
CISM Certification Exam Practice

Class notes Jan 2, 2026 ★★★★☆ (4.0/5)

Certified Information Security Manager (CISM) Certification Exam Practice Questions And Correct Answers (Verified Answers) Plus Rationales 2026 Q&A | Instant Download Pdf

1. Which of the following best defines the primary role of information security governance?

  • To ensure the organization complies with all security standards
  • To align information security strategies with business objectives
  • To implement technical security controls
  • To manage day-to-day security operations

Correct answer: To align information security strategies with business objectives

Rationale: Governance focuses on aligning security programs with business goals rather than technical implementation or daily operations.

2. Which process ensures that information security policies are understood and consistently followed by employees?

  • Risk assessment
  • Security awareness training
  • Security audit
  • Incident response

Correct answer: Security awareness training

Rationale: Awareness programs educate employees about policies and acceptable security behavior, ensuring consistent adherence.

3. What is the primary purpose of a Business Impact Analysis (BIA)?

  • To implement preventive controls
  • To identify critical business functions and their dependencies
  • To monitor security incidents
  • To conduct vulnerability assessments

Correct answer: To identify critical business functions and their dependencies

Rationale: A BIA identifies essential business processes and the impact of their disruption, guiding continuity planning.

4. Which of the following is the MOST important factor when developing an information security strategy?

  • Available security technologies
  • Organizational goals and risk appetite
  • Compliance requirements
  • Industry benchmarks

Correct answer: Organizational goals and risk appetite

Rationale: Security strategy must align with business objectives and the level of risk the organization is willing to accept.

5. A key performance indicator (KPI) for information security governance should primarily:

  • Measure the number of security incidents
  • Evaluate alignment with business objectives
  • Track security control implementation
  • Assess technical vulnerabilities

Correct answer: Evaluate alignment with business objectives

Rationale: Governance KPIs should focus on the effectiveness and alignment of security with organizational goals rather than on operational metrics.

6. What is the BEST method to ensure that security policies remain relevant over time?

  • Annual review and updates
  • Employee surveys
  • Monthly penetration testing
  • Vendor audits

Correct answer: Annual review and updates

Rationale: Policies should be periodically reviewed and updated to remain relevant to organizational changes and emerging threats.

7. Which of the following is a primary objective of an information security risk assessment?

  • To implement security controls
  • To identify and evaluate potential threats and vulnerabilities
  • To perform system backups
  • To enforce security policies

Correct answer: To identify and evaluate potential threats and vulnerabilities

Rationale: Risk assessments identify threats and vulnerabilities, providing the basis for informed risk management decisions.

8. Which type of control is designed to prevent unauthorized access before it occurs?

  • Detective control
  • Corrective control
  • Preventive control
  • Compensating control

Correct answer: Preventive control

Rationale: Preventive controls stop incidents from occurring by restricting access or enforcing policies.

9. An organization's risk appetite is BEST described as:

  • The maximum potential loss the organization can sustain
  • The organization's willingness to accept risk to achieve objectives
  • A formal risk register
  • The total number of identified threats

User Reviews

★★★★☆ (4.0/5 based on 1 review)

Student, May 21, 2025, ★★★★☆:

The detailed explanations offered by this document were incredibly useful for my research. A superb purchase!
