New (2026) Download free CISM PDF for ISACA Practice Tests [Q46-Q69]

Share

New (2026) Download free CISM PDF for ISACA Practice Tests

100% Free CISM Files For passing the exam Quickly


ISACA Information Security Manager Exam Syllabus Topics:

TopicDetailsWeights
Information Security Governance

-Establish and/or maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives.

Task Statements

  1. Establish and/or maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and/or ongoing management of the information security program.
  2. Establish and/or maintain an information security governance framework to guide activities that support the information security strategy.
  3. Integrate information security governance into corporate governance to ensure that organizational goals and objectives are supported by the information security program.
  4. Establish and maintain information security policies to guide the development of standards, procedures and guidelines in alignment with enterprise goals and objectives.
  5. Develop business cases to support investments in information security.
  6. Identify internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) to ensure that these factors are continually addressed by the information security strategy.
  7. Gain ongoing commitment from senior leadership and other stakeholders to support the successful implementation of the information security strategy.
  8. Define, communicate, and monitor information security responsibilities throughout the organization (e.g., data owners, data custodians, end-users, privileged or high-risk users) and lines of authority.
  9. Establish, monitor, evaluate and report key information security metrics to provide management with accurate and meaningful information regarding the effectiveness of the information security strategy.

Knowledge Statements

  1. Knowledge of techniques used to develop an information security strategy (e.g., SWOT [strengths, weaknesses, opportunities, threats] analysis, gap analysis, threat research)
  2. Knowledge of the relationship of information security to business goals, objectives, functions, processes and practices.
  3. Knowledge of available information security governance frameworks.
  4. Knowledge of globally recognized standards, frameworks and industry best practices related to information security governance and strategy development.
  5. Knowledge of the fundamental concepts of governance and how they relate to information security.
  6. Knowledge of methods to assess, plan, design and implement an information security governance framework.
  7. Knowledge of methods to integrate information security governance into corporate governance.
  8. Knowledge of contributing factors and parameters (e.g., organizational structure and culture, tone at the top, regulations) for information security policy development
  9. Knowledge of content in, and techniques to develop, business cases.
  10. Knowledge of strategic budgetary planning and reporting methods.
  11. Knowledge of the internal and external influences to the organization (e.g., emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, threat landscape) and how they impact the information security strategy.
  12. Knowledge of key information needed to obtain commitment from senior leadership and support from other stakeholders (e.g., how information security supports organizational goals and objectives, criteria for determining successful implementation, business impact).
  13. Knowledge of methods and considerations for communicating with senior leadership and other stakeholders (e.g., organizational culture, channels of communication, highlighting essential aspects of information security).
  14. Knowledge of roles and responsibilities of the information security manager.
  15. Knowledge of organizational structures, lines of authority and escalation points.
  16. Knowledge of information security responsibilities of staff across the organization (e.g., data owners, end-users, privileged or high-risk users)
  17. Knowledge of processes to monitor performance of information security responsibilities.
  18. Knowledge of methods to establish new, or utilize existing, reporting and communication channels throughout an organization.
  19. Knowledge of methods to select, implement and interpret key information security metrics (e.g., key performance indicators [KPIs] or key risk indicators [KRIs]).
24%
Information Security Incident Management

-Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact.

Task Statements

  1. Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents to allow accurate classification and categorization of and response to incidents.
  2. Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.
  3. Develop and implement processes to ensure the timely identification of information security incidents that could impact the business.
  4. Establish and maintain processes to investigate and document information security incidents in order to determine the appropriate response and cause while adhering to legal, regulatory and organizational requirements.
  5. Establish and maintain incident notification and escalation processes to ensure that the appropriate stakeholders are involved in incident response management.
  6. Organize, train and equip incident response teams to respond to information security incidents in an effective and timely manner.
  7. Test, review and revise (as applicable) the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.
  8. Establish and maintain communication plans and processes to manage communication with internal and external entities.
  9. Conduct post-incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
  10. Establish and maintain integration among the incident response plan, business continuity plan and disaster recovery plan.

Knowledge Statements

  1. Knowledge of incident management concepts and practices.
  2. Knowledge of the components of an incident response plan.
  3. Knowledge of business continuity planning (BCP) and disaster recovery planning (DRP) and their relationship to the incident response plan.
  4. Knowledge of incident classification/categorization methods.
  5. Knowledge of incident containment methods to minimize adverse operational impact.
  6. Knowledge of notification and escalation processes.
  7. Knowledge of the roles and responsibilities in identifying and managing information security incidents.
  8. Knowledge of the types and sources of training, tools and equipment required to adequately equip incident response teams.
  9. Knowledge of forensic requirements and capabilities for collecting, preserving and presenting evidence (e.g., admissibility, quality and completeness of evidence, chain of custody).
  10. Knowledge of internal and external incident reporting requirements and procedures.
  11. Knowledge of post-incident review practices and investigative methods to identify root causes and determine corrective actions.
  12. Knowledge of techniques to quantify damages, costs and other business impacts arising from information security incidents.
  13. Knowledge of technologies and processes to detect, log, analyze and document information security events.
  14. Knowledge of internal and external resources available to investigate information security incidents.
  15. Knowledge of methods to identify and quantify the potential impact of changes made to the operating environment during the incident response process.
  16. Knowledge of techniques to test the incident response plan.
  17. Knowledge of applicable regulatory, legal and organization requirements.
  18. Knowledge of key indicators/metrics to evaluate the effectiveness of the incident response plan.
19%
Information Risk Management

-Manage information risk to an acceptable level based on risk appetite in order to meet organizational goals and objectives.

Task Statements

  1. Establish and/or maintain a process for information asset classification to ensure that measures taken to protect assets are proportional to their business value.
  2. Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels.
  3. Ensure that risk assessments, vulnerability assessments and threat analyses are conducted consistently, at appropriate times, and to identify and assess risk to the organization’s information.
  4. Identify, recommend or implement appropriate risk treatment/response options to manage risk to acceptable levels based on organizational risk appetite.
  5. Determine whether information security controls are appropriate and effectively manage risk to an acceptable level.
  6. Facilitate the integration of information risk management into business and IT processes (e.g., systems development, procurement, project management) to enable a consistent and comprehensive information risk management program across the organization.
  7. Monitor for internal and external factors (e.g., key risk indicators [KRIs], threat landscape, geopolitical, regulatory change) that may require reassessment of risk to ensure that changes to existing, or new, risk scenarios are identified and managed appropriately.
  8. Report noncompliance and other changes in information risk to facilitate the risk management decision-making process.
  9. Ensure that information security risk is reported to senior management to support an understanding of potential impact on the organizational goals and objectives.

Knowledge Statements

  1. Knowledge of methods to establish an information asset classification model consistent with business objectives.
  2. Knowledge of considerations for assigning ownership of information assets and risk.
  3. Knowledge of methods to identify and evaluate the impact of internal or external events on information assets and the business.
  4. Knowledge of methods used to monitor internal or external risk factors.
  5. Knowledge of information asset valuation methodologies.
  6. Knowledge of legal, regulatory, organizational and other requirements related to information security.
  7. Knowledge of reputable, reliable and timely sources of information regarding emerging information security threats and vulnerabilities.
  8. Knowledge of events that may require risk reassessments and changes to information security program elements.
  9. Knowledge of information threats, vulnerabilities and exposures and their evolving nature.
  10. Knowledge of risk assessment and analysis methodologies.
  11. Knowledge of methods used to prioritize risk scenarios and risk treatment/response options.
  12. Knowledge of risk reporting requirements (e.g., frequency, audience, content).
  13. Knowledge of risk treatment/response options (avoid, mitigate, accept or transfer) and methods to apply them.
  14. Knowledge of control baselines and standards and their relationships to risk assessments.
  15. Knowledge of information security controls and the methods to analyze their effectiveness.
  16. Knowledge of gap analysis techniques as related to information security.
  17. Knowledge of techniques for integrating information security risk management into business and IT processes.
  18. Knowledge of compliance reporting requirements and processes.
  19. Knowledge of cost/benefit analysis to assess risk treatment options.
30%
Information Security Program Development and Management

-Develop and maintain an information security program that identifies, manages and protects the organization’s assets while aligning to information security strategy and business goals, thereby supporting an effective security posture.

Task Statements

  1. Establish and/or maintain the information security program in alignment with the information security strategy.
  2. Align the information security program with the operational objectives of other business functions (e.g., human resources [HR], accounting, procurement and IT) to ensure that the information security program adds value to and protects the business.
  3. Identify, acquire and manage requirements for internal and external resources to execute the information security program.
  4. Establish and maintain information security processes and resources (including people and technologies) to execute the information security program in alignment with the organization’s business goals.
  5. Establish, communicate and maintain organizational information security standards, guidelines, procedures and other documentation to guide and enforce compliance with information security policies.
  6. Establish, promote and maintain a program for information security awareness and training to foster an effective security culture.
  7. Integrate information security requirements into organizational processes (e.g., change control, mergers and acquisitions, system development, business continuity, disaster recovery) to maintain the organization’s security strategy.
  8. Integrate information security requirements into contracts and activities of third parties (e.g., joint ventures, outsourced providers, business partners, customers) and monitor adherence to established requirements in order to maintain the organization’s security strategy.
  9. Establish, monitor and analyze program management and operational metrics to evaluate the effectiveness and efficiency of the information security program.
  10. Compile and present reports to key stakeholders on the activities, trends and overall effectiveness of the IS program and the underlying business processes in order to communicate security performance.

Knowledge Statements

  1. Knowledge of methods to align information security program requirements with those of other business functions
  2. Knowledge of methods to identify, acquire, manage and define requirements for internal and external resources
  3. Knowledge of current and emerging information security technologies and underlying concepts
  4. Knowledge of methods to design and implement information security controls
  5. Knowledge of information security processes and resources (including people and technologies) in alignment with the organization’s business goals and methods to apply them
  6. Knowledge of methods to develop information security standards, procedures and guidelines
  7. Knowledge of internationally recognized regulations, standards, frameworks and best practices related to information security program development and management
  8. Knowledge of methods to implement and communicate information security policies, standards, procedures and guidelines
  9. Knowledge of training, certifications and skill set development for information security personnel
  10. Knowledge of methods to establish and maintain effective information security awareness and training programs
  11. Knowledge of methods to integrate information security requirements into organizational processes (e.g., access management, change management, audit processes)
  12. Knowledge of methods to incorporate information security requirements into contracts, agreements and third-party management processes
  13. Knowledge of methods to monitor and review contracts and agreements with third parties and associated change processes as required
  14. Knowledge of methods to design, implement and report operational information security metrics
  15. Knowledge of methods for testing the effectiveness and efficiency of information security controls
  16. Knowledge of techniques to communicate information security program status to key stakeholders
27%

 

NEW QUESTION # 46
The MOST appropriate owner of customer data stored in a central database, used only by an organization's sales department, would be the:

  • A. head of the sales department.
  • B. sales department.
  • C. database administrator.
  • D. chief information officer (CIO).

Answer: A

Explanation:
Explanation
The owner of the information asset should be the person with the decision-making power in the department deriving the most benefit from the asset. In this case, it would be the head of the sales department. The organizational unit cannot be the owner of the asset because that removes personal responsibility. The database administrator is a custodian. The chief information officer (CIO) would not be an owner of this database because the CIO is less likely to be knowledgeable about the specific needs of sales operations and security concerns.


NEW QUESTION # 47
A border router should be placed on which of the following?

  • A. IDS server
  • B. Web server
  • C. Domain boundary
  • D. Screened subnet

Answer: C

Explanation:
Explanation
A border router should be placed on a (security) domain boundary. Placing it on a web server or screened subnet, which is a demilitarized zone (DMZ) would not provide any protection. Border routers are positioned on the boundary of the network, but do not reside on a server.


NEW QUESTION # 48
Which of the following should be updated FIRST to account for new regulatory requirements that impact current information security controls?

  • A. Control matrix
  • B. Business impact analysis (BIA)
  • C. Information security policy
  • D. Risk register

Answer: C


NEW QUESTION # 49
What should be the FIRST step when investigating an employee suspected of inappropriately downloading proprietary information?

  • A. Check for a signed nondisclosure agreement (NDA).
  • B. Review system access logs.
  • C. Discuss the concern with the employee.
  • D. Conduct a forensic examination of the device.

Answer: B


NEW QUESTION # 50
An information security manager is implementing a bring your own device (BYOD) program. Which of the following would BEST ensure that users adhere to the security standards?

  • A. Monitor user activities on the network.
  • B. Publish the standards on the intranet landing page.
  • C. Deploy a device management solution.
  • D. Establish an acceptable use policy.

Answer: D


NEW QUESTION # 51
Which of the following roles would represent a conflict of interest for an information security manager?

  • A. Assessment of the adequacy of disaster recovery plans
  • B. Evaluation of third parties requesting connectivity
  • C. Monitoring adherence to physical security controls
  • D. Final approval of information security policies

Answer: D

Explanation:
Explanation/Reference:
Explanation:
Since management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval. Evaluation of third parties requesting access, assessment of disaster recovery plans and monitoring of compliance with physical security controls are acceptable practices and do not present any conflicts of interest.


NEW QUESTION # 52
The BEST approach in managing a security incident involving a successful penetration should be to:

  • A. permit the incident to continue to trace the source.
  • B. allow business processes to continue during the response.
  • C. allow the security team to assess the attack profile.
  • D. examine the incident response process for deficiencies.

Answer: B

Explanation:
Explanation
Since information security objectives should always be linked to the objectives of the business, it is imperative that business processes be allowed to continue whenever possible. Only when there is no alternative should these processes be interrupted. Although it is important to allow the security team to assess the characteristics of an attack, this is subordinate to the needs of the business. Permitting an incident to continue may expose the organization to additional damage. Evaluating the incident management process for deficiencies is valuable but it, too. is subordinate to allowing business processes to continue.


NEW QUESTION # 53
Which of the following analyses will BEST identify the external influences to an organization's information security?

  • A. Gap analysis
  • B. Business impact analysis (BIA)
  • C. Vulnerability analysis
  • D. Threat analysis

Answer: D

Explanation:
A threat analysis will best identify the external influences to an organization's information security because it involves identifying and evaluating the sources and likelihood of potential adverse events that could affect the organization's assets, operations, or reputation. External influences include factors such as emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, and threat landscape1. A threat analysis can help the organization to align its information security strategy with its business objectives and risk appetite, and to prioritize and mitigate the most relevant and impactful threats. A business impact analysis (BIA) is a process of assessing the potential consequences of a disruption to the organization's critical business functions or processes. A BIA does not directly identify the external influences to the organization's information security, but rather the impact of those influences on the organization's continuity and recovery. A gap analysis is a process of comparing the current state of the organization's information security with a desired or expected state, based on best practices, standards, or frameworks. A gap analysis does not directly identify the external influences to the organization's information security, but rather the areas of improvement or compliance. A vulnerability analysis is a process of identifying and evaluating the weaknesses or flaws in the organization's information systems or processes that could be exploited by threats. A vulnerability analysis does not directly identify the external influences to the organization's information security, but rather the exposure or susceptibility of the organization to those influences. Reference = CISM Review Manual, 15th Edition, pages 22-232; CISM Exam Content Outline, Domain 1, Knowledge Statement 1.113 Threat analysis is a process that is used to identify and assess the external influences or threats that could potentially affect an organization's information security. It is used to identify potential risks and develop strategies to mitigate or reduce those risks. Threat analysis involves analyzing the environment, identifying potential threats and their potential impacts, and then evaluating the organization's current security measures and developing strategies to address any deficiencies.


NEW QUESTION # 54
An employee of an organization has reported losing a smartphone that contains sensitive information. The BEST step to address this situation is to:

  • A. escalate to the user's management.
  • B. remotely wipe the device.
  • C. disable the user's access to corporate resources.
  • D. terminate the device connectivity.

Answer: B


NEW QUESTION # 55
Which of the following is MOST effective in monitoring an organization's existing risk?

  • A. Risk management dashboards
  • B. Periodic updates to risk register
  • C. Vulnerability assessment results
  • D. Security information and event management (SIEM) systems

Answer: A


NEW QUESTION # 56
Which of the following BEST helps to enable the desired information security culture within an organization?

  • A. Information security awareness training and campaigns
  • B. Delegation of information security roles and responsibilities
  • C. Effective information security policies and procedures
  • D. Incentives for appropriate information security-related behavior

Answer: A


NEW QUESTION # 57
Which of the following BEST determines an information asset's classification?

  • A. Value of the information asset in the marketplace
  • B. Risk assessment from the data owner
  • C. Criticality to a business process
  • D. Cost of producing the information asset

Answer: C


NEW QUESTION # 58
How would an organization know if its new information security program is accomplishing its goals?

  • A. Employees are receptive to changes that were implemented.
  • B. There is an immediate reduction in reported incidents.
  • C. Key metrics indicate a reduction in incident impacts.
  • D. Senior management has approved the program and is supportive of it.

Answer: C

Explanation:
Explanation
Option A is correct since an effective security program will show a trend in impact reduction. Options B and C may well derive from a performing program, but are not as significant as option
A. Option D may indicate that it is not successful.


NEW QUESTION # 59
Which of the following will ensure confidentiality of content when accessing an email system over the Internet?

  • A. Digital signatures
  • B. Digital encryption
  • C. Data masking
  • D. Multi-factor authentication

Answer: B


NEW QUESTION # 60
An organization permits the storage and use of its critical and sensitive information on employee- owned smartphones. Which of the following is the BEST security control?

  • A. Establishing the authority to remote wipe
  • B. Monitoring now often the smartphone is used
  • C. Developing security awareness training
  • D. Requiring the backup of the organization s data by the user

Answer: A


NEW QUESTION # 61
Organization XYZ. a lucrative, Internet-only business, recently suffered a power outage that lasted 2 hours. The organization s data center was unavailable in the interim. In order to mitigate risk in the MOST cost-efficient manner, the organization should:

  • A. plan to operate at a reduced capacity from the primary place of business.
  • B. create an FT hot site with immediate fail-over capability.
  • C. set up a duplicate business center in a geographically separate area.
  • D. install an uninterruptible power supply (UPS) and generator.

Answer: D


NEW QUESTION # 62
Which of the following BEST provides an information security manager with sufficient assurance that a service provider complies with the organization's information security requirements?

  • A. An independent review report indicating compliance with industry standards
  • B. Third-party security control self-assessment (CSA) results
  • C. Alive demonstration of the third-party supplier's security capabilities
  • D. The ability to i third-party supplier's IT systems and processes

Answer: D

Explanation:
A service provider is a third-party supplier that provides IT services or products to an organization. A service provider should comply with the organization's information security requirements, such as policies, standards, procedures, and controls, to ensure the confidentiality, integrity, and availability of the organization's data and systems. The best way to provide an information security manager with sufficient assurance that a service provider complies with the organization's information security requirements is to have the ability to audit the third-party supplier's IT systems and processes. An audit is a systematic and independent examination of evidence to determine the degree of conformity to predetermined criteria. An audit can verify the effectiveness and efficiency of the service provider's security controls, identify any gaps or weaknesses, and provide recommendations for improvement. An audit can also ensure that the service provider adheres to the contractual obligations and service level agreements (SLAs) with the organization. Therefore, option B is the most appropriate answer.
Option A is not the best answer because a live demonstration of the third-party supplier's security capabilities may not be comprehensive, objective, or reliable. A live demonstration may only show the positive aspects of the service provider's security, but not reveal any hidden or potential issues. A live demonstration may also be subject to manipulation or deception by the service provider.
Option C is not the best answer because third-party security control self-assessment (CSA) results may not be accurate, complete, or consistent. A self-assessment is a process where the service provider evaluates its own security controls against a set of criteria or standards. A self-assessment may be biased, subjective, or incomplete, as the service provider may not disclose or report all the relevant information or issues. A self-assessment may also vary in quality and scope depending on the service provider's expertise, resources, and methodology.
Option D is not the best answer because an independent review report indicating compliance with industry standards may not be sufficient or specific for the organization's information security requirements. An independent review is a process where an external party evaluates the service provider's security controls against a set of industry standards or best practices, such as ISO/IEC 27001, NIST CSF, PCI DSS, etc. An independent review report may provide a general overview of the service provider's security posture, but not address the organization's unique or specific security needs, risks, or expectations. An independent review report may also be outdated, limited, or generic, as the industry standards or best practices may not reflect the current or emerging security threats or trends. Reference = CISM Review Manual 15th Edition1, pages 257-258; CISM Review Questions, Answers & Explanations Database - 12 Month Subscription, QID 301.
An independent review report indicating compliance with industry standards BEST provides an information security manager with sufficient assurance that a service provider complies with the organization's information security requirements. This is because an independent review report is an objective and reliable source of evidence that the service provider has implemented and maintained effective security controls that meet the industry standards and best practices. An independent review report can also provide assurance that the service provider has addressed any gaps or weaknesses identified in previous audits or assessments.


NEW QUESTION # 63
An internal review of a web-based application system finds the ability to gain access to all employees' accounts by changing the employee's ID on the URL used for accessing the account. The vulnerability identified is:

  • A. broken authentication.
  • B. unvalidated input.
  • C. cross-site scripting.
  • D. structured query language (SQL) injection.

Answer: A

Explanation:
Explanation
The authentication process is broken because, although the session is valid, the application should reauthenticate when the input parameters are changed. The review provided valid employee IDs, and valid input was processed. The problem here is the lack of reauthentication when the input parameters are changed.
Cross-site scripting is not the problem in this case since the attack is not transferred to any other user's browser to obtain the output. Structured query language (SQL) injection is not a problem since input is provided as a valid employee ID and no SQL queries are injected to provide the output.


NEW QUESTION # 64
An organization has implemented controls to mitigate risks resulting from identified vulnerabilities in an application. Which of the following is the BEST way to verify all weaknesses have been addressed?

  • A. Prepare compensating controls
  • B. Conduct penetration testing
  • C. Perform a vulnerability assessment
  • D. Conduct an internal audit

Answer: B

Explanation:
Penetration testing simulates real-world attacks to identify any remaining exploitable vulnerabilities after controls are implemented. It validates that mitigation has been successful from an attacker's perspective.
"Penetration testing is essential to verify the effectiveness of remediation efforts and ensure vulnerabilities can no longer be exploited."
- CISM Review Manual 15th Edition, Chapter 2: Risk Management, Section: Security Testing and Evaluation* Vulnerability assessments and audits are valuable, but pen testing provides practical assurance.


NEW QUESTION # 65
An information security manager learns that business unit leaders are encouraging increased use of social media platforms to reach customers. Which of the following should be done FIRST to help mitigate the risk of confidential information being disclosed by employees on social media?

  • A. Establish an organization-wide social media policy.
  • B. Restrict social media access on corporate devices.
  • C. Develop sanctions for misuse of social media sites.
  • D. Monitor social media sites visited by employees.

Answer: A

Explanation:
An organization-wide social media policy is a document that defines the rules and guidelines for using social media platforms within the organization. It covers topics such as who can use social media, what they can post, how they should protect confidential information, and what are the consequences for violating the policy. An organization-wide social media policy helps to mitigate the risk of confidential information being disclosed by employees on social media by providing a clear and consistent framework for managing social media activities12.
References = 1: CISM Review Manual (Digital Version), page 271 2: CISM Review Manual (Print Version), page 271


NEW QUESTION # 66
The MOST important factors in determining the scope and timing for testing a business continuity plan are:

  • A. manual processing capabilities and the test location
  • B. the experience level of personnel and the function location.
  • C. prior testing results and the degree of detail of the business continuity plan
  • D. the importance of the function to be tested and the cost of testing,

Answer: D


NEW QUESTION # 67
When performing a business impact analysis (BIA), who should be responsible for determining the initial recovery time objective (RTO)?

  • A. Information security manager
  • B. Business continuity coordinator
  • C. External consultant
  • D. Information owners

Answer: B

Explanation:
Explanation
When performing a business impact analysis (BIA), it is the responsibility of the business continuity coordinator to determine the initial recovery time objective (RTO). The RTO is a critical component of the BIA and should be determined in cooperation with the information owners. The RTO should reflect the maximum tolerable period of disruption (MTPD) and should be used to guide the development of the recovery strategy.


NEW QUESTION # 68
Which of the following is the MOST important role of the information security manager when the organization is in the process of adopting emerging technologies?

  • A. Assessing how peer organizations using the same technologies have been impacted
  • B. Developing training for end users to familiarize them with the new technology
  • C. Understanding the impact on existing resources
  • D. Reviewing vendor contracts and service level agreements (SLAs)

Answer: C


NEW QUESTION # 69
......

CISM Premium Exam Engine - Download Free PDF Questions: https://www.pass4surecert.com/ISACA/CISM-practice-exam-dumps.html

CISM Dumps Questions Study Exam Guide : https://drive.google.com/open?id=1gwTb9rQe7ba77B2H5Bp4IFtSCo_2P11f