Isaca CISM Exam Questions - Real Practice Questions for Guaranteed Success

Question 1

What should be the NEXT course of action when an information security manager has identified a department that is repeatedly not following the security policy?

APerform a vulnerability assessment on the systems within the department.

BIntroduce additional controls to force compliance with policy.

CRequire department users to repeat security awareness training.

DReport the policy violation to senior management.

Correct : D

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

APerform a vulnerability assessment on the systems within the department.

BIntroduce additional controls to force compliance with policy.

CRequire department users to repeat security awareness training.

DReport the policy violation to senior management.

0 / 1500

Question 2

Which of the following is MOST important for an information security manager to consider when determining whether data should be stored?

AData protection regulations

BData storage limitations

CBusiness requirements

DType and nature of data

Correct : C

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

AData protection regulations

BData storage limitations

CBusiness requirements

DType and nature of data

0 / 1500

Question 3

Which of the following is the MOST important characteristic of an effective information security metric?

AThe metric expresses residual risk relative to risk tolerance.

BThe metric is frequently reported to senior management.

CThe metric directly maps to an industry risk management framework.

DThe metric compares the organization's inherent risk against its risk appetite.

Correct : A

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

AThe metric expresses residual risk relative to risk tolerance.

BThe metric is frequently reported to senior management.

CThe metric directly maps to an industry risk management framework.

DThe metric compares the organization's inherent risk against its risk appetite.

0 / 1500

Question 4

Which of the following should an organization do FIRST upon learning that a subsidiary is located in a country where civil unrest has just begun?

AAssess changes in the risk profile.

BActivate the disaster recovery plan (DRP).

CInvoke the incident response plan.

DConduct security awareness training.

Correct : A

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

AAssess changes in the risk profile.

BActivate the disaster recovery plan (DRP).

CInvoke the incident response plan.

DConduct security awareness training.

0 / 1500

Question 5

Senior management recently approved a mobile access policy that conflicts with industry best practices. Which of the following is the information security manager's BEST course of action when developing security standards for mobile access to the organization's network?

AAlign the standards with the organizational policy.

BAlign the standards with industry best practices.

CResolve the discrepancy before developing the standards.

DPerform a cost-benefit analysis of aligning the standards to policy.

Correct : C

The Information Security Manager's primary responsibility is to ensure that the organization's information assets are adequately protected. In this scenario, there is a conflict between the approved mobile access policy and industry best practices. Developing security standards based on a flawed policy could lead to significant security vulnerabilities.

Why the other options are not the best course of action:

A . Align the standards with the organizational policy: This would perpetuate the misalignment with best practices, potentially leaving the organization exposed to risks.

B . Align the standards with industry best practices: While this is ideal from a security perspective, it directly contradicts the approved policy, which could create operational and compliance issues.

D . Perform a cost-benefit analysis of aligning the standards to policy: A cost-benefit analysis might be useful at some point, but it does not address the fundamental issue of a policy that is not in line with best practices.

Key CISM Principles Reflected:

Alignment with Organizational Objectives: Security standards and policies should support and enable the organization's business objectives.

Risk Management: Identifying, assessing, and mitigating risks are essential elements of information security management.

Governance: Effective governance ensures that information security activities are aligned with the organization's strategies and objectives.

In summary: The Information Security Manager should proactively engage senior management to highlight the discrepancy between the approved policy and industry best practices. The goal is to revise the policy to ensure it adequately addresses security risks while supporting the organization's objectives. Once the policy is aligned with best practices, the security standards can be developed accordingly.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

AAlign the standards with the organizational policy.

BAlign the standards with industry best practices.

CResolve the discrepancy before developing the standards.

DPerform a cost-benefit analysis of aligning the standards to policy.

0 / 1500

Master Isaca CISM Exam with Reliable Practice Questions

Options Selected by Other Users:

Options Selected by Other Users:

Options Selected by Other Users:

Options Selected by Other Users:

Options Selected by Other Users: