CERTIFIED Information Security
Manager (CISM) Examination
QUESTION AND CORRECT ANSWERS
(VERIFIED ANSWERS) PLUS RATIONALES
2026 Q&A INSTANT DOWNLOAD PDF
1. Which activity is primarily the responsibility of an information security
manager?
A. Configuring firewalls
B. Developing encryption algorithms
C. Managing organizational risk
D. Writing application code
Correct Answer: C
Rationale: Managing and reducing information risk at the enterprise level is the
core responsibility of an information security manager, while technical tasks are
delegated to specialists.
2. Which document BEST aligns information security with business objectives?
A. Incident response plan
B. Information security policy
C. Disaster recovery plan
D. Security procedures manual
Correct Answer: B
Rationale: An information security policy establishes management direction and
ensures security supports business objectives.
3. What is the MOST important factor when establishing an information
security governance framework?
A. Technology standards
B. Regulatory requirements
C. Business goals and strategy
D. Threat landscape
Correct Answer: C
Rationale: Governance must be driven by business goals to ensure security
investments provide value and support organizational objectives.
4. Which role is ultimately accountable for information security governance?
A. Information security manager
B. Chief information officer (CIO)
C. Board of directors
D. IT operations manager
Correct Answer: C
Rationale: The board of directors has ultimate accountability for governance,
including information security oversight.
5. Which metric BEST measures the effectiveness of an information security
program?
A. Number of security tools deployed
B. Cost of security incidents
C. Compliance audit findings
D. Reduction in business risk
Correct Answer: D
Rationale: Effectiveness is measured by how well the program reduces risk to
acceptable levels for the business.
6. What is the PRIMARY objective of information risk management?
A. Eliminating all risk
B. Reducing risk to zero
C. Managing risk within tolerance
D. Transferring all risk to insurers
Correct Answer: C
Rationale: Risk management focuses on maintaining risk within the
organization’s defined risk appetite and tolerance.
7. Which risk response option involves outsourcing a business process?
A. Risk acceptance
B. Risk mitigation
C. Risk transfer
D. Risk avoidance
Correct Answer: C
Rationale: Outsourcing transfers some or all of the risk to a third party, although
the organization retains accountability for the outcome and must still manage the
residual risk.
8. What should be the FIRST step in the risk management process?
A. Risk analysis
B. Risk evaluation
C. Risk identification
D. Risk treatment
Correct Answer: C
Rationale: Risks must be identified before they can be analyzed, evaluated, or
treated.
9. Which factor MOST influences the selection of risk treatment options?
A. Threat frequency
B. Asset value
C. Risk appetite
D. Control cost
Correct Answer: C
Rationale: Risk appetite determines how much risk the organization is willing to
accept and guides treatment decisions.
10. Which scenario BEST demonstrates risk acceptance?
A. Implementing additional controls
B. Purchasing cyber insurance
C. Discontinuing a risky service
D. Acknowledging and monitoring a low-impact risk
Correct Answer: D
Rationale: Risk acceptance occurs when management knowingly accepts a risk
that falls within its tolerance, applies no additional controls, and continues to
monitor the risk for changes.
11. What is the PRIMARY purpose of an information asset classification
scheme?
A. Assign ownership
B. Define retention periods
C. Determine protection requirements
D. Meet audit requirements
Correct Answer: C
Rationale: Classification ensures assets receive protection commensurate with
their value and sensitivity.