ISACA CISM Exam Questions

Questions for the CISM were updated on: Dec 01, 2025

Page 1 out of 65. Viewing questions 1-15 out of 967

Question 1

An organization has implemented controls to mitigate risks resulting from identified vulnerabilities in
an application. Which of the following is the BEST way to verify all weaknesses have been addressed?

  • A. Conduct an internal audit.
  • B. Conduct penetration testing.
  • C. Perform a vulnerability assessment.
  • D. Prepare compensating controls.
Answer: C

Explanation:
After the controls have been implemented, a vulnerability assessment is the best way to verify that the previously identified weaknesses have been addressed: the same scanner, scope, and finding list that identified the weaknesses can be re-run and compared against the baseline. The CISM Review Manual describes vulnerability assessments as a systematic scan for known vulnerabilities that confirms remediation effectiveness. Penetration testing is valuable but is exploit-driven and selective in depth rather than breadth, so it does not efficiently confirm that every finding was closed. An internal audit checks process rather than technical state, and preparing compensating controls is a response to a weakness, not a verification that it is gone.
Reference: ISACA CISM Review Manual, 16th Edition, Page 164-165, "Vulnerability Management and Assessment".

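The verification step the explanation describes, as an added example that is not part of this page or of the CISM Review Manual: a baseline assessment is diffed against a re-scan taken after remediation, so each original finding is reported as closed or persisting, and anything the change introduced shows up as new. The hosts, ports, finding names and severities are constructed sample data, not output from any real scanner.

```python
"""Verify remediation by diffing a baseline vulnerability-assessment result
against a re-scan taken after the controls were implemented.

All findings below are constructed sample data for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    name: str        # scanner's finding title (constructed for the example)
    severity: str    # "critical" | "high" | "medium" | "low"

    @property
    def key(self):
        # Identity of a weakness: where it is and what it is. Severity is
        # deliberately excluded so a re-rated finding still matches itself.
        return (self.host, self.port, self.name)


def verify_remediation(baseline, rescan):
    """Return which baseline findings are closed, which persist, and which
    findings are new in the re-scan (possibly introduced by the change)."""
    before = {f.key: f for f in baseline}
    after = {f.key: f for f in rescan}
    return {
        "closed": sorted(k for k in before if k not in after),
        "persisting": sorted(k for k in before if k in after),
        "new": sorted(k for k in after if k not in before),
    }


def remediation_complete(baseline, rescan):
    """True only when every baseline finding is gone AND the change did not
    introduce new critical or high findings."""
    result = verify_remediation(baseline, rescan)
    rescan_by_key = {f.key: f for f in rescan}
    new_serious = [k for k in result["new"]
                   if rescan_by_key[k].severity in ("critical", "high")]
    return not result["persisting"] and not new_serious


BASELINE = [  # constructed: findings before the controls were implemented
    Finding("app01.example.test", 443, "TLS 1.0 enabled", "medium"),
    Finding("app01.example.test", 8080, "Default admin credentials", "critical"),
    Finding("app01.example.test", 443, "Missing HSTS header", "low"),
]
RESCAN = [  # constructed: findings after remediation
    Finding("app01.example.test", 443, "Missing HSTS header", "low"),          # still open
    Finding("app01.example.test", 443, "Weak cipher suites offered", "medium"),  # new
]

if __name__ == "__main__":
    for state, keys in verify_remediation(BASELINE, RESCAN).items():
        print(f"{state}: {keys}")
    print("remediation complete:", remediation_complete(BASELINE, RESCAN))
```

The re-scan must use the same scope and the same finding identity as the baseline; a scan of a different host list or with a different plugin set will report "closed" findings that were simply not looked for.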

Question 2

Which of the following would be the BEST way to reduce the risk of disruption resulting from an
emergency system change?

  • A. Confirm the change implementation is scheduled.
  • B. Verify the change request has been approved.
  • C. Confirm rollback plans are in place.
  • D. Notify users affected by the change.
Answer: C

Explanation:
The best way to reduce the risk of disruption from an emergency system change is to confirm that rollback plans are in place. According to the CISM Review Manual, an effective rollback (or backout) plan ensures that if the emergency change causes unexpected problems, the organization can quickly revert to a known, stable state, which minimizes downtime and impact on business operations. Approval and communication are important, but only a rollback plan directly reduces the impact of a change that goes wrong.
Reference: ISACA CISM Review Manual, 16th Edition, Page 210, "Change Management – Rollback Planning".

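The snapshot-apply-verify-revert pattern behind a rollback plan, as an added example that is not from this page or the CISM Review Manual. The "service configuration" is a plain dict, the health check is simulated, and both emergency changes are constructed; a real change would snapshot the actual system (package versions, config files, a VM or database checkpoint) and the health check would probe the running service.

```python
"""Emergency change with a verified rollback path.

The service configuration, health check and changes are constructed for
this example.
"""
import copy

BASE_CONFIG = {"tls_min_version": "1.0", "listen_port": 443, "max_conns": 500}


def service_healthy(config):
    """Simulated verification: the service must still listen on 443, accept
    a sane number of connections and use a supported TLS floor."""
    return (config.get("listen_port") == 443
            and config.get("max_conns", 0) >= 100
            and config.get("tls_min_version") in {"1.0", "1.2", "1.3"})


def apply_with_rollback(config, change, health_check):
    """Snapshot, apply, verify; revert to the snapshot on any failure.

    Returns (succeeded, config, log). `config` is mutated in place so the
    caller holds the final state either way."""
    log = []
    if not health_check(config):
        log.append("pre-check failed: not starting from a known-good state")
        return False, config, log
    snapshot = copy.deepcopy(config)            # the state we can return to
    try:
        change(config)
        log.append("change applied")
        if health_check(config):
            log.append("post-check passed")
            return True, config, log
        log.append("post-check failed")
    except Exception as exc:                    # an exception also triggers rollback
        log.append(f"change raised: {exc!r}")
    config.clear()
    config.update(snapshot)
    log.append("rolled back to snapshot")
    if not health_check(config):
        log.append("WARNING: health check still failing after rollback")
    return False, config, log


def raise_tls_floor(config):
    """Constructed emergency change: stop offering TLS 1.0."""
    config["tls_min_version"] = "1.2"


def hotfix_that_breaks_capacity(config):
    """Constructed bad emergency change: a typo sets max_conns to 0."""
    config["max_conns"] = 0


if __name__ == "__main__":
    for change in (raise_tls_floor, hotfix_that_breaks_capacity):
        cfg = copy.deepcopy(BASE_CONFIG)
        ok, cfg, log = apply_with_rollback(cfg, change, service_healthy)
        print(change.__name__, "->", "OK" if ok else "REVERTED", cfg, log)
```

The pre-check matters as much as the post-check: if the system is already unhealthy before the emergency change, the snapshot is not a known-good state and rolling back to it proves nothing.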

Question 3

An organization has an ongoing security awareness training program. Employee participation has
been decreasing over the year, while the number of malware and phishing incidents from email has
been increasing. What is the information security manager's BEST course of action?

  • A. Report the findings to senior management with recommendations.
  • B. Implement a phishing reporting tool in the email system.
  • C. Include regular phishing campaigns after each training session.
  • D. Make the training program mandatory for all employees.
Answer: D

Explanation:
If participation in security awareness training is decreasing while incidents are rising, making the
training program mandatory for all employees is the best course of action. The CISM Review Manual
notes that mandatory training ensures organizational-wide coverage and directly addresses the lack
of participation, which is likely contributing to increased incidents.
Reference: ISACA CISM Review Manual, 16th Edition, Page 220-221, "Awareness and Training – Ensuring Coverage".


Question 4

Which type of system is MOST effective for prioritizing cyber incidents based on impact and tracking
them until they are closed?

  • A. Security information and event management (SIEM)
  • B. Extended detection and response (XDR)
  • C. Endpoint detection and response (EDR)
  • D. Network intrusion detection system (NIDS)
Answer: A

Explanation:
A SIEM collects, correlates, and analyzes security events from across the environment, which allows incidents to be rated and prioritized by risk and impact and then tracked from detection through resolution, as the CISM Review Manual describes under incident management and monitoring. EDR, XDR, and NIDS generate detections from their own telemetry (endpoints, a broader set of sources, or network traffic) but do not by themselves provide the central case queue that carries an incident to closure.
Reference: ISACA CISM Review Manual, 16th Edition, Page 303-304, "SIEM and Incident Prioritization".


Question 5

The BEST way to integrate information security governance with corporate governance is to ensure:

  • A. the information security steering committee monitors compliance with security policies.
  • B. management teams embed information security into business processes.
  • C. awareness programs include industry best practice for information security governance.
  • D. the information security program is included in regular external audits.
Answer: B

Explanation:
The best way to integrate information security governance with corporate governance is for
management teams to embed information security into business processes. The CISM Review
Manual explains that aligning security objectives and activities with organizational goals and
business processes ensures that security is a core part of business operations and strategy, not an
isolated activity.
Reference: ISACA CISM Review Manual, 16th Edition, Page 38-39, "Integration of Information Security with Business Processes".


Question 6

Which of the following should be an information security manager's FIRST course of action when a
potential business breach is discovered in a critical business system?

  • A. Implement mitigating actions immediately.
  • B. Invoke the incident response plan.
  • C. Inform senior management of the breach.
  • D. Validate the breach.
Answer: D

Explanation:
The first step when a potential breach is discovered is to validate the breach. According to the CISM
Review Manual, Domain 4, the information security manager must confirm the event to avoid
unnecessary escalation or resource allocation. This validation ensures that the incident is real and
justifies further response actions. Invoking the incident response plan or informing management
comes after the breach is validated.
Reference: ISACA CISM Review Manual, 16th Edition, Page 280, "Incident Detection and Validation".


Question 7

An information security manager is updating the organization's incident response plan. Which of the
following is the BEST way to validate that the process and procedures provided by IT and business
units are complete, accurate, and known by all responsible teams?

  • A. Review the test objectives with stakeholders.
  • B. Conduct a data breach incident tabletop exercise.
  • C. Conduct an incident response plan survey.
  • D. Review data breach incident triage steps.
Answer: B

Explanation:
Conducting a tabletop exercise is the best method to validate the completeness, accuracy, and
awareness of incident response procedures. The CISM Review Manual details that tabletop exercises
simulate scenarios, allowing teams to test responses, clarify responsibilities, and reveal gaps in the
process in a controlled environment.
Reference: ISACA CISM Review Manual, 16th Edition, Page 295, "Testing and Validating Incident Response Plans".


Question 8

Which of the following should an information security manager do FIRST when developing an
organization's disaster recovery plan (DRP)?

  • A. Conduct a risk assessment.
  • B. Document disaster recovery procedures.
  • C. Identify business requirements.
  • D. Perform a business impact analysis (BIA).
Answer: D

Explanation:
The business impact analysis (BIA) is the foundational step in disaster recovery planning. The CISM
Review Manual states that BIA should be performed first to determine critical business functions,
recovery priorities, and the impact of disruptions. Risk assessments and documentation follow after
the BIA.
Reference: ISACA CISM Review Manual, 16th Edition, Page 237-238, "Business Impact Analysis (BIA) in DRP Development".


Question 9

Which of the following is the PRIMARY reason to involve stakeholders from various business units
when developing an information security policy?

  • A. To reduce the overall cost of policy development
  • B. To share responsibility for addressing security breaches
  • C. To decrease the workload of the IT department
  • D. To gain acceptance of the policy across the organization
Answer: D

Explanation:
The main reason to involve stakeholders from various business units is to gain their acceptance and
buy-in for the information security policy. The CISM Review Manual underlines that policies are more
effective and enforceable when stakeholders understand and agree with them, which also aids in
smooth policy implementation across the organization.
Reference: ISACA CISM Review Manual, 16th Edition, Page 45, "Stakeholder Involvement in Policy Development".


Question 10

A department has reported that a security control is no longer effective. Which of the following is the
information security manager's BEST course of action?

  • A. Assess the control state.
  • B. Replace the control.
  • C. Report the failure to management.
  • D. Check for defense in depth.
Answer: A

Explanation:
Upon learning a control is ineffective, the first action should be to assess the state of the control to
verify the issue, determine its root cause, and assess the risk exposure. The CISM Review Manual
emphasizes that assessment comes before taking further steps like replacement or escalation, as it
informs appropriate, risk-based action.
Reference: ISACA CISM Review Manual, 16th Edition, Page 131-132, "Control Assessment and Continuous Improvement".


Question 11

When defining a security baseline, it is MOST important that the baseline:

  • A. can vary depending on the security classification of systems.
  • B. is uniform for all assets of the same type.
  • C. is developed based on stakeholder consensus.
  • D. aligns to key risk indicators (KRIs).
Answer: B

Explanation:
A security baseline is a set of minimum security requirements for a system or asset type. The CISM
Review Manual states that a baseline should be uniform for all assets of the same type to ensure
consistency, enforceability, and ease of monitoring. This standardization supports effective
compliance and security operations. While other factors can influence baseline adjustments,
uniformity for similar asset types is most critical.
Reference: ISACA CISM Review Manual, 16th Edition, Page 207, "Establishing Security Baselines".


Question 12

Which of the following has the GREATEST impact on the ability to successfully execute a disaster
recovery plan (DRP)?

  • A. Conducting tabletop exercises of the plan
  • B. Updating the plan periodically
  • C. Communicating the plan to all stakeholders
  • D. Reviewing escalation procedures
Answer: C

Explanation:
The CISM Review Manual emphasizes that successful execution of a DRP depends greatly on clear communication of the plan to all stakeholders: they must know their roles and responsibilities before a disaster occurs, or the plan cannot be carried out as written. Testing, updating, and reviewing the plan are also important, but communication is the critical factor for execution.
Reference: ISACA CISM Review Manual, 16th Edition, Page 250-251, "Disaster Recovery Planning – Key Success Factors".


Question 13

Which of the following is MOST likely to reduce the effectiveness of a SIEM system?

  • A. Complex user interface
  • B. Misconfiguration of alert thresholds
  • C. Weakly encrypted log files
  • D. Lack of multi-factor authentication (MFA) for system access
Answer: B

Explanation:
The effectiveness of a SIEM depends heavily on properly configured alert thresholds. A threshold set too high lets significant activity go undetected (false negatives); one set too low buries analysts in alerts on normal behaviour (false positives), so real threats are missed in the noise. According to the CISM Review Manual, 16th Edition, Domain 4: Information Security Incident Management, the configuration and tuning of monitoring tools such as SIEMs are crucial for timely and accurate detection of incidents. A complex interface, weak log encryption, or missing MFA on the console are weaknesses of the tool's own security or usability, but they do not stop it from detecting incidents.
Reference: ISACA CISM Review Manual, 16th Edition, Page 304-305, "Security Event Management Tools and Techniques".

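Both failure modes from the explanation on one correlation rule, as an added example that is not from this page or the CISM Review Manual. The rule counts failed logins per source address inside a sliding time window; the log lines and their format are constructed for the example (a real SIEM would receive normalized events from the authentication source), and the three threshold settings show a false negative, a false positive, and a tuned rule.

```python
"""Tuning the alert threshold of a failed-login correlation rule.

Constructed sample auth events (the log format is invented for this
example): a legitimate user mistypes her password three times, then an
attacker runs twelve attempts in about half a minute.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LINES = [
    "2025-12-01T09:00:01 auth fail user=alice src=10.0.0.5",
    "2025-12-01T09:00:09 auth fail user=alice src=10.0.0.5",
    "2025-12-01T09:00:15 auth fail user=alice src=10.0.0.5",
    "2025-12-01T09:00:20 auth ok user=alice src=10.0.0.5",
    "this line is deliberately malformed and must not break the rule",
] + [
    # twelve failures from one source, one every three seconds (constructed)
    f"2025-12-01T09:30:{3 * i:02d} auth fail user=admin src=203.0.113.7"
    for i in range(12)
]

LINE_RE = re.compile(r"^(\S+) auth (fail|ok) user=(\S+) src=(\S+)$")


def parse(lines):
    """Parse lines into (timestamp, outcome, user, src); skip unparseable ones."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def failed_login_alerts(lines, threshold, window_seconds):
    """Fire once per source IP that reaches `threshold` failed logins inside
    any sliding window of `window_seconds`. Returns {src: time_of_alert}."""
    alerts = {}
    recent = defaultdict(deque)          # src -> timestamps of recent failures
    for ts, outcome, _user, src in sorted(parse(lines)):
        if outcome != "fail":
            continue
        window = recent[src]
        window.append(ts)
        # Drop failures that fell out of the window before counting.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    # Too high: the attacker never reaches 50 failures, so nothing fires.
    print("threshold 50/60s:", failed_login_alerts(SAMPLE_LINES, 50, 60))
    # Too low: alice's three typos fire alongside the attacker (false positive).
    print("threshold 3/60s: ", failed_login_alerts(SAMPLE_LINES, 3, 60))
    # Tuned: only the attacker's source crosses the line.
    print("threshold 10/60s:", failed_login_alerts(SAMPLE_LINES, 10, 60))
```

The window is a threshold too: with the same count of 10 but a 20-second window, the attacker's three-second cadence never accumulates ten failures inside one window and the rule is silent again. Tune count and window together against a sample of real traffic, and re-check after any change to the log source.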

Question 14

An organization plans to implement a new e-commerce operation in a highly regulated market.
Which of the following is MOST important to consider when updating the risk management strategy?

  • A. Strategy of industry peers
  • B. Outsourcing needs
  • C. Business culture
  • D. Compliance requirements
Answer: D

Explanation:
When operating in a highly regulated market, compliance requirements become paramount, as
failure to comply can lead to severe legal penalties, financial losses, and reputational harm.
According to the CISM Review Manual, 16th Edition, Domain 2: Information Risk Management, Task
2, understanding and addressing legal, regulatory, and contractual requirements is critical in risk
management, especially in regulated environments. This ensures that the risk management strategy
is aligned with mandatory regulations and industry standards. Other factors (such as outsourcing and
business culture) are important, but compliance is the primary driver in highly regulated markets.
Reference: ISACA CISM Review Manual, 16th Edition, Page 120-122, "Legal, Regulatory and Contractual Requirements".


Question 15

Which type of system is MOST effective for monitoring cyber incidents based on impact and tracking
them until they are closed?

  • A. Endpoint detection and response (EDR)
  • B. Network intrusion detection system (NIDS)
  • C. Extended detection and response (XDR)
  • D. Security information and event management (SIEM)
Answer: D

Explanation:
SIEM systems collect and analyze log data from across the organization, allowing real-time monitoring, incident correlation, and end-to-end tracking of response activities, including severity classification and closure. EDR and XDR help detect threats on their own telemetry, but a SIEM offers the full scope for impact-based tracking.
"SIEM tools enable centralized management, prioritization, and documentation of incidents, making them essential for impact tracking and incident lifecycle management."
Reference: ISACA CISM Review Manual, 15th Edition, Chapter 4, "Incident Management Systems".

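The prioritize-and-track-to-closure function that Questions 4 and 15 attribute to a SIEM or case-management tool, as an added example that is not from this page or the CISM Review Manual. Incidents are ordered by an impact score (impact rating times asset criticality, a weighting constructed for the example), the highest-impact open incident is always served first, and state changes are validated so an incident cannot skip containment or be closed twice. The incident titles are constructed sample data.

```python
"""Impact-based incident queue with lifecycle tracking to closure.

Incidents, impact weights and the state machine are constructed for this
example.
"""
import heapq
import itertools
from dataclasses import dataclass, field

IMPACT_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Allowed state transitions. Anything else is rejected, so an incident
# cannot reach "closed" without containment and eradication unless triage
# found it to be a false positive, and a closed incident stays closed.
TRANSITIONS = {
    "new": {"triaged", "closed"},         # new -> closed: false positive
    "triaged": {"contained", "closed"},
    "contained": {"eradicated"},
    "eradicated": {"closed"},
    "closed": set(),
}


@dataclass
class Incident:
    id: str
    title: str
    impact: str               # business impact rating
    asset_criticality: int    # 1 (low) .. 5 (crown jewel)
    state: str = "new"
    history: list = field(default_factory=list)

    @property
    def priority(self):
        return IMPACT_WEIGHT[self.impact] * self.asset_criticality


class IncidentTracker:
    def __init__(self):
        self._incidents = {}
        self._heap = []                   # (-priority, seq, incident id)
        self._seq = itertools.count()     # arrival order breaks ties

    def open(self, incident):
        if incident.id in self._incidents:
            raise ValueError(f"{incident.id} already exists")
        self._incidents[incident.id] = incident
        incident.history.append(("new", "opened"))
        # heapq is a min-heap, so negate to pop the highest impact first.
        heapq.heappush(self._heap, (-incident.priority, next(self._seq), incident.id))
        return incident

    def can_transition(self, incident_id, new_state):
        return new_state in TRANSITIONS[self._incidents[incident_id].state]

    def transition(self, incident_id, new_state, note=""):
        inc = self._incidents[incident_id]
        if not self.can_transition(incident_id, new_state):
            raise ValueError(f"{incident_id}: {inc.state} -> {new_state} not allowed")
        inc.state = new_state
        inc.history.append((new_state, note))
        return inc

    def next_to_work(self):
        """Highest-impact incident that is not yet closed, or None."""
        while self._heap:
            _, _, iid = self._heap[0]
            if self._incidents[iid].state == "closed":
                heapq.heappop(self._heap)  # lazily drop closed entries
                continue
            return self._incidents[iid]
        return None

    def open_incidents(self):
        return [i for i in self._incidents.values() if i.state != "closed"]


if __name__ == "__main__":
    t = IncidentTracker()
    t.open(Incident("INC-1", "phishing email reported", "low", 2))
    t.open(Incident("INC-2", "ransomware on file server", "critical", 5))
    t.open(Incident("INC-3", "port scan from the internet", "low", 1))
    while (inc := t.next_to_work()) is not None:
        print(f"working {inc.id} (priority {inc.priority}): {inc.title}")
        path = ["triaged", "contained", "eradicated", "closed"]
        if inc.impact == "low":
            path = ["triaged", "closed"]   # triage found nothing to contain
        for state in path:
            t.transition(inc.id, state)
    print("open incidents:", t.open_incidents())
```

The history list on each incident is what an auditor or post-incident review reads: every state change is recorded with its note, and because the tracker refuses invalid transitions, the history can only contain sequences the process allows.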