ISACA CISM — Certified Information Security Manager · Domain 1 · 17% of exam

Information Security Governance

Drill 20 practice questions focused entirely on Information Security Governance for the ISACA CISM exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A manufacturing enterprise is acquiring a smaller competitor. The acquiring company follows ISO/IEC 27001, while the target has an informal, undocumented security program built around a different framework. The board has asked the information security manager how to approach integrating the two security programs to deliver value while managing risk. What should the information security manager do FIRST?

Reviewed for accuracy · Report an issue
Question 2 of 20

A newly appointed information security manager at a mid-sized financial services firm discovers that the organization's information security policies were written years ago and reference no external standard. The board has asked for assurance that the security program reflects recognized good practice and can be benchmarked against peers. Which action should the security manager take FIRST to address the board's request?

Reviewed for accuracy · Report an issue
Question 3 of 20

A newly appointed information security manager at a manufacturing firm finds that a technically sound security strategy approved two years ago has been largely ignored by business units. Interviews reveal that employees view security controls as obstacles to production targets, and line managers routinely grant exceptions to keep operations moving. Which action would BEST address the underlying cause of the strategy's poor adoption?

Reviewed for accuracy · Report an issue
Question 4 of 20

A newly appointed information security manager presents monthly reports to the board consisting of the number of blocked malware events, patched vulnerabilities, and firewall rule changes. Board members repeatedly ask why the security program deserves continued funding and how it supports strategic objectives. Which change to the reporting approach would BEST address the board's concern?

Reviewed for accuracy · Report an issue
Question 5 of 20

A multinational retailer operates in several countries, each with different breach notification timelines and data protection obligations. The information security manager discovers that one jurisdiction requires notification within 72 hours, while a contractual clause with a major partner requires immediate notification of any incident, and a third country mandates notification only after confirmed harm to individuals. To address these conflicting legal, regulatory, and contractual requirements when developing the incident response and governance approach, what should the information security manager do FIRST?

Reviewed for accuracy · Report an issue
Question 6 of 20

A manufacturing company signs a contract with a large retail customer that includes strict information security clauses requiring encryption of all customer data and 24-hour breach notification. The company stores this data with a third-party cloud provider whose standard service agreement offers only 72-hour breach notification and does not commit to the required encryption controls. What should the information security manager do FIRST?

Reviewed for accuracy · Report an issue
Question 7 of 20

A newly appointed information security manager discovers that business units routinely adopt unsanctioned cloud applications ('shadow IT') because the formal approval process is perceived as slow and bureaucratic. Executives value the units' agility and are reluctant to impose heavy controls. Which action would BEST address the root cause while supporting enterprise governance objectives?

Reviewed for accuracy · Report an issue
Question 8 of 20

A newly appointed information security manager discovers that during a recent ransomware incident, no one initiated the containment decision because staff assumed the IT operations team, the legal department, and the CISO each held that authority. Post-incident review shows overlapping and undocumented responsibilities across several security processes. Which action will BEST prevent this type of failure in the future?

Reviewed for accuracy · Report an issue
Question 9 of 20

A newly appointed information security manager finds that security decisions are made informally within the IT department and are not visible to or endorsed by the enterprise's existing corporate governance structures (board committees, risk committee, and audit committee). The manager wants information security to become a sustainable part of how the organization is directed and controlled. Which action would BEST achieve this objective?

Reviewed for accuracy · Report an issue
Question 10 of 20

A newly appointed information security manager wants senior executives to approve funding for a multi-year security program. Previous requests were rejected because leadership viewed security spending as a cost with no measurable return. Which approach will BEST secure executive approval for the program?

Reviewed for accuracy · Report an issue
Question 11 of 20

A newly appointed CISO has operated the information security governance program for one year. The board now asks for evidence that governance itself—not just individual controls—is effective and delivering value. Which of the following would BEST demonstrate the effectiveness of the governance program to the board?

Reviewed for accuracy · Report an issue
Question 12 of 20

A newly appointed information security manager discovers that the organization's security program operates without a formal charter. Security decisions are frequently overturned by business unit leaders who claim security has no authority to mandate controls. To establish legitimate, enterprise-wide authority for the security function, what should the security manager do FIRST?

Reviewed for accuracy · Report an issue
Question 13 of 20

A newly appointed information security manager observes that the organization's security program lacks clear separation between strategic direction-setting and day-to-day operational execution. Executives frequently make operational security decisions, while the security team independently sets risk appetite without executive input. To correct this, which distinction should the manager emphasize when redefining roles and responsibilities?

Reviewed for accuracy · Report an issue
Question 14 of 20

A newly appointed information security manager finds that the security function currently reports directly to the head of IT operations. The manager is concerned that this arrangement may compromise the objectivity of security decisions, particularly when security controls conflict with operational uptime targets. Which of the following is the BEST recommendation to address this governance concern?

Reviewed for accuracy · Report an issue
Question 15 of 20

A newly appointed information security manager finds that security decisions across the enterprise are made inconsistently — IT approves some risk exceptions, business units approve others, and there is no coordinated forum for prioritizing security investments. Executives complain that security initiatives lack business buy-in and frequently stall. Which action would MOST effectively address the root cause of these governance problems?

Reviewed for accuracy · Report an issue
Question 16 of 20

A newly appointed information security manager discovers that the organization has multiple security initiatives underway, each championed by a different business unit and funded from separate budgets. The initiatives frequently overlap, and there is no clear link between them and the enterprise's stated business objectives. The board has asked the manager to bring order to these efforts. Which action should the manager take FIRST?

Reviewed for accuracy · Report an issue
Question 17 of 20

A newly appointed information security manager is tasked with developing an information security strategy for a manufacturing enterprise that has never had a formal strategy. Before proposing specific initiatives and investments, which of the following provides the MOST important foundation for the strategy?

Reviewed for accuracy · Report an issue
Question 18 of 20

A multinational manufacturer operates in several countries where privacy and cybersecurity laws are frequently changing. The information security manager wants to ensure the security strategy continues to satisfy legal and regulatory obligations over time without requiring an emergency response every time a new law is enacted. Which action would BEST support this objective?

Reviewed for accuracy · Report an issue
Question 19 of 20

A newly appointed information security manager has documented the organization's desired future state for security, which is aligned with an approved governance framework and endorsed by executive management. Before developing a roadmap of initiatives to present for funding, what should the manager do NEXT?

Reviewed for accuracy · Report an issue
Question 20 of 20

A newly hired information security manager finds that the organization's security strategy exists on paper but is largely ignored across business units. Middle managers view security as an IT concern and rarely allocate resources to security initiatives. The manager wants to ensure the strategy becomes an enduring, enterprise-wide priority. Which action will MOST effectively establish the foundation for lasting organizational commitment to the security strategy?

Reviewed for accuracy · Report an issue

More CISM practice

Keep going with the other ISACA CISM — Certified Information Security Manager domains, or take a full timed mock exam.

← Back to CISM overview