Isaca CISM Exam Questions Instant Access - No Installation Required

Question 1

An incident response team has established that an application has been breached. Which of the following should be done NEXT?

AMaintain the affected systems in a forensically acceptable state

BConduct a risk assessment on the affected application

CInform senior management of the breach.

DIsolate the impacted systems from the rest of the network

Answer : D

The next thing an incident response team should do after establishing that an application has been breached is to isolate the impacted systems from the rest of the network, which means disconnecting them from the internet or other network connections to prevent further spread of the attack or data exfiltration. Isolating the impacted systems can help to contain the breach and limit its impact on the organization. The other options, such as maintaining the affected systems in a forensically acceptable state, conducting a risk assessment, or informing senior management, may be done later in the incident response process, after isolating the impacted systems. Reference:

https://www.crowdstrike.com/cybersecurity-101/incident-response/

https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks

https://www.invicti.com/blog/web-security/incident-response-steps-web-application-security/

Question 2

IT projects have gone over budget with too many security controls being added post-production. Which of the following would MOST help to ensure that relevant controls are applied to a project?

AInvolving information security at each stage of project management

BIdentifying responsibilities during the project business case analysis

CCreating a data classification framework and providing it to stakeholders

DProviding stakeholders with minimum information security requirements

Answer : A

The best way to ensure that relevant controls are applied to a project is to involve information security at each stage of project management. This will help to identify and address the security risks and requirements of the project from the beginning, and to integrate security controls into the project design, development, testing, and implementation. This will also help to avoid adding unnecessary or ineffective controls post-production, which can increase the project cost and complexity, and reduce the project performance and quality. By involving information security at each stage of project management, the information security manager can ensure that the project delivers the expected security value and aligns with the organization's security strategy and objectives.Reference= CISM Review Manual 15th Edition, page 41.

Question 3

Which of the following is the MOST essential element of an information security program?

ABenchmarking the program with global standards for relevance

BPrioritizing program deliverables based on available resources

CInvolving functional managers in program development

DApplying project management practices used by the business

Answer : C

Involving functional managers in program development is the most essential element of an information security program, because they are responsible for ensuring that the information security policies, standards, and procedures are implemented and enforced within their respective business units. They also provide input and feedback on the information security requirements, risks, and controls that affect their operations and objectives.

Reference=

CISM Review Manual, 16th Edition, ISACA, 2020, p. 37: ''Functional managers are responsible for ensuring that the information security policies, standards, and procedures are implemented and enforced within their respective business units.''

CISM Review Manual, 16th Edition, ISACA, 2020, p. 38: ''Functional managers should be involved in the development of the information security program to provide input and feedback on the information security requirements, risks, and controls that affect their operations and objectives.''

Question 4

In the context of developing an information security strategy, which of the following provides the MOST useful input to determine the or

ASecurity budget

BRisk register

CRisk score

DLaws and regulations

Answer : D

Laws and regulations provide the most useful input to determine the organization's information security strategy because they define the legal and compliance requirements and obligations that the organization must adhere to, and guide the development and implementation of the security policies and controls that support them. Security budget is not a useful input to determine the organization's information security strategy because it does not reflect the organization's security needs or goals, but rather a resource to enable the security activities and initiatives. Risk register is not a useful input to determine the organization's information security strategy because it does not reflect the organization's security vision or mission, but rather a tool to identify and manage the security risks. Risk score is not a useful input to determine the organization's information security strategy because it does not reflect the organization's security priorities or objectives, but rather a measure of the level of risk exposure or performance. Reference: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/technical-security-standards-for-information-systems https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/how-to-align-security-initiatives-with-business-goals-and-objectives

Question 5

Which of the following is the BEST way lo monitor for advanced persistent threats (APT) in an organization?

ANetwork with peers in the industry to share information.

BBrowse the Internet to team of potential events

CSearch for anomalies in the environment

DSearch for threat signatures in the environment.

Answer : C

An advanced persistent threat (APT) is a stealthy and sophisticated attack that aims to compromise and maintain access to a target network or system over a long period of time, often for espionage or sabotage purposes. APTs are difficult to detect by conventional security tools, such as antivirus or firewalls, that rely on signatures or rules to identify threats. Therefore, the best way to monitor for APTs is to search for anomalies in the environment, such as unusual network traffic, user behavior, file activity, or system configuration changes, that may indicate a compromise or an ongoing attack. Reference: https://www.isaca.org/credentialing/cism https://www.nist.gov/publications/information-security-handbook-guide-managers

Question 6

Which of the following is MOST important to ensure the alignment of an information security program with the organizational strategy?

ABenchmarking against industry peers

BAdoption of an industry recognized framework

CApproval from senior management

DIdentification of business-specific risk factors

Answer : C

Question 7

An information security manager is assessing security risk associated with a cloud service provider. Which of the following is the MOST appropriate reference to consult when performing this assessment?

APrevious provider service level agreements (SLAs)

BSecurity control frameworks

CThreat intelligence reports

DPenetration test results from the provider

Answer : B

Security control frameworks (e.g., ISO/IEC 27001, NIST SP 800-53, CSA Cloud Controls Matrix) provide a structured and standardized approach to assess the security posture of cloud providers. These frameworks ensure completeness and alignment with best practices.

''Standardized security frameworks enable consistent evaluation of third-party providers and alignment with industry-recognized security requirements.''

--- CISM Review Manual 15th Edition, Chapter 3: Third-Party Risk Management*

Penetration test results and SLAs are useful, but only frameworks provide comprehensive coverage.

Isaca Certified Information Security Manager CISM Exam Questions