ISACA CISM — Certified Information Security Manager · Domain 2 · 20% of exam

Information Security Risk Management

Drill 20 practice questions focused entirely on Information Security Risk Management for the ISACA CISM exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

An information security manager compiles monthly KRI data showing that failed patch-deployment rates have steadily risen over three consecutive reporting cycles, though no individual threshold has yet been breached. Before the next executive risk committee meeting, what is the MOST important action the manager should take?

Reviewed for accuracy · Report an issue
Question 2 of 20

An information security manager notices that several individually low-rated risks across different business units all stem from the same unpatched legacy authentication service. Each business unit has independently accepted its portion of the risk as within its local tolerance. What should the security manager do FIRST?

Reviewed for accuracy · Report an issue
Question 3 of 20

During a security review, an information security manager identifies that the organization has deployed strong perimeter firewalls but has no monitoring of lateral movement within the internal network. Recent threat intelligence indicates attackers in the industry increasingly use credential theft to move laterally after gaining an initial foothold. Which of the following BEST describes what the manager has identified?

Reviewed for accuracy · Report an issue
Question 4 of 20

Employees across several business units have rapidly begun using a third-party generative AI service to accelerate their work. The information security manager becomes aware of this trend but has no formal record of the tool in the risk register or any assessment of its data handling. Which action should the information security manager take FIRST to address this emerging risk?

Reviewed for accuracy · Report an issue
Question 5 of 20

During a risk assessment for a new customer-facing payment portal, a business unit leader argues that the risk should be rated as 'low' because the organization already has strong web application firewalls, encryption, and multifactor authentication in place. The information security manager wants the assessment to first establish an accurate baseline before comparing it against these safeguards. Which risk value should the information security manager insist on documenting first?

Reviewed for accuracy · Report an issue
Question 6 of 20

An information security manager established a key risk indicator (KRI) that tracks the percentage of privileged accounts without multifactor authentication. The KRI was set with a threshold of 5%. Over the last three monthly reporting cycles the value has climbed from 4% to 6% to 9%, breaching the threshold. What is the security manager's BEST first action?

Reviewed for accuracy · Report an issue
Question 7 of 20

An information security manager is designing key risk indicators (KRIs) for a program that has repeatedly been surprised by ransomware incidents. The manager wants indicators that give the business advance warning so preventive action can be taken before losses occur. Which of the following would be the MOST useful KRI to add for this purpose?

Reviewed for accuracy · Report an issue
Question 8 of 20

During a qualitative risk assessment, an information security manager notices that different business unit leaders rate the same shared risk scenario very differently — one calls the impact 'high' while another calls it 'low' — because each interprets the rating scales based on their own judgment. What should the security manager do FIRST to improve the reliability of the assessment?

Reviewed for accuracy · Report an issue
Question 9 of 20

An information security manager is preparing a quantitative risk analysis to justify investing in a database encryption solution. The organization's customer database is valued at $2,000,000. A successful breach would compromise approximately 40% of the records' value, and threat intelligence indicates such a breach is likely to occur about once every four years. Which figure represents the annualized loss expectancy (ALE) the manager should present to support the decision?

Reviewed for accuracy · Report an issue
Question 10 of 20

After implementing agreed mitigating controls for a critical customer-facing application, the information security manager reassesses the risk and finds the residual risk still exceeds the organization's documented risk appetite. The business unit insists the application must remain in production to meet revenue targets. What should the information security manager do NEXT?

Reviewed for accuracy · Report an issue
Question 11 of 20

A business unit manager wants to continue using a legacy application that cannot support multi-factor authentication. The information security manager has documented that this creates a risk exceeding the organization's defined risk appetite. The manager insists the application is critical to revenue and asks the security team to simply accept the risk. What is the MOST appropriate action for the information security manager?

Reviewed for accuracy · Report an issue
Question 12 of 20

A financial services firm operates a legacy peer-to-peer file-sharing feature that generates minimal revenue but has been repeatedly implicated in data leakage incidents. The residual risk far exceeds the organization's risk appetite even after multiple control enhancements, and no cost-effective mitigation exists. The business owner confirms the feature is not strategically important. Which risk response is MOST appropriate for the information security manager to recommend?

Reviewed for accuracy · Report an issue
Question 13 of 20

A financial services firm has identified that a single perimeter firewall is the only control protecting a customer database containing sensitive PII. A risk assessment rates the residual risk as high, and management has decided to mitigate rather than accept it. The information security manager is asked to recommend the mitigation approach. Which recommendation BEST reduces the residual risk?

Reviewed for accuracy · Report an issue
Question 14 of 20

A manufacturing company deploys new IT and operational technology systems on a near-monthly basis, but risk assessments are only performed during the annual enterprise risk review. As a result, several recently deployed systems introduced significant exposures that were not identified until an incident occurred. Which action would BEST address the root cause of this problem?

Reviewed for accuracy · Report an issue
Question 15 of 20

An information security manager maintains a risk register that was last fully assessed nine months ago. A newly disclosed critical vulnerability is now being actively exploited in the wild against a technology stack the organization uses heavily in a revenue-generating application. What should the information security manager do FIRST?

Reviewed for accuracy · Report an issue
Question 16 of 20

A quantitative risk assessment for a legacy inventory system shows an annualized loss expectancy (ALE) of $40,000. The information security manager evaluates a proposed control that would reduce the ALE to $5,000 but costs $90,000 per year to operate. The system is scheduled for decommissioning in 18 months. Which risk response is the MOST appropriate for the security manager to recommend?

Reviewed for accuracy · Report an issue
Question 17 of 20

A financial services firm outsources credit card payment processing to a third-party provider. The contract shifts operational responsibility to the provider, but recent breach headlines have made the firm's leadership nervous about reputational and regulatory consequences if the provider is compromised. The information security manager is asked to characterize the firm's residual exposure after this outsourcing arrangement. Which statement should the security manager convey to leadership?

Reviewed for accuracy · Report an issue
Question 18 of 20

An information security manager is developing risk scenarios for a newly deployed customer-facing e-commerce platform. The team has documented several threat sources and vulnerabilities but is struggling to prioritize which scenarios warrant deeper analysis. Which input would MOST improve the relevance and prioritization of the risk scenarios?

Reviewed for accuracy · Report an issue
Question 19 of 20

An information security manager is building risk scenarios for a quantitative analysis and needs to estimate how often a ransomware event is likely to affect the organization each year. Which source would provide the MOST reliable basis for estimating the annualized rate of occurrence?

Reviewed for accuracy · Report an issue
Question 20 of 20

An information security manager must recommend which of two risk scenarios to address first. Scenario 1 has a single loss expectancy (SLE) of $50,000 and an annual rate of occurrence (ARO) of 3. Scenario 2 has an SLE of $250,000 and an ARO of 0.5. Mitigation for each costs approximately $80,000 per year. Which scenario should be prioritized for treatment based on cost-effectiveness?

Reviewed for accuracy · Report an issue

More CISM practice

Keep going with the other ISACA CISM — Certified Information Security Manager domains, or take a full timed mock exam.

← Back to CISM overview