QUESTIONS AND CORRECT ANSWERS
Which of the following should be the FIRST step in developing an information security plan?
A. Perform a technical vulnerabilities assessment
B. Analyze the current business strategy
C. Perform a business impact analysis
D. Assess the current levels of security awareness - ANSWER>>B
Senior management commitment and support for information security can BEST be obtained through presentations that:
A. use illustrative examples of successful attacks.
B. explain the technical risks to the organization.
C. evaluate the organization against best security practices.
D. tie security risks to key business objectives. - ANSWER>>D
The MOST appropriate role for senior management in supporting information security is the:
A. evaluation of vendors offering security products.
B. assessment of risks to the organization.
C. approval of policy statements and funding.
D. monitoring adherence to regulatory requirements. - ANSWER>>C
Which of the following would BEST ensure the success of information security governance within an organization?
A. Steering committees approve security projects
B. Security policy training provided to all managers
C. Security training available to all employees on the intranet
D. Steering committees enforce compliance with laws and regulations - ANSWER>>A
Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy. - ANSWER>>D
Which of the following represents the MAJOR focus of privacy regulations?
A. Unrestricted data mining
B. Identity theft
C. Human rights protection
D. Identifiable personal data - ANSWER>>D
Investments in information security technologies should be based on:
A. vulnerability assessments.
B. value analysis.
C. business climate.
D. audit recommendations. - ANSWER>>B
Retention of business records should PRIMARILY be based on:
A. business strategy and direction.
B. regulatory and legal requirements.
C. storage capacity and longevity.
D. business ease and value analysis. - ANSWER>>B
Which of the following is characteristic of centralized information security management?
A. More expensive to administer
B. Better adherence to policies
C. More aligned with business unit needs
D. Faster turnaround of requests - ANSWER>>B
Successful implementation of information security governance will FIRST require:
A. security awareness training.
B. updated security policies.
C. a computer incident management team.
D. a security architecture. - ANSWER>>B
Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
A. Information security manager
B. Chief operating officer (COO)
C. Internal auditor
D. Legal counsel - ANSWER>>B
The MOST important component of a privacy policy is:
A. notifications.
B. warranties.
C. liabilities.
D. geographic coverage. - ANSWER>>A
The cost of implementing a security control should not exceed the:
A. annualized loss expectancy.
B. cost of an incident.
C. asset value.
D. implementation opportunity costs. - ANSWER>>C
When a security standard conflicts with a business objective, the situation should be resolved by:
A. changing the security standard.
B. changing the business objective.
C. performing a risk analysis.
D. authorizing a risk acceptance. - ANSWER>>C
Minimum standards for securing the technical infrastructure should be defined in a security:
A. strategy.