CISM SET 8 Exam Questions &
Answers (Grade A+)
701. An organization recently outsourced the development of a
mission-critical business application. Which of the following would
be the BEST way to test for the existence of backdoors?
A. Perform security code reviews on the entire application
B. Scan the entire application using a vulnerability scanning tool
C. Monitor Internet traffic for sensitive information leakage
D. Run the application from a high-privileged account on a test
system - correct answer ✅A. Perform security code reviews on the
entire application
702. When remote access to confidential information is granted to
a vendor for analytic purposes, which of the following is the MOST
important security consideration?
A. The vendor must be able to amend data
B. The vendor must agree to the organization's information security
policy
C. Data is encrypted in transit and at rest at the vendor site
D. Data is subject to regular access log review - correct answer ✅B.
The vendor must agree to the organization's information security
policy
,CISM SET 8 Exam Questions &
Answers (Grade A+)
703. When investigating an information security incident details of
the incident should be shared:
A. widely to demonstrate positive intent
B. only as needed
C. only with management
D. only with internal audit - correct answer ✅B. only as needed
704. The PRIMARY advantage of involving end users in continuity
planning is that they:
A. can see the overall impact to the business
B. are more objective than information security management
C. can balance the technical and business risks
D. have a better understanding of specific business needs - correct
answer ✅D. have a better understanding of specific business
needs
705. In a business proposal, a potential vendor promotes being
certified for international security standards as a measure of its
security capability.
Before relying on this certification, it is MOST important that the
information security manager confirms that the:
,CISM SET 8 Exam Questions &
Answers (Grade A+)
A. certification scope is relevant to the service being offered
B. certification will remain current through the life of the contract
C. current international standard was used to assess security
processes
D. certification can be extended to cover the client's business -
correct answer ✅A. certification scope is relevant to the service
being offered
706. Which of the following service offerings in a typical
Infrastructure as a Service (IaaS) model will BEST enable a cloud
service provider to assist customers when recovering from a
security incident?
A. Capability to take a snapshot of virtual machines
B. Capability of online virtual machine analysis
C. Availability of web application firewall logs
D. Availability of current infrastructure documentation - correct
answer ✅A. Capability to take a snapshot of virtual machines
707. Which of the following roles is BEST able to influence the
security culture within an organization?
A. Chief information security officer (CISO)
, CISM SET 8 Exam Questions &
Answers (Grade A+)
B. Chief information officer (CIO)
C. Chief operating officer (COO)
D. Chief executive officer (CEO) - correct answer ✅D. Chief
executive officer (CEO)
708. Which of the following BEST indicates the effectiveness of a
recent information security awareness campaign delivered across
the organization?
A. Increase in the frequency of security incident escalations
B. Reduction in the impact of security incidents
C. Decrease in the number of security incidents
D. Increase in the number of reported security incidents - correct
answer ✅D. Increase in the number of reported security incidents
709. Which of the following is the BEST evidence of alignment
between corporate and information security governance?
A. Security key performance indicators (KPIs)
B. Senior management sponsorship
C. Regular security policy reviews
D. Project resource optimization - correct answer ✅B. Senior
management sponsorship
Answers (Grade A+)
701. An organization recently outsourced the development of a
mission-critical business application. Which of the following would
be the BEST way to test for the existence of backdoors?
A. Perform security code reviews on the entire application
B. Scan the entire application using a vulnerability scanning tool
C. Monitor Internet traffic for sensitive information leakage
D. Run the application from a high-privileged account on a test
system - correct answer ✅A. Perform security code reviews on the
entire application
702. When remote access to confidential information is granted to
a vendor for analytic purposes, which of the following is the MOST
important security consideration?
A. The vendor must be able to amend data
B. The vendor must agree to the organization's information security
policy
C. Data is encrypted in transit and at rest at the vendor site
D. Data is subject to regular access log review - correct answer ✅B.
The vendor must agree to the organization's information security
policy
,CISM SET 8 Exam Questions &
Answers (Grade A+)
703. When investigating an information security incident details of
the incident should be shared:
A. widely to demonstrate positive intent
B. only as needed
C. only with management
D. only with internal audit - correct answer ✅B. only as needed
704. The PRIMARY advantage of involving end users in continuity
planning is that they:
A. can see the overall impact to the business
B. are more objective than information security management
C. can balance the technical and business risks
D. have a better understanding of specific business needs - correct
answer ✅D. have a better understanding of specific business
needs
705. In a business proposal, a potential vendor promotes being
certified for international security standards as a measure of its
security capability.
Before relying on this certification, it is MOST important that the
information security manager confirms that the:
,CISM SET 8 Exam Questions &
Answers (Grade A+)
A. certification scope is relevant to the service being offered
B. certification will remain current through the life of the contract
C. current international standard was used to assess security
processes
D. certification can be extended to cover the client's business -
correct answer ✅A. certification scope is relevant to the service
being offered
706. Which of the following service offerings in a typical
Infrastructure as a Service (IaaS) model will BEST enable a cloud
service provider to assist customers when recovering from a
security incident?
A. Capability to take a snapshot of virtual machines
B. Capability of online virtual machine analysis
C. Availability of web application firewall logs
D. Availability of current infrastructure documentation - correct
answer ✅A. Capability to take a snapshot of virtual machines
707. Which of the following roles is BEST able to influence the
security culture within an organization?
A. Chief information security officer (CISO)
, CISM SET 8 Exam Questions &
Answers (Grade A+)
B. Chief information officer (CIO)
C. Chief operating officer (COO)
D. Chief executive officer (CEO) - correct answer ✅D. Chief
executive officer (CEO)
708. Which of the following BEST indicates the effectiveness of a
recent information security awareness campaign delivered across
the organization?
A. Increase in the frequency of security incident escalations
B. Reduction in the impact of security incidents
C. Decrease in the number of security incidents
D. Increase in the number of reported security incidents - correct
answer ✅D. Increase in the number of reported security incidents
709. Which of the following is the BEST evidence of alignment
between corporate and information security governance?
A. Security key performance indicators (KPIs)
B. Senior management sponsorship
C. Regular security policy reviews
D. Project resource optimization - correct answer ✅B. Senior
management sponsorship
