
[Nov 10, 2025] Pass CISM Review Guide, Reliable CISM Test Engine
CISM Test Engine Practice Test Questions, Exam Dumps
How to study the CISM Exam
PassSureExam expert team recommends you to prepare some notes on these topics along with it don't forget to practice ISACA CISM Exam exam dumps which been written by our expert team, Both these will help you a lot to clear this exam with good marks.
For more info visit:
NEW QUESTION # 546
An information security manager learns of a new standard related to an emerging technology the organization wants to implement. Which of the following should the information security manager recommend be done FIRST?
- A. Determine whether the organization can benefit from adopting the new standard.
- B. Obtain legal counsel's opinion on the standard's applicability to regulations,
- C. Perform a risk assessment on the new technology.
- D. Review industry specialists' analyses of the new standard.
Answer: A
Explanation:
= The first step that the information security manager should recommend when learning of a new standard related to an emerging technology is to determine whether the organization can benefit from adopting the new standard. This involves evaluating the business objectives, needs, and requirements of the organization, as well as the potential advantages, disadvantages, and challenges of implementing the new technology and the new standard. The information security manager should also consider the alignment of the new standard with the organization's existing policies, procedures, and standards, as well as the impact of the new standard on the organization's information security governance, risk management, program, and incident management. By conducting a preliminary analysis of the feasibility, suitability, and desirability of the new standard, the information security manager can provide a sound basis for further decision making and planning.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section:
Information Security Standards, page 391; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question 43, page 412.
NEW QUESTION # 547
Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected?
- A. Upgrading hardware
- B. Applying patches
- C. Backing up files
- D. Changing access rules
Answer: C
Explanation:
Section: INFORMATION SECURITY PROGRAM MANAGEMENT
Explanation:
If malicious code is not immediately detected, it will most likely be backed up as a part of the normal tape backup process. When later discovered, the code may be eradicated from the device but still remain undetected ON a backup tape. Any subsequent restores using that tape may reintroduce the malicious code.
Applying patches, changing access rules and upgrading hardware does not significantly increase the level of difficulty.
NEW QUESTION # 548
Which of the following is a viable containment strategy for a distributed denial of service (DDoS) attack?
- A. Redirect the attacker's traffic
- B. Disable firewall ports exploited by the attacker.
- C. Block IP addresses used by the attacker
- D. Power off affected servers
Answer: A
Explanation:
Explanation
Redirecting the attacker's traffic is a viable containment strategy for a distributed denial of service (DDoS) attack because it helps to divert the malicious traffic away from the target server and reduce the impact of the attack. A DDoS attack is an attempt by attackers to overwhelm a server or a network with a large volume of requests or packets, preventing legitimate users from accessing the service or resource. Redirecting the attacker's traffic is a technique that involves changing the DNS settings or routing tables to send the attacker's traffic to another destination, such as a sinkhole, a honeypot, or a scrubbing center. A sinkhole is a server that absorbs and discards the malicious traffic. A honeypot is a decoy server that mimics the target server and collects information about the attacker's behavior and techniques. A scrubbing center is a service that filters out the malicious traffic and forwards only the legitimate traffic to the target server. Redirecting the attacker's traffic helps to contain the DDoS attack by reducing the load on the target server and preserving its availability and performance. Therefore, redirecting the attacker's traffic is the correct answer.
References:
* https://www.fortinet.com/resources/cyberglossary/implement-ddos-mitigation-strategy
* https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-response-strategy
* https://www.cloudflare.com/learning/ddos/glossary/sinkholing/.
NEW QUESTION # 549
Which of the following is the MOST important consideration when establishing an organization's information security governance committee?
- A. Members are rotated periodically.
- B. Members represent functions across the organization.
- C. Members have knowledge of information security controls.
- D. Members are business risk owners.
Answer: B
Explanation:
= The most important consideration when establishing an organization's information security governance committee is to ensure that members represent functions across the organization. This is because the information security governance committee is responsible for setting the direction, scope, and objectives of the information security program, and for ensuring that the program aligns with the organization's business goals and strategies. By having members from different functions, such as finance, human resources, operations, legal, and IT, the committee can ensure that the information security program considers the needs, expectations, and perspectives of various stakeholders, and that the program supports the organization's mission, vision, and values. Having a diverse and representative committee also helps to foster a culture of security awareness and accountability throughout the organization, and to promote collaboration and communication among different functions.
Members having knowledge of information security controls, members being business risk owners, and members being rotated periodically are all desirable characteristics of an information security governance committee, but they are not the most important consideration. Members having knowledge of information security controls can help the committee to understand the technical aspects of information security and to evaluate the effectiveness and efficiency of the information security program. However, having technical knowledge is not sufficient to ensure that the information security program is aligned with the organization's business goals and strategies, and that the program considers the needs and expectations of various stakeholders. Members being business risk owners can help the committee to identify and prioritize the information security risks that affect the organization's business objectives, and to allocate appropriate resources and responsibilities for managing those risks. However, being a business risk owner does not necessarily imply that the member has a comprehensive and balanced view of the organization's information security needs and expectations, and that the member can represent the interests and perspectives of various functions. Members being rotated periodically can help the committee to maintain its independence and objectivity, and to avoid conflicts of interest or complacency. However, rotating members too frequently can also reduce the continuity and consistency of the information security program, and can affect the committee' s ability to monitor and evaluate the performance and progress of the information security program. References =
* ISACA, CISM Review Manual, 16th Edition, 2020, pages 36-37.
* ISACA, CISM Review Questions, Answers & Explanations Database, 12th Edition, 2020, question ID
1014.
NEW QUESTION # 550
Deciding the level of protection a particular asset should be given is BEST determined by:
- A. a vulnerability assessment.
- B. a threat assessment.
- C. the corporate risk appetite.
- D. a risk analysis.
Answer: D
NEW QUESTION # 551
The PRIMARY goal in developing an information security strategy is to:
- A. ensure that legal and regulatory requirements are met
- B. educate business process owners regarding their duties.
- C. establish security metrics and performance monitoring.
- D. support the business objectives of the organization.
Answer: D
Explanation:
The business objectives of the organization supersede all other factors. Establishing metrics and measuring performance, meeting legal and regulatory requirements, and educating business process owners are all subordinate to this overall goal.
NEW QUESTION # 552
Risk assessment is MOST effective when performed:
- A. at the beginning of security program development.
- B. while developing the business case for the security program.
- C. during the business change process.
- D. on a continuous basis.
Answer: D
Explanation:
Explanation/Reference:
Explanation:
Risk assessment needs to be performed on a continuous basis because of organizational and technical changes. Risk assessment must take into account all significant changes in order to be effective.
NEW QUESTION # 553
Which of the following is the MOST likely outcome from the implementation of a security governance framework?
- A. Realized business value from information security initiatives
- B. Compliance with international standards
- C. Increased availability of information systems
- D. Cost reduction of information security initiatives
Answer: C
NEW QUESTION # 554
An information security manager learns that a departmental system is out of compliance with the information security policy's authentication requirements. Which of the following should be the information security manager's FIRST course of action?
- A. Submit the issue to the steering committee for escalation.
- B. Isolate the noncompliant system from the rest of the network.
- C. Request risk acceptance from senior management.
- D. Conduct an impact analysis to quantify the associated risk
Answer: D
NEW QUESTION # 555
If the inherent risk of a business activity is higher than the acceptable risk level, the information security manager should FIRST:
- A. recommend that management avoid the business activity
- B. transfer risk to a third party to avoid cost of impact.
- C. implement controls to mitigate the risk to an acceptable level.
- D. assess the gap between current and acceptable level of risk.
Answer: D
NEW QUESTION # 556
Which of the following is the MOST important reason for logging firewall activity?
- A. Intrusion detection
- B. Auditing purposes
- C. Incident investigation
- D. Firewall tuning
Answer: C
Explanation:
Section: INCIDENT MANAGEMENT AND RESPONSE
Explanation/Reference:
NEW QUESTION # 557
Which of the following is MOST critical to review when preparing to outsource a data repository to a cloud-based solution?
- A. Disaster recovery plan
- B. Identity and access management
- C. A risk assessment
- D. Vendor s information security policy
Answer: C
NEW QUESTION # 558
An email digital signature will:
- A. verify to recipients the integrity of an email message.
- B. automatically correct unauthorized modification of an email message.
- C. protect the confidentiality of an email message.
- D. prevent unauthorized modification of an email message.
Answer: D
NEW QUESTION # 559
Information security controls should be designed PRIMARILY based on:
- A. business risk scenarios,
- B. a vulnerability assessment.
- C. regulatory requirements.
- D. a business impact analysis (BIA).
Answer: A
Explanation:
Explanation
Information security controls should be designed primarily based on business risk scenarios, because they help to identify and prioritize the most relevant and significant threats and vulnerabilities that may affect the organization's information assets and business objectives. Business risk scenarios are hypothetical situations that describe the possible sources, events, and consequences of a security breach, as well as the likelihood and impact of the occurrence. Business risk scenarios can help to:
Align the information security controls with the business needs and requirements, and ensure that they support the achievement of the strategic goals and the mission and vision of the organization Assess the effectiveness and efficiency of the existing information security controls, and identify the gaps and weaknesses that need to be addressed or improved Select and implement the appropriate information security controls that can prevent, detect, or mitigate the risks, and that can provide the optimal level of protection and performance for the information assets Evaluate and measure the return on investment and the value proposition of the information security controls, and communicate and justify the rationale and benefits of the controls to the stakeholders and management Information security controls should not be designed primarily based on a business impact analysis (BIA), regulatory requirements, or a vulnerability assessment, because these are secondary or complementary factors that influence the design of the controls, but they do not provide the main basis or criteria for the design. A BIA is a method of estimating and comparing the potential effects of a disruption or a disaster on the critical business functions and processes, in terms of financial, operational, and reputational aspects. A BIA can help to determine the recovery objectives and priorities for the information assets, but it does not identify or address the specific risks and threats that may cause the disruption or the disaster. Regulatory requirements are the legal, contractual, or industry standards and obligations that the organization must comply with regarding information security. Regulatory requirements can help to establish the minimum or baseline level of information security controls that the organization must implement, but they do not reflect the specific or unique needs and challenges of the organization. A vulnerability assessment is a method of identifying and analyzing the weaknesses and flaws in the information systems and assets that may expose them to exploitation or compromise. A vulnerability assessment can help to discover and remediate the existing or potential security issues, but it does not consider the business context or impact of the issues.
References = CISM Review Manual, 16th Edition, ISACA, 2021, pages 119-120, 122-123, 125-126, 129-130.
NEW QUESTION # 560
When supporting an organization's privacy officer, which of the following is the information security managers PRIMARY role regarding privacy requirements?
- A. Ensuring appropriate controls are in place
- B. Monitoring the transfer of private data
- C. Determining data classification
- D. Conducting privacy awareness programs
Answer: A
NEW QUESTION # 561
Which of the following is MOST important to ensuring information stored by an organization is protected appropriately?
- A. Defining security asset categorization
- B. Developing a records retention schedule
- C. Defining information stewardship roles
- D. Assigning information asset ownership
Answer: D
Explanation:
Explanation
The most important factor to ensuring information stored by an organization is protected appropriately is assigning information asset ownership. Information asset ownership is the process of identifying and assigning the roles and responsibilities of the individuals or groups who have the authority and accountability for the information assets and their protection. Information asset owners are responsible for defining the business value, classification, and security requirements of the information assets, as well as granting the access rights and privileges to the information users and custodians. Information asset owners are also responsible for monitoring and reviewing the security performance and compliance of the information assets, and reporting and resolving any security issues or incidents. By assigning information asset ownership, the organization can ensure that the information assets are properly identified, categorized, protected, and managed according to their importance, sensitivity, and regulatory obligations.
References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Data Classification, page 331; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question
62, page 572.
NEW QUESTION # 562
Which of the following is a PRIMARY benefit of managed security solutions?
- A. Lower cost of operations
- B. Easier implementation across an organization
- C. Wider range of capabilities
- D. Greater ability to focus on core business operations
Answer: D
NEW QUESTION # 563
......
The ISACA CISM exam consists of 150 multiple-choice questions that test candidates on four domains: Information Security Governance, Risk Management, Information Security Program Development and Management, and Information Security Incident Management. CISM exam is administered in a computer-based format and takes four hours to complete. To be eligible for the CISM certification, candidates must have at least five years of experience in information security management, with at least three years of experience in the four domains covered in the exam.
100% Free CISM Daily Practice Exam With 964 Questions: https://www.passsureexam.com/CISM-pass4sure-exam-dumps.html
CISM exam torrent ISACA study guide: https://drive.google.com/open?id=1FSph_Yb1i328uVp7VuHX3L7Qb3LnkiNi