Detailed Answers
Which of the following steps should be FIRST in developing an
information security plan?
A. Perform a technical vulnerabilities assessment.
B. Analyze the current business strategy.
C. Perform a business impact analysis.
D. Assess the current levels of security awareness. -
correct answer ✅B. An information security manager needs to
gain an understanding of the current business strategy and
direction to understand the organization's objectives and the
impact of the other answers on achieving those objectives.
Senior management commitment and support for information
security can BEST be obtained through presentations that:
A. use illustrative examples of successful attacks.
B. explain the technical risk to the organization.
C. evaluate the organization against good security practices.
D. tie security risk to key business objectives. -
correct answer ✅D. Senior management wants to understand the
business justification for investing in security in relation to
achieving key business objectives.
The MOST appropriate role for senior management in supporting
information security is the:
A. evaluation of vendors offering security products.
B. assessment of risk to the organization.
C. approval of policy statements and funding.
D. developing standards sufficient to achieve acceptable risk. -
correct answer ✅C. Policies are a statement of senior
management intent and direction. Therefore, senior management
must approve them in addition to providing sufficient funding to
achieve the organization's risk management objectives.
Which of the following would be the BEST indicator of effective
information security governance within an organization?
A. The steering committee approves security projects.
B. Security policy training is provided to all managers.
C. Security training is available to all employees on the intranet.
D. IT personnel are trained in testing and applying required patches. -
correct answer ✅A. The existence of a steering committee that
approves all security projects would be an indication of the
existence of a good governance program. To ensure that all
stakeholders impacted by security considerations are involved,
many organizations use a steering committee comprised
of senior representatives of affected groups. This composition helps
to achieve consensus on priorities and trade-offs and serves as an
effective communication channel for ensuring the alignment of the
security program with business objectives.
Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy. -
correct answer ✅D. Business strategy is the main determinant of
information security governance because security must align with
the business objectives set forth in the business strategy.
What is the MOST essential attribute of an effective key risk
indicator (KRI)? The KRI:
A. is accurate and reliable.
B. provides quantitative metrics.
C. indicates required action.
D. is predictive of a risk event. -
correct answer ✅D. A KRI should indicate that a risk is developing
or changing to show that investigation is needed to determine the
nature and extent of a risk.
Investments in information security technologies should be based
on:
A. vulnerability assessments.
B. value analysis.
C. business climate.
D. audit recommendations. -
correct answer ✅B. Investments in security technologies should be
based on a value analysis and a sound business case.
Determining which element of the confidentiality, integrity and
availability (CIA) triad is MOST important is a necessary task when: