ISACA CISM — Certified Information Security Manager · Difficulty

Hard CISM practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 19 hard questions available — no sign-up, always free.

Question 1 of 19

An information security manager notices that several individually low-rated risks across different business units all stem from the same unpatched legacy authentication service. Each business unit has independently accepted its portion of the risk as within its local tolerance. What should the security manager do FIRST?

Reviewed for accuracy · Report an issue
Question 2 of 19

A newly appointed information security manager at a manufacturing firm finds that a technically sound security strategy approved two years ago has been largely ignored by business units. Interviews reveal that employees view security controls as obstacles to production targets, and line managers routinely grant exceptions to keep operations moving. Which action would BEST address the underlying cause of the strategy's poor adoption?

Reviewed for accuracy · Report an issue
Question 3 of 19

A multinational retailer operates in several countries, each with different breach notification timelines and data protection obligations. The information security manager discovers that one jurisdiction requires notification within 72 hours, while a contractual clause with a major partner requires immediate notification of any incident, and a third country mandates notification only after confirmed harm to individuals. To address these conflicting legal, regulatory, and contractual requirements when developing the incident response and governance approach, what should the information security manager do FIRST?

Reviewed for accuracy · Report an issue
Question 4 of 19

A manufacturing company signs a contract with a large retail customer that includes strict information security clauses requiring encryption of all customer data and 24-hour breach notification. The company stores this data with a third-party cloud provider whose standard service agreement offers only 72-hour breach notification and does not commit to the required encryption controls. What should the information security manager do FIRST?

Reviewed for accuracy · Report an issue
Question 5 of 19

A newly appointed information security manager discovers that business units routinely adopt unsanctioned cloud applications ('shadow IT') because the formal approval process is perceived as slow and bureaucratic. Executives value the units' agility and are reluctant to impose heavy controls. Which action would BEST address the root cause while supporting enterprise governance objectives?

Reviewed for accuracy · Report an issue
Question 6 of 19

During a disaster recovery test, the information security manager observes that a critical order-processing system was restored and made operational within 5 hours, meeting its documented 6-hour recovery time objective (RTO). However, the recovered database was missing the last 3 hours of transactions before the outage, while the documented recovery point objective (RPO) for that system is 30 minutes. Which of the following is the MOST important conclusion the security manager should draw from this test result?

Reviewed for accuracy · Report an issue
Question 7 of 19

During a contained malware incident, the response team discovers the infection has spread to the systems supporting the organization's primary customer-facing platform, and full restoration is now expected to exceed the documented maximum tolerable downtime. As the information security manager, what is the MOST appropriate next action?

Reviewed for accuracy · Report an issue
Question 8 of 19

A security manager wants to improve the organization's ability to detect intrusions early. The SIEM currently generates thousands of alerts daily, but most are false positives, and a recent breach went undetected for weeks because malicious activity blended in with normal traffic. Which action would MOST effectively improve the organization's detection capability?

Reviewed for accuracy · Report an issue
Question 9 of 19

During a confirmed intrusion, an attacker has established a foothold on a single server in a segmented DMZ but has not yet moved laterally. The incident response team is under pressure from operations to keep the customer-facing application online. The information security manager must decide on a containment strategy. Which factor should MOST influence the choice between immediate isolation and delayed containment?

Reviewed for accuracy · Report an issue
Question 10 of 19

During a post-incident review, an information security manager discovers that the organization detected a sophisticated intrusion three weeks after the initial compromise, well after data had been exfiltrated. The SIEM was properly tuned and alerts were triaged promptly, but no rule existed to detect the specific attacker technique used. Which improvement would MOST effectively reduce the detection time for similar future attacks?

Reviewed for accuracy · Report an issue
Question 11 of 19

A newly appointed CISO has operated the information security governance program for one year. The board now asks for evidence that governance itself—not just individual controls—is effective and delivering value. Which of the following would BEST demonstrate the effectiveness of the governance program to the board?

Reviewed for accuracy · Report an issue
Question 12 of 19

During a ransomware outbreak, an incident responder discovers several infected servers actively encrypting shared storage. Management wants the systems isolated immediately, but the legal team has indicated the organization may pursue prosecution and file a cyber-insurance claim. What should the incident responder do FIRST to balance containment with these requirements?

Reviewed for accuracy · Report an issue
Question 13 of 19

After implementing agreed mitigating controls for a critical customer-facing application, the information security manager reassesses the risk and finds the residual risk still exceeds the organization's documented risk appetite. The business unit insists the application must remain in production to meet revenue targets. What should the information security manager do NEXT?

Reviewed for accuracy · Report an issue
Question 14 of 19

A manufacturing company deploys new IT and operational technology systems on a near-monthly basis, but risk assessments are only performed during the annual enterprise risk review. As a result, several recently deployed systems introduced significant exposures that were not identified until an incident occurred. Which action would BEST address the root cause of this problem?

Reviewed for accuracy · Report an issue
Question 15 of 19

A quantitative risk assessment for a legacy inventory system shows an annualized loss expectancy (ALE) of $40,000. The information security manager evaluates a proposed control that would reduce the ALE to $5,000 but costs $90,000 per year to operate. The system is scheduled for decommissioning in 18 months. Which risk response is the MOST appropriate for the security manager to recommend?

Reviewed for accuracy · Report an issue
Question 16 of 19

An information security manager must recommend which of two risk scenarios to address first. Scenario 1 has a single loss expectancy (SLE) of $50,000 and an annual rate of occurrence (ARO) of 3. Scenario 2 has an SLE of $250,000 and an ARO of 0.5. Mitigation for each costs approximately $80,000 per year. Which scenario should be prioritized for treatment based on cost-effectiveness?

Reviewed for accuracy · Report an issue
Question 17 of 19

A security manager identifies a critical vulnerability in a customer-facing application. The permanent fix requires a vendor patch that will not be available for four months, and the residual risk during that period exceeds the organization's risk appetite. Which action should the security manager take FIRST?

Reviewed for accuracy · Report an issue
Question 18 of 19

A newly appointed information security manager has completed an approved security strategy that includes defined objectives and initiatives with allocated budget. Six months into execution, the executive sponsor asks how the manager will demonstrate that the strategy is actually moving the organization toward its intended security posture over time. Which of the following is the MOST effective way to provide this assurance?

Reviewed for accuracy · Report an issue
Question 19 of 19

A newly approved information security strategy contains 14 initiatives spanning three years. The information security manager must convert the strategy into an actionable roadmap. Several initiatives are interdependent: a data classification program must precede a data loss prevention deployment, and an identity governance rollout depends on completing an HR system integration owned by another department. When developing the roadmap, what should the information security manager do FIRST?

Reviewed for accuracy · Report an issue