ANSWERS SURE A+
✔✔Information Security Governance - ✔✔While corporate governance deals with
performance and control at all levels of the organization, information security
governance is a subset of corporate governance. Information security governance is
concerned with the policies and controls related to protecting information in the
organization. It helps you to
• ensure that information security objectives are achieved
• provide strategic direction for information security activities
• ensure the efficient use of information resources, and
• manage information security risks
✔✔General components of the Information Security Governance Framework are: - ✔✔
- security strategy
- security policies
- standards
- security organizational structure
- metrics and monitoring
✔✔Steering Committee - ✔✔Consists of senior representatives of departments that are
directly or indirectly affected by information security policies. The steering committee
aims to involve all stakeholders influenced by security aspects.
✔✔Who is responsible for identifying information assets that need to be protected and
assigning appropriate priorities and protection levels for them? - ✔✔The Board of
Directors
✔✔Who is responsible for achieving organizational consent over priorities related to
information security and ensuring the involvement of all stakeholders influenced by
security considerations? - ✔✔The Steering Committee
✔✔Who needs to establish reporting and communication channels in the whole
organization to make sure that information security governance is effective? - ✔✔The
CISO
✔✔Who should establish processes for integrating security with business objectives
and provide proper leadership and continuous support to the people working to
implement information security? - ✔✔Executive Management
✔✔What is GRC? - ✔✔Governance, Risk Management, Compliance
✔✔What are the 3 GRC processes? - ✔✔- Governance is the process that senior
management can use to direct and control an organization. It involves developing
methods to ensure that all employees of the organization adhere to its policies,
standards, and procedures.
- Risk management helps you create and implement methods for mitigating risks. Using
this process, you can establish the organization's risk tolerance, recognize potential
risks and their impact on business operations, and decide the priority for mitigating the
risks based on business goals and risk tolerance.
- Compliance is the process by which you supervise the controls and methods
that ensure adherence to an organization's policies, standards, and procedures.
✔✔Systems Theory - ✔✔Systems Theory is a network of processes, people,
technologies, relationships, events, reactions, and results that interact with each other
to achieve one common goal. By analyzing these interactions, an information security
manager can understand the working of a system in an organization and control any
risks to it.
✔✔4 elements of the information security business model - ✔✔• organization design
and strategy
• people
• process
• technology