CISM Domain 2 Exam Questions & Answers (Grade A+)
Risk controls are adequate when ____ -
correct answer ✅the residual risk is less than or equal to
acceptable risk
Value at risk can be used: -
correct answer ✅to determine maximum probable loss in a given
time period—typically at 95 or 99 percent certainty.
High-impact, low-likelihood situations are typically most
cost-effectively covered by ________ -
correct answer ✅transferring the risk to a third party, e.g.,
insurance
Reducing exposure reduces _______ -
correct answer ✅the likelihood of a vulnerability being exploited
Factor in calculating the impact of lost connectivity: -
correct answer ✅Financial losses incurred by the business units
Control baselines are MOST directly related to the: -
correct answer ✅organization's risk appetite
First step in a risk analysis process to determine the impact to the
organization -
correct answer ✅Calculate the value of the information or asset
Unless the exploitation of vulnerability by a threat has ________ ,
there is no risk to the organization. -
correct answer ✅consequences
Purpose of controls: -
correct answer ✅Bring residual risk to acceptable levels
Most effective way to avoid introduction of malware into end
users' computers. -
correct answer ✅Restricting execution of mobile code
Which program element should be implemented FIRST in asset
classification and control? -
correct answer ✅Valuation
Why might an organization rationally choose to mitigate a risk that
is estimated to be at a level higher than its stated risk appetite but
within its stated risk tolerance? -