ISACA CISM — Certified Information Security Manager · Domain 4 · 30% of exam

Incident Management

Drill 20 practice questions focused entirely on Incident Management for the ISACA CISM exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

During a business impact analysis (BIA) for a manufacturing company, the information security manager finds that the finance department claims its payroll system is the most critical asset requiring the shortest recovery time. However, an operations manager insists the production control system must be restored first, as a shutdown halts all revenue-generating output within hours. The two departments cannot agree on relative priority. What is the security manager's BEST next step to resolve the conflict and produce a defensible BIA?

Reviewed for accuracy · Report an issue
Question 2 of 20

During the investigation of a suspected fraud incident, a security analyst copies key log files and a disk image from the affected server to a shared network folder so that several team members can review them simultaneously. The incident may later result in legal action against an employee. From an evidence-handling perspective, what is the MOST significant problem with the analyst's action?

Reviewed for accuracy · Report an issue
Question 3 of 20

During a disaster recovery test, the information security manager observes that a critical order-processing system was restored and made operational within 5 hours, meeting its documented 6-hour recovery time objective (RTO). However, the recovered database was missing the last 3 hours of transactions before the outage, while the documented recovery point objective (RPO) for that system is 30 minutes. Which of the following is the MOST important conclusion the security manager should draw from this test result?

Reviewed for accuracy · Report an issue
Question 4 of 20

An organization's help desk logs all reported events into a ticketing system. The information security manager notices that unrelated events—malware alerts, data exposure reports, and phishing attempts—are all handled by the same generic workflow, causing specialized teams to be engaged inconsistently. Which improvement to the incident management process would MOST directly address this problem?

Reviewed for accuracy · Report an issue
Question 5 of 20

During a security event, a SOC analyst detects unusual outbound traffic from a server that hosts a customer-facing payment application. The analyst is unsure how urgently to escalate and which stakeholders to notify. Which activity, if performed FIRST, would BEST determine the appropriate escalation path and response resources?

Reviewed for accuracy · Report an issue
Question 6 of 20

During a major data breach affecting customers, a journalist calls a help-desk technician directly and asks for confirmation of the number of records exposed. The technician is aware of internal chatter about the incident. What should the incident response plan direct the technician to do?

Reviewed for accuracy · Report an issue
Question 7 of 20

A security analyst at a financial services firm notices unusual outbound traffic from a database server during routine monitoring. The analyst is unsure whether this rises to the level of a formal security incident that should activate the incident response team. Which of the following would MOST effectively help the analyst make this determination consistently?

Reviewed for accuracy · Report an issue
Question 8 of 20

During a contained malware incident, the response team discovers the infection has spread to the systems supporting the organization's primary customer-facing platform, and full restoration is now expected to exceed the documented maximum tolerable downtime. As the information security manager, what is the MOST appropriate next action?

Reviewed for accuracy · Report an issue
Question 9 of 20

A SOC analyst receives an automated alert from the intrusion detection system indicating possible lateral movement on an internal subnet. Before any containment actions are taken, what should the analyst do FIRST?

Reviewed for accuracy · Report an issue
Question 10 of 20

A security manager wants to improve the organization's ability to detect intrusions early. The SIEM currently generates thousands of alerts daily, but most are false positives, and a recent breach went undetected for weeks because malicious activity blended in with normal traffic. Which action would MOST effectively improve the organization's detection capability?

Reviewed for accuracy · Report an issue
Question 11 of 20

Six months after deploying a SIEM, the incident response team reports that analysts are ignoring most alerts because the vast majority turn out to be benign, and a recent malware infection went unnoticed for two weeks despite generating log entries. Which action should the information security manager prioritize to improve incident detection effectiveness?

Reviewed for accuracy · Report an issue
Question 12 of 20

During a security incident, the response team has successfully contained a compromised web server by isolating it from the network. Application services are being restored to a standby environment to maintain business operations. Before declaring the incident resolved, the incident manager insists on one additional step during the eradication phase. Which action is MOST important to complete before recovery is finalized?

Reviewed for accuracy · Report an issue
Question 13 of 20

During a confirmed intrusion, an attacker has established a foothold on a single server in a segmented DMZ but has not yet moved laterally. The incident response team is under pressure from operations to keep the customer-facing application online. The information security manager must decide on a containment strategy. Which factor should MOST influence the choice between immediate isolation and delayed containment?

Reviewed for accuracy · Report an issue
Question 14 of 20

A security analyst receives multiple SIEM alerts indicating suspicious lateral movement across several servers in a data center. The incident response team has confirmed the activity is malicious. Before selecting a containment approach, what is the MOST important activity the team should complete during the analysis phase?

Reviewed for accuracy · Report an issue
Question 15 of 20

A newly appointed information security manager reviews the organization's incident management capability and finds that the response team performs well during active incidents but consistently struggles because tools, access credentials, and contact lists are gathered on the fly. Which phase of the incident management lifecycle should the manager strengthen FIRST to address the root cause of these repeated struggles?

Reviewed for accuracy · Report an issue
Question 16 of 20

Following a sophisticated malware incident, the response team has removed the malicious code, patched the exploited vulnerability, and restored affected systems from clean backups. Business operations have resumed normally. Before formally declaring the incident closed, what should the incident manager ensure is done FIRST?

Reviewed for accuracy · Report an issue
Question 17 of 20

Following a widespread malware outbreak that forced a shutdown of multiple systems, the incident response team has completed eradication and validated that all affected hosts are clean. The information security manager must now guide the recovery phase. Several business units are demanding immediate restoration of their applications. What should PRIMARILY determine the sequence in which systems are brought back online?

Reviewed for accuracy · Report an issue
Question 18 of 20

Following the eradication of malware from a compromised customer-facing application, the incident response team has rebuilt the affected servers from known-good images. The business unit is pressuring the information security manager to return the application to production immediately to minimize revenue loss. Before authorizing the transition of the system back to normal operations, what should the information security manager ensure has been established FIRST?

Reviewed for accuracy · Report an issue
Question 19 of 20

During a malware incident, the incident response team has isolated the affected servers and removed the identified malicious files. Management is pressuring the information security manager to restore the servers to production immediately to minimize downtime. What should the information security manager do BEFORE authorizing recovery to production?

Reviewed for accuracy · Report an issue
Question 20 of 20

During a post-incident review, an information security manager discovers that the organization detected a sophisticated intrusion three weeks after the initial compromise, well after data had been exfiltrated. The SIEM was properly tuned and alerts were triaged promptly, but no rule existed to detect the specific attacker technique used. Which improvement would MOST effectively reduce the detection time for similar future attacks?

Reviewed for accuracy · Report an issue

More CISM practice

Keep going with the other ISACA CISM — Certified Information Security Manager domains, or take a full timed mock exam.

← Back to CISM overview