CISM - TEST PRACTICE | NEW 2026 UPDATE | QUESTIONS AND ANSWERS | WITH COMPLETE SOLUTION!!

CISM - TEST PRACTICE | NEW 2026 UPDATE |
QUESTIONS AND ANSWERS | WITH COMPLETE
SOLUTION!!




Security governance is most concerned with:
A. Security policy
B. IT policy
C. Security strategy
D. Security executive Answer - C. Security Strategy


A gaming software startup company does not employ penetration testing of its
software. This is an example of:
A. High tolerance of risk
B. Noncompliance
C. Irresponsibility
D. Outsourcing Answer - A. High tolerance of risk


An organization's board of directors wants to see quarterly metrics on risk
reduction. What would be the best metric for this purpose?
A. Number of firewall rules triggered
B. Viruses blocked by the firewall
C. Packets dropped by the firewall
D. Time to patch vulnerabilities on critical servers Answer - D. Time to patch
vulnerabilities on critical servers

,Which of the following metrics is the best example of a leading indicator?
A. Average time to mitigate security incidents
B. Increase in the number of attacks blocked by the intrusion prevention
system (IPS)
C. Increase in the number of attacks blocked by the firewall
D. Percentage of critical servers being patched within service level agreements
(SLAs) Answer - D. Percentage of critical servers being patched within service
level agreements (SLAs)


What are the elements of the business model for information security (BMIS)?
A. Culture, governing, architecture, emergence, enabling and support, human
factors
B. People, process, technology
C. Organization, people, process, technology
D. Financial, customer, internal processes, innovation, and learning Answer - C.
Organization, people, process, technology


The best definition of a strategy is:
A. The objective to achieve a plan
B. The plan to achieve an objective
C. The plan to achieve business alignment
D. The plan to reduce risk Answer - B. The plan to achieve an objective


The primary factor related to the selection of a control framework is:
A. Industry vertical
B. Current process maturity level
C. Size of the organization

, D. Compliance level Answer - A. Industry vertical


As part of understanding the organization's current state, a security strategist is
examining the organization's security policy. What does the policy tell the
strategist?
A. the level of management commitment to security
B. The compliance level of the organization
C. The maturity level of the organization
D. None of these Answer - D. None of these


While gathering and examining various security-related business records, the
security manager has determined that the organization has no security incident
log. What conclusion can the security manager make from this?
A.The organization does not have security incident detection capabilities
B. The organization has not yet experienced a security incident
C. The organization is recording security incidents in its risk register
D. The organization has effective preventive and detective controls. Answer -
A. The organization does not have security incident detection capabilities


The purpose of a balanced scorecard is to:
A. Measure the efficiency of a security organization
B. Evaluate the performance of individual employees
C. Benchmark a process in the organization against peer organizations
D. Measure organizational performance and effectiveness against strategic
goals Answer - D. Measure organizational performance and effectiveness
against strategic goals