, based on best practices, standards, or frameworks. A gap analysis does not directly identify the external influences to the organization's information security, but rather the areas of improvement or compliance. A vulnerability analysis is a process of identifying and evaluating the weaknesses or flaws in the organization's information systems or processes that could be exploited by threats. A vulnerability analysis does not directly identify the external influences to the organization's information security, but rather the exposure or susceptibility of the organization to those influences. Reference = CISM Review Manual, 15th Edition, pages 22-232; CISM Exam Content Outline, Domain 1, Knowledge Statement 1.113 Threat analysis is a process that is used to identify and assess the external influences or threats that could potentially affect an organization's information security. It is used to identify potential risks and develop strategies to mitigate or reduce those risks. Threat analysis involves analyzing the environment, identifying potential threats and their potential impacts, and then evaluating the organization's current security measures and developing strategies to address any deficiencies.
NEW QUESTION # 54
An employee of an organization has reported losing a smartphone that contains sensitive information. The BEST step to address this situation is to:
- A. escalate to the user's management.
- B. remotely wipe the device.
- C. disable the user's access to corporate resources.
- D. terminate the device connectivity.
Answer: B
NEW QUESTION # 55
Which of the following is MOST effective in monitoring an organization's existing risk?
- A. Risk management dashboards
- B. Periodic updates to risk register
- C. Vulnerability assessment results
- D. Security information and event management (SIEM) systems
Answer: A
NEW QUESTION # 56
Which of the following BEST helps to enable the desired information security culture within an organization?
- A. Information security awareness training and campaigns
- B. Delegation of information security roles and responsibilities
- C. Effective information security policies and procedures
- D. Incentives for appropriate information security-related behavior
Answer: A
NEW QUESTION # 57
Which of the following BEST determines an information asset's classification?
- A. Value of the information asset in the marketplace
- B. Risk assessment from the data owner
- C. Criticality to a business process
- D. Cost of producing the information asset
Answer: C
NEW QUESTION # 58
How would an organization know if its new information security program is accomplishing its goals?
- A. Employees are receptive to changes that were implemented.
- B. There is an immediate reduction in reported incidents.
- C. Key metrics indicate a reduction in incident impacts.
- D. Senior management has approved the program and is supportive of it.
Answer: C
Explanation:
Explanation
Option A is correct since an effective security program will show a trend in impact reduction. Options B and C may well derive from a performing program, but are not as significant as option
A. Option D may indicate that it is not successful.
NEW QUESTION # 59
Which of the following will ensure confidentiality of content when accessing an email system over the Internet?
- A. Digital signatures
- B. Digital encryption
- C. Data masking
- D. Multi-factor authentication
Answer: B
NEW QUESTION # 60
An organization permits the storage and use of its critical and sensitive information on employee- owned smartphones. Which of the following is the BEST security control?
- A. Establishing the authority to remote wipe
- B. Monitoring now often the smartphone is used
- C. Developing security awareness training
- D. Requiring the backup of the organization s data by the user
Answer: A
NEW QUESTION # 61
Organization XYZ. a lucrative, Internet-only business, recently suffered a power outage that lasted 2 hours. The organization s data center was unavailable in the interim. In order to mitigate risk in the MOST cost-efficient manner, the organization should:
- A. plan to operate at a reduced capacity from the primary place of business.
- B. create an FT hot site with immediate fail-over capability.
- C. set up a duplicate business center in a geographically separate area.
- D. install an uninterruptible power supply (UPS) and generator.
Answer: D
NEW QUESTION # 62
Which of the following BEST provides an information security manager with sufficient assurance that a service provider complies with the organization's information security requirements?
- A. An independent review report indicating compliance with industry standards
- B. Third-party security control self-assessment (CSA) results
- C. Alive demonstration of the third-party supplier's security capabilities
- D. The ability to i third-party supplier's IT systems and processes
Answer: D
Explanation:
A service provider is a third-party supplier that provides IT services or products to an organization. A service provider should comply with the organization's information security requirements, such as policies, standards, procedures, and controls, to ensure the confidentiality, integrity, and availability of the organization's data and systems. The best way to provide an information security manager with sufficient assurance that a service provider complies with the organization's information security requirements is to have the ability to audit the third-party supplier's IT systems and processes. An audit is a systematic and independent examination of evidence to determine the degree of conformity to predetermined criteria. An audit can verify the effectiveness and efficiency of the service provider's security controls, identify any gaps or weaknesses, and provide recommendations for improvement. An audit can also ensure that the service provider adheres to the contractual obligations and service level agreements (SLAs) with the organization. Therefore, option B is the most appropriate answer.
Option A is not the best answer because a live demonstration of the third-party supplier's security capabilities may not be comprehensive, objective, or reliable. A live demonstration may only show the positive aspects of the service provider's security, but not reveal any hidden or potential issues. A live demonstration may also be subject to manipulation or deception by the service provider.
Option C is not the best answer because third-party security control self-assessment (CSA) results may not be accurate, complete, or consistent. A self-assessment is a process where the service provider evaluates its own security controls against a set of criteria or standards. A self-assessment may be biased, subjective, or incomplete, as the service provider may not disclose or report all the relevant information or issues. A self-assessment may also vary in quality and scope depending on the service provider's expertise, resources, and methodology.
Option D is not the best answer because an independent review report indicating compliance with industry standards may not be sufficient or specific for the organization's information security requirements. An independent review is a process where an external party evaluates the service provider's security controls against a set of industry standards or best practices, such as ISO/IEC 27001, NIST CSF, PCI DSS, etc. An independent review report may provide a general overview of the service provider's security posture, but not address the organization's unique or specific security needs, risks, or expectations. An independent review report may also be outdated, limited, or generic, as the industry standards or best practices may not reflect the current or emerging security threats or trends. Reference = CISM Review Manual 15th Edition1, pages 257-258; CISM Review Questions, Answers & Explanations Database - 12 Month Subscription, QID 301.
An independent review report indicating compliance with industry standards BEST provides an information security manager with sufficient assurance that a service provider complies with the organization's information security requirements. This is because an independent review report is an objective and reliable source of evidence that the service provider has implemented and maintained effective security controls that meet the industry standards and best practices. An independent review report can also provide assurance that the service provider has addressed any gaps or weaknesses identified in previous audits or assessments.
NEW QUESTION # 63
An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. The vulnerability identified is:
- A. broken authentication.
- B. unvalidated input.
- C. cross-site scripting.
- D. structured query language (SQL) injection.
Answer: A
Explanation:
Explanation
The authentication process is broken because, although the session is valid, the application should reauthenticate when the input parameters are changed. The review provided valid employee IDs, and valid input was processed. The problem here is the lack of reauthentication when the input parameters are changed.
Cross-site scripting is not the problem in this case since the attack is not transferred to any other user's browser to obtain the output. Structured query language (SQL) injection is not a problem since input is provided as a valid employee ID and no SQL queries are injected to provide the output.
NEW QUESTION # 64
An organization has implemented controls to mitigate risks resulting from identified vulnerabilities in an application. Which of the following is the BEST way to verify all weaknesses have been addressed?
- A. Prepare compensating controls
- B. Conduct penetration testing
- C. Perform a vulnerability assessment
- D. Conduct an internal audit
Answer: B
Explanation:
Penetration testing simulates real-world attacks to identify any remaining exploitable vulnerabilities after controls are implemented. It validates that mitigation has been successful from an attacker's perspective.
"Penetration testing is essential to verify the effectiveness of remediation efforts and ensure vulnerabilities can no longer be exploited."
- CISM Review Manual 15th Edition, Chapter 2: Risk Management, Section: Security Testing and Evaluation* Vulnerability assessments and audits are valuable, but pen testing provides practical assurance.
NEW QUESTION # 65
An information security manager learns that business unit leaders are encouraging increased use of social media platforms to reach customers. Which of the following should be done FIRST to help mitigate the risk of confidential information being disclosed by employees on social media?
- A. Establish an organization-wide social media policy.
- B. Restrict social media access on corporate devices.
- C. Develop sanctions for misuse of social media sites.
- D. Monitor social media sites visited by employees.
Answer: A
Explanation:
An organization-wide social media policy is a document that defines the rules and guidelines for using social media platforms within the organization. It covers topics such as who can use social media, what they can post, how they should protect confidential information, and what are the consequences for violating the policy. An organization-wide social media policy helps to mitigate the risk of confidential information being disclosed by employees on social media by providing a clear and consistent framework for managing social media activities12.
References = 1: CISM Review Manual (Digital Version), page 271 2: CISM Review Manual (Print Version), page 271
NEW QUESTION # 66
The MOST important factors in determining the scope and timing for testing a business continuity plan are:
- A. manual processing capabilities and the test location
- B. the experience level of personnel and the function location.
- C. prior testing results and the degree of detail of the business continuity plan
- D. the importance of the function to be tested and the cost of testing,
Answer: D
NEW QUESTION # 67
When performing a business impact analysis (BIA), who should be responsible for determining the initial recovery time objective (RTO)?
- A. Information security manager
- B. Business continuity coordinator
- C. External consultant
- D. Information owners
Answer: B
Explanation:
Explanation
When performing a business impact analysis (BIA), it is the responsibility of the business continuity coordinator to determine the initial recovery time objective (RTO). The RTO is a critical component of the BIA and should be determined in cooperation with the information owners. The RTO should reflect the maximum tolerable period of disruption (MTPD) and should be used to guide the development of the recovery strategy.
NEW QUESTION # 68
Which of the following is the MOST important role of the information security manager when the organization is in the process of adopting emerging technologies?
- A. Assessing how peer organizations using the same technologies have been impacted
- B. Developing training for end users to familiarize them with the new technology
- C. Understanding the impact on existing resources
- D. Reviewing vendor contracts and service level agreements (SLAs)
Answer: C
NEW QUESTION # 69
......
CISM Premium Exam Engine - Download Free PDF Questions: https://www.pass4surecert.com/ISACA/CISM-practice-exam-dumps.html
CISM Dumps Questions Study Exam Guide : https://drive.google.com/open?id=1gwTb9rQe7ba77B2H5Bp4IFtSCo_2P11f