CISM 150 Questions and Answers Exam Practice - Free
CISM MOCK EXAM — BATCH 1 (Questions 1–20)
Total: 20 questions (mix of Domains 1–4)
CISM Style: 70% decision-based, 20% scenario, 10% conceptual
DOMAIN 1 – Information Security Governance
(Questions 1–5)
Q1 (D1) — Governance Alignment
A new CEO wants to ensure that information security contributes to business growth rather than just compliance. What should the Information Security Manager do FIRST?
A. Update the existing technical security standards.
B. Map current security initiatives to business objectives.
C. Deploy new monitoring tools to improve visibility.
D. Conduct a full enterprise-wide penetration test.
Correct Answer: B
Explanation: Governance starts with alignment between security initiatives and business objectives. Tools/tests come later.
Q2 (D1) — Policy vs Standard
Which statement BEST describes the purpose of an information security policy?
A. Provides day-to-day operational instructions for staff.
B. Defines management’s direction and high-level expectations.
C. Lists all approved technologies used by the organization.
D. Outlines step-by-step configuration guidance.
Correct Answer: B
Explanation: Policies express top-level management direction, not operational details.
Q3 (D1) — Board Reporting
The board is requesting a more “strategic” security update. Which report BEST satisfies this requirement?
A. Number of malware alerts blocked by firewalls
B. Comparison of risk posture against organizational risk appetite
C. Monthly patch compliance percentages
D. SOC analyst performance scores
Correct Answer: B
Explanation: Boards care about risk posture vs appetite, not operational activity metrics.
Q4 (D1) — Governance Engagement
Business units rarely include the security team in strategic planning discussions. What is the BEST governance improvement?
A. Require mandatory technical security training for all business leaders.
B. Establish a governance committee that includes security representation.
C. Increase the security budget for new tools and automation.
D. Require the CISO to approve all new business initiatives.
Correct Answer: B
Explanation: Embedding security into governance structures ensures early engagement.
Q5 (D1) — Accountability Trap
Who is ultimately accountable for information security within the enterprise?
A. Information Security Manager
B. IT Operations Manager
C. Senior Management / Executive Leadership
D. Internal Audit
Correct Answer: C
Explanation: According to governance principles, executive leadership holds ultimate accountability—not IT or audit.
DOMAIN 2 – Information Security Risk Management
(Questions 6–10)
Q6 (D2) — Risk Acceptance Level
A business manager wants to accept a high residual risk. What is the MOST appropriate response?
A. Approve the acceptance immediately.
B. Escalate the decision to the appropriate senior authority.
C. Reject the acceptance request.
D. Require additional vulnerability scans.
Correct Answer: B
Explanation: High residual risk must be accepted at the correct senior level, not by the security manager alone.
Q7 (D2) — Inherent vs Residual Risk
Residual risk is BEST defined as:
A. Risk remaining after controls are implemented.
B. Risk before controls are applied.
C. Risk transferred through insurance.
D. Risk that cannot be mitigated.
Correct Answer: A
Explanation: Residual risk = inherent risk minus control effect.
Q8 (D2) — Scenario-Based Risk Assessment
A company plans to launch an online service in two weeks. Security testing found several medium-risk vulnerabilities. What should the Information Security Manager do FIRST?
A. Delay the launch until all vulnerabilities are fixed.
B. Conduct a risk assessment to evaluate business impact and urgency.
C. Approve the go-live immediately since they are medium risks.
D. Request development to perform additional penetration testing.
Correct Answer: B
Explanation: Always perform risk assessment first—never jump to delay or approve.
Q9 (D2) — Third-Party Risk
A cloud provider refuses to share detailed internal test reports but provides SOC 2 and ISO 27001 certifications. What should the security manager do?
A. Accept the certifications as sufficient assurance.
B. Terminate the contract immediately.
C. Evaluate whether certification scope covers required controls.
D. Request access to all internal logs.
Correct Answer: C
Explanation: Certifications are useful only if the scope is relevant. Verification is required.
Q10 (D2) — Risk Communication
Key stakeholders perceive a medium risk as “critical.” What should the Information Security Manager do FIRST?
A. Escalate to the audit committee.
B. Provide a clear explanation of the risk rating method.
C. Lower the rating to satisfy stakeholders.
D. Perform a second risk assessment with another team.
Correct Answer: B
Explanation: Misalignment usually comes from misunderstanding, so clarify methodology first.
DOMAIN 3 – Security Program Development & Management
(Questions 11–15)
Q11 (D3) — Program Roadmap Priority
Which initiative should be the FIRST priority when building a security program roadmap?
A. Implementation of advanced security analytics.
B. Projects aligned with regulatory deadlines and high risks.
C. Deployment of passwordless authentication.
D. Configuring all systems to use the same OS version.
Correct Answer: B
Explanation: Program management is risk- and compliance-driven.
Q12 (D3) — Awareness Effectiveness
Which BEST indicates that security awareness training is effective?
A. High attendance rates
B. Completion of annual training modules
C. Reduction in social engineering incidents
D. Number of emails sent to employees
Correct Answer: C
Explanation: Effectiveness = behavior change, not participation.
Q13 (D3) — Program Maturity
A mature security program is BEST characterized by:
A. Strong reliance on manual processes
B. Reactive approach to emerging risks
C. Continuous improvement based on metrics and trends
D. Heavy investment in security tools
Correct Answer: C
Explanation: Maturity means measured, repeatable, and improving processes.
Q14 (D3) — Security Architecture
When creating a security architecture, what is the MOST important input?
A. Penetration test results
B. Vendor tools available on the market
C. Business processes and information flows
D. Number of network devices
Correct Answer: C
Explanation: Architecture must reflect how the business uses information.
Q15 (D3) — Program Governance
Which factor is MOST critical to long-term success of an information security program?
A. Budget increases every year
B. Executive sponsorship and business alignment
C. Number of certifications held by security staff
D. Adoption of the newest technology
Correct Answer: B
Explanation: Governance success = executive support + alignment.
DOMAIN 4 – Incident Management
(Questions 16–20)
Q16 (D4) — Triage FIRST
A user reports unusual system behavior. What is the FIRST step?
A. Shut down the workstation
B. Begin triage to validate and classify the incident
C. Reinstall the OS
D. Notify law enforcement
Correct Answer: B
Explanation: Incident handling always begins with triage.
Q17 (D4) — Containment Decision
During an active attack, business leaders demand immediate system restoration. Forensic evidence has not been collected. What should the security manager do?
A. Restore systems immediately
B. Refuse and delay restoration
C. Explain trade-offs and request a business-risk decision
D. Ignore business pressure
Correct Answer: C
Explanation: CISM emphasizes risk-based decision-making shared with business owners.
Q18 (D4) — Incident Metrics
Which metric BEST reflects incident response performance?
A. Number of alerts generated
B. Mean time to detect (MTTD) and mean time to respond (MTTR)
C. Number of systems patched
D. Number of SOC analysts
Correct Answer: B
Explanation: Detection and response time = key performance indicators.
Q19 (D4) — Escalation Criteria
Which situation warrants escalation to senior management?
A. Low-impact malware infection
B. Repeated failed login attempts
C. Incident exceeding recovery time objectives (RTOs)
D. Internal phishing simulation failure
Correct Answer: C
Explanation: Exceeding RTO = business impact, requiring senior attention.
Q20 (D4) — Lessons Learned
The MOST important output of a post-incident review is:
A. Identification of employees to discipline
B. Recommendations for process and control improvement
C. A list of all technical logs involved
D. Evidence prepared for legal action
Correct Answer: B
Explanation: CISM focuses on process improvement, not blame.
CISM MOCK EXAM — BATCH 2 (Questions 21–40)
DOMAIN 1 – Information Security Governance
(Questions 21–25)
Q21 (D1) — Governance & Accountability
A business director argues that information security is “an IT responsibility.” What is the BEST response from the Information Security Manager?
A. Agree and delegate all security ownership to IT operations.
B. Explain that ultimate accountability lies with executive management and business leadership.
C. Involve internal audit to enforce compliance.
D. Require the business director to undergo technical security training.
Correct Answer: B
Explanation: Governance principle: business leadership holds accountability, security/IT provides support—not ownership.
Q22 (D1) — Policy Approval
Which person or group should approve the enterprise-wide information security policy?
A. IT operations manager
B. Legal department
C. Executive management or the board
D. Security architect
Correct Answer: C
Explanation: Policies represent management direction, so they require executive approval.
Q23 (D1) — Strategic Alignment
Which of the following BEST ensures that the information security program remains aligned with the enterprise’s long-term goals?
A. Annual refresh of technical standards
B. Quarterly review of risk metrics with senior management
C. Increasing penetration testing frequency
D. Implementing a network segmentation project
Correct Answer: B
Explanation: Regular risk-based reviews with senior leadership keep security aligned with business direction.
Q24 (D1) — Cost vs Benefit
Senior executives request justification for a proposed security governance framework. What should the Information Security Manager emphasize FIRST?
A. Technical complexity of the framework
B. Benchmark comparisons with competitor organizations
C. Expected improvements in risk posture and business assurance
D. How many new controls will be implemented
Correct Answer: C
Explanation: Governance benefits = reduced risk + improved assurance, not technical details.
Q25 (D1) — Governance Maturity
Which indicator MOST strongly suggests that security governance is maturing?
A. More security incidents are detected
B. Business units proactively engage security during strategic planning
C. The security team grows in size
D. Annual audits find more technical findings
Correct Answer: B
Explanation: Early and proactive business engagement is a hallmark of mature governance.
DOMAIN 2 – Information Security Risk Management
(Questions 26–30)
Q26 (D2) — Risk Threshold
A risk assessment shows a moderate impact and low likelihood. Business leadership asks whether mitigation is necessary. What is the BEST course of action?
A. Mitigate immediately to avoid all potential risk.
B. Accept the risk if within the organization’s risk appetite.
C. Transfer the risk through cyber insurance.
D. Increase monitoring but prohibit acceptance.
Correct Answer: B
Explanation: Risk within appetite can be accepted responsibly.
Q27 (D2) — Scenario: Sudden Change in Risk
A critical vulnerability is discovered in a widely used system. No exploit exists yet, but one is expected soon. What should the Information Security Manager do FIRST?
A. Patch immediately, regardless of downtime impact.
B. Conduct a quick risk evaluation including potential impact and urgency.
C. Wait until an exploit is confirmed.
D. Disable the system entirely.
Correct Answer: B
Explanation: Even urgent vulnerabilities require risk evaluation before decisions are made.
Q28 (D2) — Quantitative vs Qualitative
Which factor BEST differentiates quantitative from qualitative risk assessment?
A. Use of numbers or monetary values
B. Use of subject matter experts
C. Use of probability scoring
D. Use of high/medium/low scales
Correct Answer: A
Explanation: Quantitative assessment expresses risk in numbers, typically monetary values (expected loss). Qualitative assessment uses descriptive ordinal scales such as high/medium/low. Both approaches estimate likelihood and both draw on subject matter experts, so those factors do not differentiate them.
Q29 (D2) — Third-Party Traceability
A vendor claims compliance with security standards but provides no proof. What should the Information Security Manager request FIRST?
A. Proof of certification and validation by accredited auditors
B. A copy of all internal assessment procedures
C. Access to their internal SIEM
D. A detailed list of firewall rules
Correct Answer: A
Explanation: Certifications/audits must be verifiable.
Q30 (D2) — Residual Risk Communication
If residual risk remains high after mitigation efforts, the Information Security Manager should:
A. Accept the risk on behalf of the business
B. Request a formal decision from the correct risk owner
C. Order immediate redesign of all controls
D. Ignore the risk since mitigation has already occurred
Correct Answer: B
Explanation: Acceptance of high residual risk must be made at the correct organizational level.
DOMAIN 3 – Security Program Development & Management
(Questions 31–35)
Q31 (D3) — Resource Prioritization
Budget cuts require reducing the number of security initiatives this year. What is the BEST approach?
A. Cancel all initiatives equally
B. Prioritize projects addressing high-impact risks or compliance
C. Select the cheapest initiatives
D. Delay improvements to monitoring and logging
Correct Answer: B
Explanation: Program priorities must be risk-based.
Q32 (D3) — SDLC Integration
Security has been excluded from early SDLC stages. What is the BEST corrective measure?
A. Require security sign-off only before deployment
B. Integrate security checkpoints at key SDLC gates
C. Provide optional security training to developers
D. Increase post-production testing
Correct Answer: B
Explanation: Embedding security gates ensures consistent integration.
Q33 (D3) — Metrics & KPIs
Which KPI BEST measures the effectiveness of a security program?
A. Number of antivirus licenses
B. Frequency of risk committee meetings
C. Reduction in high-risk findings over time
D. Number of awareness materials created
Correct Answer: C
Explanation: Effectiveness = improved risk posture, not activity volume.
Q34 (D3) — Security Controls Lifecycle
Which activity is MOST critical to ensure long-term control effectiveness?
A. Deploying more advanced tools
B. Continuous monitoring and periodic review
C. Occasional audits
D. Annual penetration tests
Correct Answer: B
Explanation: Controls must be continuously monitored and updated.
Q35 (D3) — Role Clarification
Which statement BEST defines the role of the Information Security Manager?
A. Owns all business risks
B. Ensures security strategy aligns with business goals and supports risk management
C. Manages IT operations
D. Performs internal audit duties
Correct Answer: B
Explanation: Security manager = governance facilitator, not risk owner.
DOMAIN 4 – Incident Management
(Questions 36–40)
Q36 (D4) — Detection vs False Alarms
The SOC reports a spike in false-positive alerts. What should the Information Security Manager do FIRST?
A. Disable the alerting system temporarily
B. Review alert tuning and correlation rules
C. Replace the SIEM immediately
D. Instruct analysts to ignore specific alerts
Correct Answer: B
Explanation: False positives require rule tuning, not shutdown.
Q37 (D4) — Communication in Crisis
During an ongoing cyber incident, executives demand frequent updates. What is the BEST communication approach?
A. Provide high-level, business impact–focused updates
B. Provide all technical details, even if not requested
C. Wait until full resolution before sharing updates
D. Let the SOC communicate directly with executives
Correct Answer: A
Explanation: Executives need business-impact updates, not technical noise.
Q38 (D4) — Containment Strategy
A ransomware infection is spreading laterally across networks. What is the MOST urgent action?
A. Notify law enforcement
B. Perform forensic collection
C. Isolate affected systems immediately
D. Begin rebuilding backups
Correct Answer: C
Explanation: Containment takes priority over investigation and recovery: stopping lateral spread limits the damage, and forensic collection and restoration follow once the incident is contained.
Q39 (D4) — Evidence Handling
What is the MOST important principle when collecting evidence?
A. Complete eradication of the threat
B. Maintaining chain of custody
C. Prioritizing rapid restoration
D. Copying all logs to one location
Correct Answer: B
Explanation: Evidence integrity = chain of custody.
Q40 (D4) — Lessons Learned Outcomes
What is the PRIMARY objective of a lessons-learned meeting?
A. Assign blame to responsible teams
B. Improve future incident response and control effectiveness
C. Identify employees to discipline
D. Produce detailed technical logs
Correct Answer: B
Explanation: Lessons learned = continuous improvement, not blame.
CISM MOCK EXAM — BATCH 3 (Questions 41–60)
DOMAIN 1 – Information Security Governance
(Questions 41–45)
Q41 (D1) — Governance Enforcement
A business unit consistently bypasses security policies to speed up delivery. What is the BEST action for the Information Security Manager?
A. Immediately escalate to internal audit
B. Work with the business unit to understand drivers and adjust policies if appropriate
C. Report the team for disciplinary action
D. Deploy additional monitoring tools
Correct Answer: B
Explanation: Governance is about alignment, not punishment. Understanding business needs enables sustainable compliance.
Q42 (D1) — Business Case Justification
When proposing a new information security initiative, the MOST important justification to executives is:
A. Competitive advantage and alignment with business goals
B. The complexity and sophistication of the security solution
C. Number of features offered by the tool
D. Amount of technical debt reduction
Correct Answer: A
Explanation: Executives respond to business value, not technical bells and whistles.
Q43 (D1) — Policy Lifecycle
The MOST important reason to periodically review security policies is:
A. To update formatting and structure
B. To align with evolving business objectives and regulatory changes
C. To reduce the size of the policy library
D. To satisfy external auditors
Correct Answer: B
Explanation: Policies must reflect current business and regulatory environments.
Q44 (D1) — Accountability Framework
Which role holds ultimate accountability for ensuring information security governance is effective?
A. CISO
B. Board / Executive Leadership
C. Information Security Manager
D. IT Operations
Correct Answer: B
Explanation: Governance accountability always lies with executive leadership.
Q45 (D1) — Governance Communication
What is the MOST effective way to ensure business leaders understand their security responsibilities?
A. Distribute technical documentation
B. Conduct targeted governance briefings aligned to business roles
C. Send monthly incident reports
D. Require mandatory annual exams
Correct Answer: B
Explanation: Role-based governance briefings help leaders understand responsibilities without overwhelming detail.
DOMAIN 2 – Information Security Risk Management
(Questions 46–50)
Q46 (D2) — Scenario: Conflicting Risk Views
Security identifies a risk as “high,” but the business views it as “low priority.” What should the Information Security Manager do FIRST?
A. Enforce mitigation because security rated it high
B. Revisit the risk assessment with business context and adjust if appropriate
C. Accept the business decision immediately
D. Escalate to internal audit
Correct Answer: B
Explanation: Risk evaluation must include business context. Reassessment fosters alignment.
Q47 (D2) — Threat Landscape Changes
A new exploit becomes available for a previously low-likelihood vulnerability. What is the BEST immediate action?
A. Increase monitoring and reassess likelihood
B. Ignore it unless exploitation occurs
C. Deploy new antivirus tools
D. Inform the board immediately
Correct Answer: A
Explanation: A change in the threat landscape invalidates the earlier likelihood estimate, so the risk must be reassessed; it does not by itself justify escalation to the board.
Q48 (D2) — Risk Treatment Decision
Which scenario BEST justifies risk transfer?
A. Cost of controls exceeds expected loss
B. Threat likelihood is extremely low
C. Vendor contract allows shifting liability through agreements
D. Law requires the risk to be mitigated
Correct Answer: C
Explanation: Risk transfer works through contractual or insurance mechanisms, not through low likelihood.
Q49 (D2) — Key Risk Indicator (KRI) Use
KRIs are MOST useful for:
A. Tracking operational tasks
B. Predicting emerging risks before they materialize
C. Measuring policy compliance
D. Counting incident tickets
Correct Answer: B
Explanation: KRIs are forward-looking indicators to predict emerging risks.
Q50 (D2) — TPRM (Third-Party Risk)
A vendor with critical access has not undergone a security review for 3 years. What is the BEST next step?
A. Immediately terminate the contract
B. Conduct a risk-based third-party review
C. Block all vendor access
D. Ignore because the vendor has been stable
Correct Answer: B
Explanation: Third-party access to critical systems requires regular risk-based assessment.
DOMAIN 3 – Security Program Development & Management
(Questions 51–55)
Q51 (D3) — Security Strategy Execution
Which activity BEST demonstrates execution of a security strategy?
A. Implementing a central SIEM
B. Rolling out projects that directly support strategic objectives
C. Increasing the number of audits
D. Buying the latest EDR technology
Correct Answer: B
Explanation: Strategy execution = projects aligned to strategic objectives, not tool purchases.
Q52 (D3) — Awareness Failures
Employees continue clicking phishing emails despite training. What is the BEST action?
A. Punish employees who fail tests
B. Redesign the awareness program with targeted behavioral reinforcement
C. Increase email filtering sensitivity
D. Extend training duration
Correct Answer: B
Explanation: Awareness should focus on behavior change, not punishment or longer sessions.
Q53 (D3) — Program Success Measurement
Which metric BEST demonstrates the success of the security program?
A. Number of security staff
B. Reduction in business-impacting security events
C. Increase in tool usage
D. Number of compliance checklists completed
Correct Answer: B
Explanation: Business impact reduction = true indication of effectiveness.
Q54 (D3) — Resource Management
The security team lacks the skills to manage cloud environments. What is the BEST response?
A. Outsource the entire security function
B. Provide targeted training or hire cloud-competent staff
C. Ignore cloud-specific risks
D. Delay cloud initiatives
Correct Answer: B
Explanation: Skills gaps should be addressed through training or strategic hiring.
Q55 (D3) — Control Integration
Which approach BEST ensures new security controls do not disrupt the business?
A. Deploy controls directly in production to minimize delays
B. Test controls in pilot environments with business involvement
C. Avoid implementing controls that affect workflows
D. Allow business units to disable controls if needed
Correct Answer: B
Explanation: Pilots with business input ensure alignment + minimal disruption.
DOMAIN 4 – Incident Management
(Questions 56–60)
Q56 (D4) — Escalation Criteria
Which scenario MOST requires escalation to senior management?
A. Failed phishing simulation
B. Malware detected and removed automatically
C. Incident likely to impact regulatory compliance
D. Routine scan showing outdated patches
Correct Answer: C
Explanation: Regulatory impact = executive-level concern.
Q57 (D4) — Evidence Preservation
Which practice is MOST important when preserving digital evidence?
A. Collecting all available logs
B. Avoiding changes to the original data
C. Restoring systems before collection
D. Sharing log access with multiple teams
Correct Answer: B
Explanation: Evidence integrity = preserve original state.
Q58 (D4) — Incident Objective
What is the PRIMARY goal of incident management?
A. Achieving perfect forensic detail
B. Minimizing business impact and enabling recovery
C. Ensuring attackers are prosecuted
D. Increasing SOC workload
Correct Answer: B
Explanation: From the CISM perspective, minimizing business impact and restoring normal operations is the priority; forensic completeness and prosecution are secondary objectives.
Q59 (D4) — Communication Flow
During a live incident, technical teams need detailed logs, but executives request business summaries. What is the BEST approach?
A. Provide all details to everyone
B. Tailor communication based on stakeholder roles
C. Share only executive summaries
D. Pause communication until incident is fully resolved
Correct Answer: B
Explanation: Stakeholder-appropriate communication is a core CISM principle.
Q60 (D4) — Post-Incident Review
Which element is MOST critical in a post-incident review?
A. Identification of people responsible for errors
B. Recognition of high-performing employees
C. Analysis of lessons learned and improvement opportunities
D. Review of firewall policies
Correct Answer: C
Explanation: Lessons learned = continuous improvement, not assigning blame.
CISM MOCK EXAM — BATCH 4 (Questions 61–80)
DOMAIN 1 – Information Security Governance
(Questions 61–65)
Q61 (D1) — Governance Reporting
The board requests a “strategic” view of information security. Which report BEST satisfies this?
A. Daily SOC alert summaries
B. Patch compliance percentages
C. Risk posture compared to risk appetite
D. Number of malware detections
Correct Answer: C
Explanation: Boards care about risk posture vs appetite at a strategic level—not operational activity numbers.
Q62 (D1) — Executive Sponsorship
A new security program is struggling because business leaders do not prioritize security. What is the MOST effective step?
A. Provide mandatory technical training to executives
B. Seek executive sponsorship and communicate business-aligned value
C. Purchase more advanced reporting tools
D. Enforce strict penalties for non-compliance
Correct Answer: B
Explanation: Governance requires executive sponsorship and business alignment, not forced compliance.
Q63 (D1) — Policy Enforcement
A business unit refuses to comply with the new data classification policy, saying it is “too complicated.” What is the BEST response?
A. Enforce the policy without exceptions
B. Collaborate with the unit to simplify or tailor the policy where appropriate
C. Escalate to legal immediately
D. Remove the policy requirement entirely
Correct Answer: B
Explanation: Policies should support business usability without compromising governance.
Q64 (D1) — Governance vs Management
Which activity MOST clearly belongs to governance rather than management?
A. Implementing access controls
B. Performing technical security testing
C. Setting direction for the security strategy
D. Configuring firewalls
Correct Answer: C
Explanation: Governance = direction, oversight, alignment. Management = execution.
Q65 (D1) — Business Alignment
Which BEST demonstrates alignment between security and business strategy?
A. Security projects that directly support strategic business initiatives
B. Annual penetration testing
C. SOC analyst productivity improvements
D. Implementing every control in ISO 27001
Correct Answer: A
Explanation: Alignment means security supports business goals, not blindly implementing frameworks.
DOMAIN 2 – Information Security Risk Management
(Questions 66–70)
Q66 (D2) — Risk Ownership Clarification
Business managers keep assigning technical risks to the security team. What is the BEST corrective step?
A. Reject all risk assignments from business
B. Clarify ownership roles and provide training on risk accountability
C. Accept risks on behalf of the business
D. Escalate to internal audit
Correct Answer: B
Explanation: Risk owners = business, not security. Education ensures proper accountability.
Q67 (D2) — Risk Prioritization Scenario
A system supporting a revenue-critical process has multiple medium risks. What should be addressed FIRST?
A. The risk with highest impact regardless of business context
B. Risks that could disrupt revenue-generating processes
C. The easiest risks to fix
D. Risks with the most technical detail
Correct Answer: B
Explanation: Prioritize risks based on business criticality, not just technical severity.
Q68 (D2) — Control Selection
When selecting security controls, what factor should weigh MOST heavily?
A. Security team’s preference
B. Cost-benefit in context of risk reduction
C. Vendor popularity
D. Simplicity of implementation
Correct Answer: B
Explanation: Controls must be risk- and value-driven.
Q69 (D2) — Monitoring Emerging Risks
Which mechanism BEST helps identify emerging risks?
A. Annual audits
B. Regular review of threat intelligence feeds
C. Monthly meeting schedules
D. End-user surveys
Correct Answer: B
Explanation: Threat intelligence is key for identifying new and emerging risks.
Q70 (D2) — False Risk Metrics
A risk register shows dozens of “critical risks” that have never materialized. What should the Information Security Manager do FIRST?
A. Remove all critical risks
B. Re-evaluate risk scoring methodology
C. Accept all risks
D. Create a larger risk committee
Correct Answer: B
Explanation: Too many “critical risks” suggests faulty scoring or misalignment with real business impact.
DOMAIN 3 – Security Program Development & Management
(Questions 71–75)
Q71 (D3) — SDLC Maturity
Developers consistently bypass security requirements in early project stages. What is the BEST solution?
A. Increase end-of-project penetration testing
B. Embed required security checkpoints into SDLC gates
C. Extend the development timeline
D. Assign all testing to the security team
Correct Answer: B
Explanation: Security must be integrated early via SDLC gates.
Q72 (D3) — Skills & Competency
The security team lacks skills in data analytics needed for modern threat detection. What should the manager do FIRST?
A. Terminate underperforming employees
B. Invest in targeted training or hire required expertise
C. Replace the entire SOC platform
D. Outsource all analytics
Correct Answer: B
Explanation: Address skills gaps via training or strategic hiring.
Q73 (D3) — Control Effectiveness
Which BEST indicates a control is still effective?
A. No incidents reported
B. Controls are continuously monitored and reviewed
C. Security team reports fewer vulnerabilities
D. More logs are collected
Correct Answer: B
Explanation: Effectiveness requires ongoing monitoring and review. The absence of reported incidents is not evidence of effectiveness, because it can equally mean the control is no longer detecting anything.
Q74 (D3) — Program Roadmap
When building a security roadmap, what should be prioritized FIRST?
A. Vendor recommendations
B. Risks with high business impact or regulatory obligations
C. Initiatives recommended by IT operations
D. Controls easiest to implement
Correct Answer: B
Explanation: Roadmaps must be risk- and compliance-driven.
Q75 (D3) — Awareness Program
A good awareness program should focus PRIMARILY on:
A. Teaching deep technical concepts
B. Enforcing compliance through punishment
C. Changing user behavior aligned with policies
D. Reducing the security team’s workload
Correct Answer: C
Explanation: Awareness = behavioral change, not technical detail.
DOMAIN 4 – Incident Management
(Questions 76–80)
Q76 (D4) — Immediate Actions
A server shows signs of active compromise. What is the MOST urgent action?
A. Collect every log on the server
B. Disconnect or isolate the server to stop spread
C. Perform full forensic imaging immediately
D. Reboot the server as quick fix
Correct Answer: B
Explanation: Containment always precedes investigation.
Q77 (D4) — Evidence Integrity
When gathering digital evidence, which principle is MOST important?
A. Speed of collection
B. Not altering original data
C. Copying logs into spreadsheets
D. Allowing everyone to access evidence
Correct Answer: B
Explanation: Evidence must remain unaltered to maintain integrity.
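The evidence-integrity principle behind Q39, Q57 and Q77 (hash the item at acquisition, work only on a copy, keep a custody record of every handover, and verify the hash before relying on the item) as an added example in Python. This is not part of the exam material or of any ISACA guidance; the auth-log excerpt, the evidence identifier EV-001, the handler names and the CustodyLog class are constructed for illustration.

```python
"""Evidence integrity and chain of custody: hash at acquisition, work on a copy, verify later.
Added example; all identifiers and sample data below are constructed, not taken from a real case."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample evidence (not real data): an auth-log excerpt from a hypothetical host.
SAMPLE_AUTH_LOG = (
    b"Mar 05 09:12:41 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2\n"
    b"Mar 05 09:12:44 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2\n"
    b"Mar 05 09:13:02 web01 sshd[2240]: Accepted password for deploy from 203.0.113.7 port 51130 ssh2\n"
)


def sha256_hex(data: bytes) -> str:
    """Digest recorded at acquisition; any later change to the bytes changes this value."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of who handled which evidence item, when, and with what hash."""

    def __init__(self) -> None:
        self._entries: List[Dict[str, str]] = []

    def record(self, evidence_id: str, action: str, handler: str, digest: str,
               when: Optional[datetime] = None) -> Dict[str, str]:
        entry = {
            "evidence_id": evidence_id,
            "action": action,          # "acquired", "transferred", "analysed", ...
            "handler": handler,
            "sha256": digest,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        }
        self._entries.append(entry)   # entries are never edited or removed
        return entry

    def acquisition_digest(self, evidence_id: str) -> str:
        for entry in self._entries:
            if entry["evidence_id"] == evidence_id and entry["action"] == "acquired":
                return entry["sha256"]
        raise KeyError(f"no acquisition record for {evidence_id}")

    def verify(self, evidence_id: str, data: bytes) -> bool:
        """True only if `data` still matches the hash taken at acquisition."""
        return sha256_hex(data) == self.acquisition_digest(evidence_id)

    def export(self) -> str:
        return json.dumps(self._entries, indent=2)


def acquire(evidence_id: str, original: bytes, handler: str, log: CustodyLog,
            when: Optional[datetime] = None) -> bytes:
    """Hash the original, log the acquisition, and hand back a working copy for analysis."""
    log.record(evidence_id, "acquired", handler, sha256_hex(original), when)
    return bytes(original)   # analysts work on this copy; the original is never modified


def count_failed_logins(working_copy: bytes) -> int:
    """Example analysis step, run against the working copy rather than the original."""
    return sum(1 for line in working_copy.splitlines() if b"Failed password" in line)


def demo() -> dict:
    """Acquire, hand over, analyse, then show that an altered original is detected."""
    log = CustodyLog()
    copy = acquire("EV-001", SAMPLE_AUTH_LOG, "analyst.a", log,
                   datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc))
    log.record("EV-001", "transferred", "analyst.b", sha256_hex(copy),
               datetime(2024, 3, 5, 11, 0, tzinfo=timezone.utc))
    tampered = SAMPLE_AUTH_LOG.replace(b"Accepted", b"Failed")   # simulated alteration
    return {
        "failed_logins": count_failed_logins(copy),
        "original_intact": log.verify("EV-001", SAMPLE_AUTH_LOG),
        "tampered_detected": not log.verify("EV-001", tampered),
        "entries": len(json.loads(log.export())),
    }


if __name__ == "__main__":
    print(demo())
```

In practice the custody log itself would be stored somewhere the handlers cannot silently rewrite (a signed or append-only store), and a second, independent hash algorithm is often recorded alongside SHA-256; the point the questions make is that the original bytes are hashed once, never touched again, and re-verified before the evidence is relied upon.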
Q78 (D4) — SOC Performance
Which metric BEST shows SOC performance improvement?
A. Number of alerts processed daily
B. Reduction in mean time to detect and respond
C. Number of dashboards created
D. Amount of log storage used
Correct Answer: B
Explanation: SOC performance improvement = reduction in MTTD (mean time to detect) and MTTR (mean time to respond).
Q79 (D4) — Escalation Decision
Which incident warrants immediate escalation to senior management?
A. Malware detected and quarantined
B. Repeated failed login attempts
C. Incident likely to cause reputational or regulatory harm
D. User reporting phishing email
Correct Answer: C
Explanation: Incidents with major business/regulatory impact require senior oversight.
Q80 (D4) — Post-Incident Improvement
What is the MOST important activity after incident recovery?
A. Closing all tickets
B. Creating new dashboards
C. Conducting lessons learned to improve processes
D. Hiring more analysts
Correct Answer: C
Explanation: Lessons learned = continuous improvement.
CISM MOCK EXAM — BATCH 5 (Questions 81–100)
DOMAIN 1 – Information Security Governance
(Questions 81–85)
Q81 (D1) — Governance Oversight
Executive leadership asks how to verify the effectiveness of the security governance program. What is the BEST method?
A. Tracking SOC daily activities
B. Measuring alignment of security initiatives with business objectives
C. Counting number of patched systems
D. Comparing the number of incidents across departments
Correct Answer: B
Explanation: Governance = alignment + oversight, not operational counts.
Q82 (D1) — Framework Adoption
The CISO wants to adopt a governance framework (e.g., COBIT). What is the FIRST step?
A. Customize the controls
B. Assess current maturity and gaps
C. Immediately draft new policies
D. Purchase automation tools
Correct Answer: B
Explanation: Framework adoption begins with a gap/maturity assessment.
Q83 (D1) — Accountability Assignment
Which statement BEST clarifies accountability?
A. Security managers own all business risks
B. Business leaders own risks; security provides guidance
C. Risk ownership is shared equally
D. IT operations owns risks by default
Correct Answer: B
Explanation: CISM principle: business owns risk; security supports and advises.
Q84 (D1) — Policy Non-Compliance
A business unit is non-compliant with a critical security policy. Before escalation, what should the security manager do FIRST?
A. Understand business constraints and assess risk impact
B. Immediately notify the board
C. Remove the policy requirement
D. Disable the business unit’s systems
Correct Answer: A
Explanation: Governance requires business understanding + risk assessment before escalation.
Q85 (D1) — Strategic Decision Making
Which of the following demonstrates strategic security leadership?
A. Approving firewall rule changes
B. Ensuring security strategy supports enterprise goals and risk tolerance
C. Monitoring endpoint alerts
D. Completing audit checklists
Correct Answer: B
Explanation: Leadership = strategy + alignment, not operational tasks.
DOMAIN 2 – Information Security Risk Management
(Questions 86–90)
Q86 (D2) — Risk Reassessment
A risk was previously classified as low, but new threat intelligence suggests active exploitation. What should the Information Security Manager do FIRST?
A. Accept the risk
B. Reassess the risk
C. Notify law enforcement
D. Shut down impacted systems
Correct Answer: B
Explanation: New threat intel = reassessment before action.
Q87 (D2) — Risk Appetite Understanding
A department insists on mitigating even minor risks. What is the BEST action?
A. Support the mitigation effort
B. Communicate enterprise-wide risk appetite and prioritization
C. Reject their request
D. Encourage them to maintain minimal risk tolerance
Correct Answer: B
Explanation: Risk management requires understanding enterprise risk appetite, not over-mitigation.
Q88 (D2) — Scenario: Control Failure
A control designed to prevent unauthorized access fails during testing. What is the MOST appropriate action?
A. Accept the risk because testing found it early
B. Re-evaluate the risk and determine new treatment options
C. Remove the control entirely
D. Delay testing until later
Correct Answer: B
Explanation: Control failure requires risk re-evaluation and new treatment.
Q89 (D2) — Third-Party SLA Issues
A vendor consistently misses security-related SLA targets. What is the BEST action?
A. Terminate the contract immediately
B. Conduct a risk review and hold a vendor governance meeting
C. Accept the deviations
D. Ignore unless a breach occurs
Correct Answer: B
Explanation: Proper vendor governance = risk review + corrective management.
Q90 (D2) — Risk Register Accuracy
The risk register is outdated. What is the MOST important activity?
A. Assign security team to update everything alone
B. Review risks jointly with business owners
C. Remove all old risks
D. Outsource risk management
Correct Answer: B
Explanation: Risk = business-owned, so the review must involve business owners.
DOMAIN 3 – Security Program Development & Management
(Questions 91–95)
Q91 (D3) — Program Scalability
The organization is expanding globally. What is the BEST way to ensure consistent security?
A. Create identical controls everywhere with no exceptions
B. Define global minimum standards with region-specific tailoring
C. Allow each region to define its own standards
D. Outsource global operations
Correct Answer: B
Explanation: Global baseline + controlled tailoring = sustainable governance.
Q92 (D3) — Program Maturity
Which factor BEST indicates a mature security program?
A. Frequent major incidents
B. Activities are repeatable, measurable, and continuously improved
C. All controls implemented within a year
D. Security team doubles in size
Correct Answer: B
Explanation: Maturity = repeatable + measurable + improving processes.
Q93 (D3) — Awareness Tailoring
Phishing remains a major issue. What is the BEST improvement?
A. Longer awareness sessions
B. Role-based, targeted anti-phishing modules
C. Mandatory punishment for anyone who clicks
D. Daily security newsletters
Correct Answer: B
Explanation: Effective awareness is targeted and based on risk behavior.
Q94 (D3) — Project Prioritization
What is the MOST important input when prioritizing security projects?
A. Vendor pressure
B. Personal preference
C. Risk impact and regulatory deadlines
D. IT operations recommendations only
Correct Answer: C
Explanation: Program priorities must be risk/regulation driven.
Q95 (D3) — Control Integration
A new identity management control disrupts business workflows. What should the Information Security Manager do FIRST?
A. Roll back the change immediately
B. Engage business stakeholders to assess impact and adjust the rollout
C. Force the control regardless of impact
D. Disable identity management entirely
Correct Answer: B
Explanation: Work with business to balance security and workflow impact.
DOMAIN 4 – Incident Management
(Questions 96–100)
Q96 (D4) — Incident Validation
A user reports strange activity on their laptop. What is the FIRST action?
A. Wipe the laptop
B. Validate and classify the event through triage
C. Notify the entire company
D. Ignore until more issues occur
Correct Answer: B
Explanation: Incident handling always begins with triage.
Q97 (D4) — Communication Breakdown
During an incident, the SOC provides overly technical updates to executives. What is the BEST corrective step?
A. Stop all communication
B. Provide business-focused summaries tailored to executive needs
C. Force executives to attend technical briefings
D. Send detailed logs directly
Correct Answer: B
Explanation: Executives need business impact, not technical data.
Q98 (D4) — Containment Priority
A worm is spreading rapidly across internal networks. What is the MOST urgent action?
A. Perform detailed forensics
B. Conduct root cause analysis
C. Isolate affected segments immediately
D. Notify employees
Correct Answer: C
Explanation: Rapid containment is critical to stop lateral spread.
Q99 (D4) — Evidence Handling
What is the PRIMARY reason for maintaining chain of custody?
A. To speed up incident handling
B. To ensure evidence is admissible and trustworthy
C. To allow more employees to review evidence
D. To reduce storage needs
Correct Answer: B
Explanation: Chain of custody ensures evidence integrity & admissibility.
Q100 (D4) — Post-Incident Review
What is the MOST important objective of a post-incident review?
A. Assign blame to individuals
B. Promote disciplinary actions
C. Identify gaps and develop improvement actions
D. Document every log file collected
Correct Answer: C
Explanation: Lessons learned = continuous improvement, not punishment.
CISM MOCK EXAM — BATCH 6 (Questions 101–150)
DOMAIN 1 — Information Security Governance
(Questions 101–113)
(13 questions)
Q101 (D1)
A security initiative is ready to launch, but business leaders don’t understand its value. What should the Information Security Manager do FIRST?
A. Delay the initiative
B. Map initiative benefits to business objectives
C. Request audit support
D. Publish technical documentation
Correct: B
Explanation: Governance = alignment to business value.
Q102 (D1)
Which document MOST clearly reflects executive commitment to information security?
A. Incident playbook
B. Information security policy
C. Technical standards
D. Firewall configurations
Correct: B
Explanation: Policies capture management direction.
Q103 (D1)
The CFO wants to reduce security spending. What’s the BEST governance response?
A. Cut all security controls proportionally
B. Show risk impact of cutting specific initiatives
C. Agree without discussion
D. Escalate to the board immediately
Correct: B
Explanation: Executives make decisions, but must be shown risk impact.
Q104 (D1)
Business units avoid security participation. What’s the BEST governance solution?
A. Mandate punitive measures
B. Embed security into enterprise governance committees
C. Increase the SOC size
D. Reduce control requirements
Correct: B
Explanation: Governance = formal structures enabling participation.
Q105 (D1)
Which activity BEST demonstrates security governance maturity?
A. SOC handles more incidents
B. Business regularly invites security to strategy planning
C. Increased patch volumes
D. More tools deployed
Correct: B
Q106 (D1)
Who should approve information security strategy?
A. Security architect
B. Internal audit
C. Executive leadership
D. IT operations
Correct: C
Q107 (D1)
A new regulation requires additional security controls. What’s the FIRST step?
A. Update the firewall
B. Assess regulatory requirements and business impact
C. Start coding new monitoring scripts
D. Deploy encryption everywhere
Correct: B
Q108 (D1)
Security KPIs sent to executives are too technical. What should the manager do?
A. Reduce reports to one page
B. Translate KPIs into business impact metrics
C. Remove technical KPIs
D. Request executives to attend training
Correct: B
Q109 (D1)
Which statement BEST defines governance?
A. Implementing technical controls
B. Setting direction and oversight for security
C. Performing SOC monitoring
D. Writing configuration guides
Correct: B
Q110 (D1)
Which BEST demonstrates accountability?
A. Security approves business changes
B. Business owners make risk decisions
C. IT owns all risks
D. Security enforces all controls
Correct: B
Q111 (D1)
Executives want evidence of security value. What metric is BEST?
A. Number of blocked attacks
B. Reduction in business risk exposure
C. SOC ticket counts
D. Number of scans performed
Correct: B
Q112 (D1)
The board wants quarterly assurance. What should the manager present?
A. Firewall logs
B. Risk posture trend vs risk appetite
C. Technical dashboard
D. Antivirus license data
Correct: B
Q113 (D1)
Which BEST supports governance transparency?
A. Restricting reports
B. Regular reporting of risk and control status
C. Only reporting incidents
D. Only reporting successes
Correct: B
DOMAIN 2 — Risk Management
(Questions 114–126)
(13 questions)
Q114 (D2)
A threat actor shifts behavior targeting similar organizations. What should the manager do FIRST?
A. Implement new tools
B. Review threat intelligence + reassess risks
C. Ignore until attacked
D. Notify audit
Correct: B
Q115 (D2)
Which is the BEST example of inherent risk?
A. Risk after monitoring applied
B. Risk before any controls
C. Risk transferred to insurance
D. Risk accepted by business
Correct: B
Q116 (D2)
A risk is high but mitigation is too expensive. What is the BEST step?
A. Accept the risk personally
B. Escalate to authorized risk owner for decision
C. Ignore cost and mitigate
D. Cancel the system
Correct: B
Q117 (D2)
A vendor refuses to share internal scan results but provides a SOC 2 Type II report. What should you do?
A. Accept immediately
B. Check whether scope covers required controls
C. Terminate contract
D. Request raw server logs
Correct: B
Q118 (D2)
Which risk metric is MOST predictive?
A. Number of incidents
B. Key Risk Indicators (KRIs)
C. SOC ticket volume
D. Patch percentage
Correct: B
Q119 (D2)
A risk assessment is outdated. What’s the MOST critical next step?
A. Security updates it alone
B. Review with business owners
C. Remove outdated entries
D. Reassign risk scores at random
Correct: B
Q120 (D2)
A project is rushing to meet deadlines. Several risks were not assessed. What should the manager do FIRST?
A. Approve go-live
B. Conduct a rapid risk assessment
C. Reject project
D. Extend timeline forcefully
Correct: B
Q121 (D2)
What situation MOST requires risk transfer?
A. Insurance is cheaper
B. Liability belongs contractually to vendor
C. Risk is too technical
D. Risk is medium
Correct: B
Q122 (D2)
The business wants to ignore a high-likelihood threat. What should the security manager do FIRST?
A. Re-assess and explain consequences
B. Agree
C. Cancel the project
D. Report to regulators
Correct: A
Q123 (D2)
Which risk treatment is BEST when impact is moderate and likelihood is very low?
A. Avoid
B. Mitigate
C. Accept
D. Transfer
Correct: C
Q124 (D2)
Which factor MOST affects impact level?
A. Threat actor skill
B. Business process criticality
C. Number of vulnerabilities
D. Patch timing
Correct: B
Q125 (D2)
A new law increases compliance obligations. What should be updated FIRST?
A. Infrastructure
B. Risk register
C. Logging tools
D. Antivirus
Correct: B
Q126 (D2)
Which BEST shows risk is integrated into business decisions?
A. Security updates alone
B. Projects include risk assessments in early stages
C. Annual audit only
D. Penetration testing results
Correct: B
DOMAIN 3 — Security Program Development & Management
(Questions 127–139)
(13 questions)
Q127 (D3)
A new security architecture is being designed. What’s the MOST important input?
A. Network maps only
B. Business processes and data flows
C. Firewall logs
D. Developer feedback
Correct: B
Q128 (D3)
Which BEST measures program success?
A. Number of alerts
B. Reduction in business-impacting incidents
C. Number of tools deployed
D. Amount of log data
Correct: B
Q129 (D3)
Users bypass MFA because it “slows workflow.” What’s the BEST approach?
A. Remove MFA
B. Re-evaluate implementation and optimize with business
C. Enforce MFA strictly
D. Reduce password strength
Correct: B
Q130 (D3)
The awareness program fails to reduce risky behavior. What is the BEST improvement?
A. More training hours
B. Role-based, scenario-driven awareness
C. Mandatory certification
D. Disable internet access
Correct: B
Q131 (D3)
Which MOST improves long-term control effectiveness?
A. New firewalls
B. Continuous monitoring + periodic review
C. Annual audits only
D. A single penetration test per year
Correct: B
Q132 (D3)
Security roadmap priorities must be based on:
A. Vendor popularity
B. Risk & regulatory requirements
C. Technical interest
D. SOC preferences
Correct: B
Q133 (D3)
Which indicates program maturity?
A. More alerts
B. Measurable, repeatable processes
C. High staff turnover
D. Larger security team
Correct: B
Q134 (D3)
A business unit needs faster onboarding. What should the Information Security Manager do?
A. Remove all controls
B. Streamline controls without reducing effectiveness
C. Ignore request
D. Enforce same strict process
Correct: B
Q135 (D3)
Which role is responsible for ensuring security supports business goals?
A. SOC Lead
B. Information Security Manager
C. System Admin
D. Legal team
Correct: B
Q136 (D3)
A new system goes live, but no security requirements were collected. What's the FIRST corrective action?
A. Penalize the team
B. Integrate security requirements into SDLC gates
C. Disable the system
D. Force re-development
Correct: B
Q137 (D3)
Which BEST reflects an outcome-based metric?
A. “Number of scans performed”
B. “Phishing incidents reduced by 40%”
C. “Hours of training delivered”
D. “Tools installed”
Correct: B
Q138 (D3)
Cloud adoption is expanding. What should the security team do FIRST?
A. Block cloud usage
B. Evaluate cloud risks + update program
C. Purchase new EDR
D. Increase SOC staffing
Correct: B
Q139 (D3)
Third-party access reviews are important to ensure:
A. Higher license utilization
B. Least privilege and continued business alignment
C. Vendor happiness
D. Faster onboarding
Correct: B
DOMAIN 4 — Incident Management
(Questions 140–150)
(11 questions)
Q140 (D4)
A possible breach is detected. What should be done FIRST?
A. Public announcement
B. Triage and validate
C. Notify police
D. Restore affected servers
Correct: B
Q141 (D4)
Which BEST indicates strong incident response maturity?
A. More alerts processed
B. Lower MTTD and MTTR
C. Larger SOC team
D. More dashboards
Correct: B
Q142 (D4)
Why must a compromised server be isolated IMMEDIATELY?
A. To collect logs
B. To prevent further spread
C. To notify users
D. To reduce CPU load
Correct: B
Q143 (D4)
Executives request hourly updates. What should be provided?
A. Raw logs
B. Business impact summaries
C. Full packet captures
D. Malware samples
Correct: B
Q144 (D4)
Which BEST describes containment?
A. Restoring systems
B. Limiting attacker movement
C. Completing reports
D. Conducting interviews
Correct: B
Q145 (D4)
Which incident requires senior escalation?
A. Low-level malware
B. Minor phishing
C. Breach affecting regulated data
D. User forgets password
Correct: C
Q146 (D4)
Post-incident reviews must focus on:
A. Assigning blame
B. Control/process improvements
C. Hiring new employees
D. Data center redesign
Correct: B
Q147 (D4)
Which action MOST preserves evidence?
A. Editing logs
B. Disconnecting system without altering data
C. Reformatting disk
D. Restarting server
Correct: B
Q148 (D4)
SOC analysts are overwhelmed with alerts. What should the manager do FIRST?
A. Turn off SIEM
B. Tune alert rules and reduce false positives
C. Hire 10 more analysts
D. Disable threat feeds
Correct: B
Q149 (D4)
A ransomware attack locks several machines. What’s the FIRST priority?
A. Notify auditors
B. Contain and isolate machines
C. Pay ransom
D. Conduct lengthy forensics
Correct: B
Q150 (D4)
What is the PRIMARY goal of incident response?
A. Create punishment actions
B. Minimize business impact and restore operations
C. Increase SOC workload
D. Collect as many logs as possible
Correct: B