ISACA CISM — Certified Information Security Manager · Difficulty

Medium CISM practice questions

Applied — put a concept to work in a realistic situation. 102 medium questions available — no sign-up, always free.

Question 1 of 25

A manufacturing enterprise is acquiring a smaller competitor. The acquiring company follows ISO/IEC 27001, while the target has an informal, undocumented security program built around a different framework. The board has asked the information security manager how to approach integrating the two security programs to deliver value while managing risk. What should the information security manager do FIRST?

Reviewed for accuracy · Report an issue
Question 2 of 25

An information security manager compiles monthly KRI data showing that failed patch-deployment rates have steadily risen over three consecutive reporting cycles, though no individual threshold has yet been breached. Before the next executive risk committee meeting, what is the MOST important action the manager should take?

Reviewed for accuracy · Report an issue
Question 3 of 25

A newly appointed information security manager at a mid-sized financial services firm discovers that the organization's information security policies were written years ago and reference no external standard. The board has asked for assurance that the security program reflects recognized good practice and can be benchmarked against peers. Which action should the security manager take FIRST to address the board's request?

Reviewed for accuracy · Report an issue
Question 4 of 25

An information security manager is developing the security program for a large enterprise and must ensure that protection levels applied to data are appropriate and cost-effective. Before selecting and applying baseline controls to the organization's information assets, which activity provides the MOST essential foundation for these decisions?

Reviewed for accuracy · Report an issue
Question 5 of 25

An information security manager is developing handling requirements for a newly classified dataset that feeds an automated financial trading algorithm. Business owners emphasize that the data is not confidential (it is derived from public market feeds) but that corrupted or altered values could trigger erroneous multimillion-dollar trades. When defining the protection baseline for this asset, which control emphasis should the manager prioritize?

Reviewed for accuracy · Report an issue
Question 6 of 25

An information security manager finds that an organization has a documented data classification policy with four sensitivity levels, but a recent review reveals that employees frequently store confidential files in shared repositories accessible to all staff. Investigation shows the classification levels are well understood, but there is no consistent way to identify how sensitive a given file is once it leaves its original system. What is the MOST likely root cause the security manager should address?

Reviewed for accuracy · Report an issue
Question 7 of 25

During the rollout of a new information security program, the security manager discovers that many critical data assets have been classified inconsistently, with IT staff making classification decisions based on technical storage requirements rather than business value. Which action should the security manager take FIRST to correct this?

Reviewed for accuracy · Report an issue
Question 8 of 25

An information security manager discovers that customer datasets originally classified as 'Confidential' three years ago are now aggregated into analytics reports and used broadly across marketing, finance, and operations. The datasets still carry the original classification labels, but their sensitivity and regulatory exposure have grown significantly since the initial classification. What should the security manager do FIRST to address this situation?

Reviewed for accuracy · Report an issue
Question 9 of 25

A newly appointed information security manager discovers that the organization's security program applies controls inconsistently, and several recent incidents involved systems that no one in IT was aware of. Before proposing new technical controls, which action will provide the MOST foundational basis for building an effective information security program?

Reviewed for accuracy · Report an issue
Question 10 of 25

A newly appointed information security manager presents monthly reports to the board consisting of the number of blocked malware events, patched vulnerabilities, and firewall rule changes. Board members repeatedly ask why the security program deserves continued funding and how it supports strategic objectives. Which change to the reporting approach would BEST address the board's concern?

Reviewed for accuracy · Report an issue
Question 11 of 25

During a business impact analysis (BIA) for a manufacturing company, the information security manager finds that the finance department claims its payroll system is the most critical asset requiring the shortest recovery time. However, an operations manager insists the production control system must be restored first, as a shutdown halts all revenue-generating output within hours. The two departments cannot agree on relative priority. What is the security manager's BEST next step to resolve the conflict and produce a defensible BIA?

Reviewed for accuracy · Report an issue
Question 12 of 25

During the investigation of a suspected fraud incident, a security analyst copies key log files and a disk image from the affected server to a shared network folder so that several team members can review them simultaneously. The incident may later result in legal action against an employee. From an evidence-handling perspective, what is the MOST significant problem with the analyst's action?

Reviewed for accuracy · Report an issue
Question 13 of 25

An information security manager is establishing a security control baseline for a new application being deployed on a third-party PaaS provider. The provider publishes a SOC 2 Type II report and a shared responsibility matrix indicating it manages physical, network, and hypervisor controls. What should the manager do FIRST when tailoring the organization's control baseline for this application?

Reviewed for accuracy · Report an issue
Question 14 of 25

During a security review, an information security manager identifies that the organization has deployed strong perimeter firewalls but has no monitoring of lateral movement within the internal network. Recent threat intelligence indicates attackers in the industry increasingly use credential theft to move laterally after gaining an initial foothold. Which of the following BEST describes what the manager has identified?

Reviewed for accuracy · Report an issue
Question 15 of 25

Following a ransomware incident that encrypted several file servers, an organization successfully restored operations from backups within its recovery objectives. The information security manager is now reviewing the control set to reduce the impact of any future occurrence. Which type of control was MOST directly responsible for limiting the business impact in this case, and should be prioritized for continued investment?

Reviewed for accuracy · Report an issue
Question 16 of 25

An information security manager is establishing a new data classification scheme for an organization that currently stores all data at a single sensitivity level. After defining the classification categories (public, internal, confidential, restricted), what should the manager do NEXT to make the scheme operationally effective?

Reviewed for accuracy · Report an issue
Question 17 of 25

An organization has deployed a data loss prevention (DLP) technology to prevent exfiltration of confidential customer data through email and web channels. Six months later, the DLP tool generates thousands of alerts, but employees continue to inadvertently send sensitive files externally, and staff are unaware which data is considered confidential. Which action would MOST effectively improve the DLP program's outcomes?

Reviewed for accuracy · Report an issue
Question 18 of 25

A newly appointed information security manager discovers that during a recent ransomware incident, no one initiated the containment decision because staff assumed the IT operations team, the legal department, and the CISO each held that authority. Post-incident review shows overlapping and undocumented responsibilities across several security processes. Which action will BEST prevent this type of failure in the future?

Reviewed for accuracy · Report an issue
Question 19 of 25

A retail organization has strong preventive controls at its network perimeter, but a recent tabletop exercise revealed that if an attacker bypasses these controls, the security team would have no reliable way to identify malicious activity occurring on internal servers. The information security manager wants to close this gap most effectively. Which control should be prioritized?

Reviewed for accuracy · Report an issue
Question 20 of 25

Employees across several business units have rapidly begun using a third-party generative AI service to accelerate their work. The information security manager becomes aware of this trend but has no formal record of the tool in the risk register or any assessment of its data handling. Which action should the information security manager take FIRST to address this emerging risk?

Reviewed for accuracy · Report an issue
Question 21 of 25

An organization's help desk logs all reported events into a ticketing system. The information security manager notices that unrelated events—malware alerts, data exposure reports, and phishing attempts—are all handled by the same generic workflow, causing specialized teams to be engaged inconsistently. Which improvement to the incident management process would MOST directly address this problem?

Reviewed for accuracy · Report an issue
Question 22 of 25

During a security event, a SOC analyst detects unusual outbound traffic from a server that hosts a customer-facing payment application. The analyst is unsure how urgently to escalate and which stakeholders to notify. Which activity, if performed FIRST, would BEST determine the appropriate escalation path and response resources?

Reviewed for accuracy · Report an issue
Question 23 of 25

During a major data breach affecting customers, a journalist calls a help-desk technician directly and asks for confirmation of the number of records exposed. The technician is aware of internal chatter about the incident. What should the incident response plan direct the technician to do?

Reviewed for accuracy · Report an issue
Question 24 of 25

A security analyst at a financial services firm notices unusual outbound traffic from a database server during routine monitoring. The analyst is unsure whether this rises to the level of a formal security incident that should activate the incident response team. Which of the following would MOST effectively help the analyst make this determination consistently?

Reviewed for accuracy · Report an issue
Question 25 of 25

A SOC analyst receives an automated alert from the intrusion detection system indicating possible lateral movement on an internal subnet. Before any containment actions are taken, what should the analyst do FIRST?

Reviewed for accuracy · Report an issue