CISM - Domain 1 - InfoSec Governance Exam Questions & Answers (Grade A+)
Security governance principles -
correct answer ✅
* Bottom-up
* Top-down
* C-Level Exec ultimately liable
Governance standards and control frameworks -
correct answer ✅PCI-DSS
OCTAVE (self-directed risk mgmt.)
COBIT (goals for IT stakeholders)
COSO (goals for entire org.)
ITIL (IT service mgmt.)
FRAP (analyze one business unit/app/system at a time in a roundtable)
OCTAVE -
correct answer ✅Operationally Critical Threat, Asset and Vulnerability Evaluation
FRAP -
correct answer ✅Facilitated Risk Analysis Process, provides tested variations on the methodology
ISO 27000 series -
correct answer ✅This series contains a range of individual standards and documents specifically reserved by ISO for information security. ISO 27001, 27002, 27004, 27005, 27799
ISO 27001 -
correct answer ✅Establish, implement, control and improvement of the ISMS. Uses PDCA (plan, do, check, act).
ISO 27002 -
correct answer ✅Provides practical advice on how to implement security controls. From BS 7799. Security controls based on industry best practices.
ISO 27004 -
correct answer ✅Information Security Metrics Implementation. A standard to measure ISMS effectiveness.
ISO 27005 -
correct answer ✅Standards-based approach to risk mgmt.
ISO 27799 -
correct answer ✅Guide illustrating the protection of personal health data using ISO 17799 (27002).
Defense in depth (layered defense or onion defense) -
correct answer ✅Multiple overlapping security controls; applies to physical and logical security; no single security control secures an asset; improves CIA.
Policies -
correct answer ✅Mandatory, high-level, non-specific. They can contain "patches, updates, strong encryption". They will not be specific to "
Standards -
correct answer ✅Mandatory; describes a specific use of technology.
Guidelines -
correct answer ✅Non-mandatory; recommendations relating to a policy.