Exam2pass
0 items Sign In or Register
  • Home
  • IT Exams
  • Guarantee
  • FAQs
  • Reviews
  • Contact Us
  • Demo
Exam2pass > Isaca > Isaca Certifications > CISM > CISM Online Practice Questions and Answers

CISM Online Practice Questions and Answers

Questions 4

Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?

A. More uniformity in quality of service

B. Better adherence to policies

C. Better alignment to business unit needs

D. More savings in total operating costs

Buy Now

Correct Answer: C

Decentralization of information security management generally results in better alignment to business unit needs. It is generally more expensive to administer due to the lack of economies of scale. Uniformity in quality of service tends to vary from unit to unit.

Questions 5

A risk profile supports effective security decisions PRIMARILY because it:

A. defines how to best mitigate future risks.

B. identifies priorities for risk reduction.

C. enables comparison with industry best practices.

D. describes security threats.

Buy Now

Correct Answer: B

Questions 6

An information security manager is implementing a bring your own device (BYOD) program. Which of the following would BEST ensure that users adhere to the security standards?

A. Monitor user activities on the network

B. Publish the standards on the intranet landing page

C. Establish an acceptable use policy

D. Deploy a device management solution

Buy Now

Correct Answer: D

Questions 7

Which of the following is an example of a vulnerability?

A. Natural disasters

B. Defective software

C. Ransomware

D. Unauthorized users

Buy Now

Correct Answer: B

Questions 8

Which of the following BEST facilitates effective strategic alignment of security initiatives?

A. The business strategy is periodically updated

B. Procedures and standards are approved by department heads.

C. Periodic security audits are conducted by a third-party.

D. Organizational units contribute to and agree on priorities

Buy Now

Correct Answer: D

Organizational units contribute to and agree on priorities is the best way to facilitate effective strategic alignment of security initiatives because it ensures that the security initiatives are aligned with the business goals and objectives, supported by relevant stakeholders, and prioritized based on risk and value. The business strategy is periodically updated is not sufficient to facilitate effective strategic alignment of security initiatives because it does not involve collaboration or communication between different organizational units. Procedures and standards are approved by department heads is not sufficient to facilitate effective strategic alignment of security initiatives because it does not reflect the strategic direction or vision of the organization. Periodic security audits are conducted by a third-party is not sufficient to facilitate effective strategic alignment of security initiatives because it does not address the planning or implementation of security initiatives. References: https://www.isaca.org/resources/isaca-journal/issues/2016/volume- 2/how-to-align-security-initiatives-with-business-goals-and-objectives https://www.isaca.org/resources/isaca-journal/issues/2015/volume-1/how-to-measure-theeffectiveness-of-information-security-governance

Questions 9

Which of the following BEST describes a buffer overflow?

A. A function is carried out with more data than the function can handle

B. A program contains a hidden and unintended function that presents a security risk

C. Malicious code designed to interfere with normal operations

D. A type of covert channel that captures data

Buy Now

Correct Answer: A

A buffer overflow is a software coding error or vulnerability that occurs when a function is carried out with more data than the function can handle, resulting in adjacent memory locations being overwritten or corrupted by the excess data1. A

program contains a hidden and unintended function that presents a security risk is not a buffer overflow, but rather a backdoor2. Malicious code designed to interfere with normal operations is not a buffer overflow, but rather malware3. A type

of covert channel that captures data is not a buffer overflow, but rather a keylogger.

References:

https://www.fortinet.com/resources/cyberglossary/buffer-overflow 2 https://www.fortinet.com/resources/cyberglossary/backdoor 3 https://www.fortinet.com/resources/cyberglossary/malware https://www.fortinet.com/resources/cyberglossary/

keylogger

Questions 10

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

A. To define security roles and responsibilities

B. To determine return on investment (ROI)

C. To establish incident severity levels

D. To determine the criticality of information assets

Buy Now

Correct Answer: D

A business impact analysis (BIA) is a process that identifies and evaluates the potential effects of disruptions to critical business operations as a result of a disaster, accident or emergency. The primary purpose of a BIA is to determine the criticality of information assets and the impact of their unavailability on the organization's mission, objectives and reputation. (From CISM Review Manual 15th Edition) References: CISM Review Manual 15th Edition, page 178, section 4.3.2.1.

Questions 11

Company A, a cloud service provider, is in the process of acquiring Company B to gain new benefits by incorporating their technologies within its cloud services.

Which of the following should be the PRIMARY focus of Company A's information security manager?

A. The organizational structure of Company B

B. The cost to align to Company A's security policies

C. Company A's security architecture

D. Company B's security policies

Buy Now

Correct Answer: D

According to the CISM Review Manual, the security architecture of an organization defines the security principles, standards, guidelines and procedures that support the information security strategy and align with the business objectives.

When acquiring another company, the information security manager of the acquiring company should focus on ensuring that the security architecture of the acquired company is compatible with its own, or that any gaps or conflicts are

identified and resolved.

References: CISM Review Manual, 27th Edition, Chapter 2, Section 2.1.2, page 751.

Questions 12

Of the following, who is MOST appropriate to own the risk associated with the failure of a privileged access control?

A. Data owner

B. Business owner

C. Information security manager

D. Compliance manager

Buy Now

Correct Answer: B

The business owner is the most appropriate person to own the risk associated with the failure of a privileged access control because they are ultimately responsible for the protection and use of the information in their business unit

1.

The data owner is responsible for determining the access rights for specific data sets, but not for the access control mechanisms

2.

The information security manager is responsible for implementing and enforcing the security policies and standards, but not for owning the risk

3.

The compliance manager is responsible for ensuring that the organization meets the regulatory requirements, but not for owning the risk. References: 1 https://www.cyberark.com/resources/blog/how-do-you-prioritize-risk-for-privilegedaccess- management 3 https://www.isaca.org/resources/isaca-journal/issues/2017/volume- 1/capability-framework-for-privileged-access- management 2 https://security.stackexchange.com/questions/218049/what-is-the-difference-betweendata-owner-data-custodian-and-system-owner

Questions 13

Which of the following is the GREATEST benefit of information asset classification?

A. Helping to determine the recovery point objective (RPO)

B. Providing a basis for implementing a need-to-know policy

C. Supporting segregation of duties

D. Defining resource ownership

Buy Now

Correct Answer: B

Exam Code: CISM
Exam Name: Certified Information Security Manager
Last Update: Jul 02, 2026
Questions: 1583

PDF (Q&A)

$45.99
ADD TO CART

VCE

$49.99
ADD TO CART

PDF + VCE

$59.99
ADD TO CART

Exam2Pass----The Most Reliable Exam Preparation Assistance

There are tens of thousands of certification exam dumps provided on the internet. And how to choose the most reliable one among them is the first problem one certification candidate should face. Exam2Pass provide a shot cut to pass the exam and get the certification. If you need help on any questions or any Exam2Pass exam PDF and VCE simulators, customer support team is ready to help at any time when required.

Home | Guarantee & Policy |  Privacy & Policy |  Terms & Conditions |  How to buy |  FAQs |  About Us |  Contact Us |  Demo |  Reviews

2026 Copyright @ exam2pass.com All trademarks are the property of their respective vendors. We are not associated with any of them.