
Certified Information Security Manager (CISM)

Multiple Choice Questions:


1. Which of the following statements about policy compliance is
incorrect?
a. Policies serve as the foundation for all accountability for security
duties across the company.
b. In policy compliance, it is the responsibility of the information
security manager to guarantee that there are no orphan systems
or systems without policy compliance owners during the
assignment process.
c. A policy exception process is frequently mentioned in information
security management literature.
d. Policy compliance defines the possibilities for systems, processes,
and behaviours that nevertheless adhere to policy.

2. Which of the following statements is not true regarding “COBIT”?

a. COBIT gives a comprehensive framework for enterprise IT
governance and management that addresses IT security, risk,
governance, and information security in general.
b. COBIT has various emphasis areas, each of which describes a
specific governance domain, topic, or issue that can be addressed
by a set of governance and management objectives and their
components.
c. COBIT is more operational, focusing on service management and
delivery.
d. COBIT is based on principles that define the fundamental
requirements of a business information and technology
governance system.
3. Is the following statement true or false?
Likelihood, also known as probability, is a measure of the frequency
with which an event may arise.
a. True
b. False

4. Which of the following does not belong to the common
containment activities of a security incident?
a. Escalation and notification to suitable stakeholders.
b. Memory analysis and captures.
c. Enterprise-wide password modifications of all accounts.
d. Include non-conformity terms.

5. Which of the following does not fall under the directory?
a. Contacts within companies designated to give equipment, services
and supplies.
b. Contact information for regulatory paperwork.
c. Law enforcement contacts.
d. Insurance company agents.

6. What does “A” stand for in FAIR?

a. Argument
b. Analysis
c. Acceptance
d. Assessment

7. How many components does the NIST Cybersecurity Framework have?

a. 5
b. 7
c. 3
d. 9
8. Controls should be implemented across several control categories to
support the development of a defence-in-depth strategy and to ensure
comprehensive achievement of control objectives. Which of the
following is not one of them?
a. Detective
b. Compensating
c. Deterrent
d. Statutory

9. The phrase "________________" refers to a complete snapshot of all
appropriate conditions at a specific time in the future.
a. Unitary state
b. Desired state
c. Confederal state
d. Federal state

10. Which of the following is/are the way(s) for risk treatment?
a. Risk mitigation
b. Risk avoidance
c. Risk acceptance
d. All of the above

11. _________________ is defined as the allowable variation from
acceptable risk, which is typically expressed as a percentage or range.
a. Risk tolerance
b. Risk mitigation
c. Risk transfer
d. Risk avoidance
12. Is the following statement true or false?
A foundational structure, or set of structures, can be described as an
architecture framework. These structures can be used to create a variety
of different architectures, such as business process architecture, also
known as contextual architecture.
a. True
b. False

13. The risk of loss caused by ineffective, inefficient, inadequate, or failed
procedures, people, and systems, as well as external events, is referred
to as _________________.
a. Strategic risk
b. Operational risk
c. Regulatory risk
d. Compliance risk

14. ______________ refers to any activity inside the information security
program that is aimed at ensuring compliance with the enterprise's
security policies, standards, and procedures.
a. Compliance enforcement
b. Compliance audit
c. Compliance strategy
d. Compliance approach

15. Which of the following is not a personal skill?
a. Integrity
b. Coping with stress
c. Discrimination
d. Time management

16. Which of the following is not a part of the IRT model?

a. Central IRT
b. Distributed IRT
c. Coordinating IRT
d. Insourced IRT
17. There are some elements that must be considered in strategic planning,
and in subsequent operation and implementation, as a part of information
security itself. Which of the following is not one of them?
a. Business Impact Analysis
b. Vulnerability Assessment
c. Resource Independency Analysis
d. Outsourced Services

18. Which management has the responsibility of carrying out the directives
issued by the board of directors?
a. Consultative management
b. Executive management
c. Security management
d. Data management

19. The __________________ system's concepts and procedures are well
suited to the unique reliance on effective, efficient management of a
business process such as information security.
a. RDE
b. DSC
c. TQM
d. GTH

20. What does “S” stand for in CISO?

a. Services
b. Security
c. Selection
d. Substitution

21. Which of the following is not an activity of management?

a. Controls and internal audit
b. Performance evaluation
c. Position benchmarking
d. Functional foremanship
22. Which of the following is not included in the elements of an incident
response plan?
a. Preparation
b. Containment
c. Elimination
d. Recovery

23. Which of the following is not included in the responsibilities of a steering
committee?
a. Discussion of only old laws, regulations, and requirements rather
than new ones.
b. Risk treatment deliberation and recommendation.
c. Discussion and coordination of IT and security projects.
d. Review of recent risk assessments.

24. _____________ is the process of calculating and determining potential
probability and resulting outcomes.
a. Risk tolerance
b. Risk analysis
c. Risk mitigation
d. Risk transfer

25. The risk exposure or level without considering the actions that
management might take or has taken is referred to as ____________.
a. Residual risk
b. Strategic risk
c. Inherent risk
d. Risk management
26. Which of the following refers to the processes that are used to organise,
assign, and govern information security resources, such as people,
processes, and technology, in order to improve the efficiency and
effectiveness of business solutions?
a. Information security resource management
b. Persuasive management
c. Enterprise information security management
d. End-to-end system management

27. Which of the following is not a responsibility of business process
and business asset owners?
a. Access grants
b. Physical location
c. Functional definition
d. Access cancellation

28. ___________________ refers to the set of top-down activities that
control the security organisation to ensure that information security
supports the organisation.
a. Security risk management
b. Information security governance
c. Executive management
d. Enterprise risk governance

29. How many elements does the BMIS model have?

a. 4
b. 5
c. 6
d. 7
30. Which of the following statements is not true regarding
countermeasures?
a. Countermeasures are controls that are put in place in response to
a known threat.
b. Countermeasures are something that serves as a guard or
protection.
c. Countermeasures used to address specific threats or
vulnerabilities are frequently costly, both operationally and
financially, and can become a distraction from core security
operations.
d. Countermeasures frequently provide targeted protection, making
them more effective but less efficient than broader controls.

31. Which of the following negative factors are considered while examining
outsourcing possibilities?
I. The third-party vendor's viability.
II. Lack of transparency into security processes.
III. Gain of critical skills.
IV. Incident management complexity.
a. I and II only
b. I, II, and III only
c. I, II, and IV only
d. I, II, III, and IV

32. _________________ is defined as the allowable variation from
acceptable risk, which is typically expressed as a percentage or range.
a. Risk tolerance
b. Risk analysis
c. Risk mitigation
d. Risk treatment
33. The ability to give and ensure the start-to-finish management of an
issue within the company is referred to as _________________.
a. Authoritative management
b. Transformational management
c. Incident management
d. Recursive management

34. Which of the following is/are included in the objectives of information
architecture approaches?
a. Give overarching coherence, cohesiveness and structure.
b. Enable and support attainment of business strategy.
c. Provide a class of abstraction independent of distinct preferences
and technologies.
d. All of the above

35. Which Annex A control area covers asset management?

a. A.7
b. A.9
c. A.8
d. A.11

36. Which of the following is/are included in the security concepts required of IRTs?
a. Operating systems
b. Malicious code
c. Programming skills
d. All of the above

37. Which of the following is not one of the methods for
providing network service continuity?
a. Alternative routing
b. Short-haul network diversity
c. Last-mile circuit protection
d. Voice recovery
38. _____________ are defined as any event that has the potential to
harm an enterprise's assets, operations, or staff.
a. Threats
b. Vulnerability
c. Elements
d. Strings

39. Which of the following statements is incorrect about the “BIA”?

a. A BIA is used to assess the impact of losing the availability of any
resource on an enterprise.
b. The BIA is frequently mentioned in the context of BC and DR.
Other methodologies, in addition to the BIA, may be used to
assess possible impact.
c. The BIA identifies the minimum resources required to restore and
prioritises the recovery of processes and supporting systems.
d. None of the above

40. Which of the following factors should be considered when choosing a
site for a response and recovery strategy?
I. AIW
II. RPO
III. MTO
IV. CDO
a. I, III, and IV only
b. II and IV only
c. I, II and III only
d. I, II, III, and IV
