CISM - Test Practice Exam Newest 2025/2026 with
Complete Questions and Correct Answers | Already
Graded A+ | Brand New Version!
Security governance is most concerned with:
A. Security policy
B. IT policy
C. Security strategy
D. Security executive - ANSWER-C. Security Strategy
A gaming software startup company does not employ penetration testing of its software. This is
an example of:
A. High tolerance of risk
B. Noncompliance
C. Irresponsibility
D. Outsourcing - ANSWER-A. High tolerance of risk
An organization's board of directors wants to see quarterly metrics on risk reduction. What
would be the best metric for this purpose?
A. Number of firewall rules triggered
B. Viruses blocked by the firewall
C. Packets dropped by the firewall
D. Time to patch vulnerabilities on critical servers - ANSWER-D. Time to patch vulnerabilities on
critical servers
Which of the following metrics is the best example of a leading indicator?
A. Average time to mitigate security incidents
B. Increase in the number of attacks blocked by the intrusion prevention system (IPS)
C. Increase in the number of attacks blocked by the firewall
D. Percentage of critical servers being patched within service level agreements (SLAs) - ANSWER-
D. Percentage of critical servers being patched within service level agreements (SLAs)
What are the elements of the business model for information security (BMIS)?
A. Culture, governing, architecture, emergence, enabling and support, human factors
B. People, process, technology
C. Organization, people, process, technology
D. Financial, customer, internal processes, innovation, and learning - ANSWER-C. Organization,
people, process, technology
The best definition of a strategy is:
A. The objective to achieve a plan
B. The plan to achieve an objective
C. The plan to achieve business alignment
D. The plan to reduce risk - ANSWER-B. The plan to achieve an objective
The primary factor related to the selection of a control framework is:
A. Industry vertical
B. Current process maturity level
C. Size of the organization
D. Compliance level - ANSWER-A. Industry vertical
As part of understanding the organization's current state, a security strategist is examining the
organization's security policy. What does the policy tell the strategist?
A. The level of management commitment to security
B. The compliance level of the organization
C. The maturity level of the organization