Exam (worked answers)

WGU D489 Task 1 Cybersecurity Management Actual Exam 2026/2027 – Complete Exam-Style Questions with Detailed Rationales | 100% Verified | Pass Guaranteed – A+ Graded

Rating: -
Sold: -
Pages: 18
Grade: A+
Uploaded on: 30-04-2026
Written in: 2025/2026

Institution: WGU D489
Course: WGU D489

Preview of the content

[SECTION 1: Cybersecurity Governance & Strategy — Questions 1-7]

Q1: A Chief Information Security Officer (CISO) is tasked with aligning the cybersecurity
program with the organization's primary business goal of expanding into new international
markets. Which governance activity best ensures this alignment?

A. Revising the firewall rulesets to allow traffic from new geographic regions.
B. Updating the Acceptable Use Policy to include multiple languages.

C. Integrating risk management into the strategic planning process to identify and mitigate
market-specific regulatory risks.

D. Conducting a penetration test against the new data centers being built abroad.
Correct Answer: C

Rationale: Integrating risk management into strategic planning embeds security considerations into business decisions from the start, so region-specific compliance requirements (for example the GDPR when entering the EU market) are identified before they can block or delay expansion. This aligns with the "Govern" function of the NIST Cybersecurity Framework 2.0, which treats cybersecurity as an enterprise-wide risk management issue rather than a purely technical one. Option A is a technical control, not a governance activity. Option B is a procedural update with no strategic scope. Option D is a tactical assurance activity that takes place after the strategic decisions have already been made.



Q2: An organization is preparing for an ISO/IEC 27001 certification audit. According to the
governance requirements of the standard, what is the primary objective of the Statement of
Applicability (SoA)?

A. To list all software vulnerabilities currently present in the environment.

B. To identify the applicable security controls from Annex A and justify their inclusion or
exclusion.

C. To document the roles and responsibilities of the Incident Response Team.

D. To provide a financial breakdown of the information security budget.

Correct Answer: B

Rationale: The Statement of Applicability (SoA) is the ISO/IEC 27001 document that links the risk assessment to the implementation of controls. It lists which Annex A controls are applicable to the organization, states whether each is implemented, and justifies the exclusion of any control that is not, which demonstrates due diligence to the auditor. Option A describes a vulnerability report, not the SoA. Option C belongs in an incident response plan or policy. Option D is part of budget management, not certification scope definition.


Q3: During a board meeting, a director asks the CISO to explain the concept of "Due Diligence" versus "Due Care" in the context of legal liability. Which statement best distinguishes the two?

A. Due Diligence is the act of monitoring systems, while Due Care is the act of investigating incidents.

B. Due Diligence is the research and analysis of a company's organizational health, while Due Care is the implementation of security practices to maintain that health.

C. Due Diligence applies to physical security, while Due Care applies to logical security.

D. Due Diligence is required by law, whereas Due Care is only an ethical guideline.

Correct Answer: B

Rationale: In legal and governance terms, Due Diligence is the research, risk assessment and ongoing review that establishes what needs to be protected and whether the protection is working; Due Care is acting on that knowledge by implementing and maintaining the safeguards a reasonable organization would put in place. Together they form the "prudent person" standard against which negligence is judged. Option A describes operational tasks and reverses the relationship between investigation and action. Option C is incorrect because both concepts apply to every domain of security. Option D is incorrect because both carry legal and ethical weight in liability cases.



Q4: Senior management has decided to outsource the company's customer support call center to
a third-party provider. Which governance mechanism is most critical to manage the security risks
associated with this relationship?

A. A detailed Service Level Agreement (SLA) that includes security metrics and penalties for
non-compliance.

B. A Memorandum of Understanding (MOU) that outlines the general spirit of cooperation.

C. A Non-Disclosure Agreement (NDA) signed by the call center employees.

D. A direct connection between the corporate VPN and the third-party network.

Correct Answer: A

Rationale: A Service Level Agreement (SLA), as part of the contract, is the primary governance tool for managing third-party risk because it contractually binds the provider to specific performance and security obligations (for example patch deployment timelines, background-check requirements, breach-notification deadlines and a right-to-audit clause). It gives the organization a basis for audits and remediation and keeps the vendor within the organization's risk appetite. An MOU is generally non-binding and lacks the enforcement teeth of an SLA. An NDA protects confidentiality but does not enforce operational security controls. A direct VPN connection (Option D) is a technical integration that increases risk unless it is governed by a contract.


Q5: The organization wants to formally establish a data classification scheme. Which governance
body should be responsible for approving the classification categories and the handling
procedures for each level?

A. The Data Governance Council or Senior Management.
B. The IT Security Operations Team.

C. The External Auditors.

D. The Human Resources Department.

Correct Answer: A

Rationale: A Data Governance Council, made up of stakeholders from legal, compliance, the business units and IT, is the appropriate body to approve a data classification scheme because it can ensure the policy matches business needs and regulatory requirements across the whole organization, with senior management bearing ultimate accountability for data protection. IT Security Operations implements the technical controls that the policy calls for but does not set the governance rules. Auditors assess compliance, and HR handles personnel data, but neither has the cross-functional authority to classify all organizational data.
