
Q1. The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following?

A. Mitigating controls 

B. Visibility of impact 

C. Likelihood of occurrence 

D. Incident frequency 



Visibility of impact is the best measure since it manages risks to an organization in the timeliest manner. Likelihood of occurrence and incident frequency are not as relevant. Mitigating controls is not a determining factor on incident reporting. 

Q2. After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented? 

A. Senior management 

B. Business manager 

C. IT audit manager 

D. Information security officer (ISO) 



The business manager will be in the best position, based on the risk assessment and mitigation proposals, to decide which controls should or could be implemented, in line with the business strategy and with the budget. Senior management will have to ensure that the business manager has a clear understanding of the risk assessed but will in no case be in a position to decide on specific controls. The IT audit manager will take part in the process to identify threats and vulnerabilities, and to make recommendations for mitigations. The information security officer (ISO) could make some decisions regarding implementation of controls. However, the business manager will have a broader business view and full control over the budget and, therefore, will be in a better position to make strategic decisions.

Q3. Which of the following is MOST essential for a risk management program to be effective? 

A. Flexible security budget 

B. Sound risk baseline 

C. New risks detection 

D. Accurate risk reporting 



All of these procedures are essential for implementing risk management. However, without identifying new risks, other procedures will only be useful for a limited period. 

Q4. The MOST important reason for conducting periodic risk assessments is because: 

A. risk assessments are not always precise. 

B. security risks are subject to frequent change. 

C. reviewers can optimize and reduce the cost of controls. 

D. it demonstrates to senior management that the security function can add value. 



Risks are constantly changing. A previously conducted risk assessment may not include measured risks that have been introduced since the last assessment. Although an assessment can never be perfect and invariably contains some errors, this is not the most important reason for periodic reassessment. The fact that controls can be made more efficient to reduce costs is not sufficient. Finally, risk assessments should not be performed merely to justify the existence of the security function. 

Q5. The PRIMARY objective of a security steering group is to: 

A. ensure information security covers all business functions. 

B. ensure information security aligns with business goals. 

C. raise information security awareness across the organization. 

D. implement all decisions on security management across the organization. 



The security steering group comprises senior management of key business functions and has the primary objective to align the security strategy with the business direction. Option A is incorrect because not all business areas may be required to be covered by information security; but if they are, the main purpose of the steering committee would be alignment more so than coverage. While raising awareness is important, this goal would not be carried out by the committee itself. The steering committee may delegate part of the decision making to the information security manager; however, even if it retains this authority, it is not the primary goal.

Q6. An outsource service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know? 

A. Security in storage and transmission of sensitive data 

B. Provider's level of compliance with industry standards 

C. Security technologies in place at the facility 

D. Results of the latest independent security review 



How the outsourcer protects the storage and transmission of sensitive information will allow an information security manager to understand how sensitive data will be protected. Choice B is an important but secondary consideration. Choice C is incorrect because security technologies are not the only components that protect sensitive customer information. Choice D is incorrect because an independent security review may not include analysis of how sensitive customer information would be protected.

Q7. Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project? 

A. Programming 

B. Specification 

C. User testing 

D. Feasibility 



Risk should be addressed as early as possible in the development cycle. The feasibility study should include risk assessment so that the cost of controls can be estimated before the project proceeds. Risk should also be considered in the specification phase where the controls are designed, but this would still be based on the assessment carried out in the feasibility study. Assessment would not be relevant in choice A or C. 

Q8. The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for: 

A. determining the scope for inclusion in an information security program. 

B. defining the level of access controls. 

C. justifying costs for information resources. 

D. determining the overall budget of an information security program. 



The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place. The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program and has only an indirect bearing on the costs to be incurred. The assignment of sensitivity and criticality contributes to, but does not decide, the overall budget of the information security program. 

Q9. Security technologies should be selected PRIMARILY on the basis of their: 

A. ability to mitigate business risks. 

B. evaluations in trade publications. 

C. use of new and emerging technologies. 

D. benefits in comparison to their costs. 



The most fundamental evaluation criterion for the appropriate selection of any security technology is its ability to reduce or eliminate business risks. Investments in security technologies should be based on their overall value in relation to their cost; the value can be demonstrated in terms of risk mitigation. This should take precedence over whether they use new or exotic technologies or how they are evaluated in trade publications. 

Q10. While implementing information security governance an organization should FIRST: 

A. adopt security standards. 

B. determine security baselines. 

C. define the security strategy. 

D. establish security policies. 



The first step in implementing information security governance is to define the security strategy, based on which security baselines are determined. Adopting suitable security standards, performing risk assessment and implementing security policy are steps that follow the definition of the security strategy.