70+ Free CISM Practice Test Questions to Test your Knowledge

This term combines ‘hacker’ and ‘activist’ and accurately describes individuals or groups who use cyber attacks to protest or advance ideological causes.

The IT BSC translates the IT strategy into a comprehensive set of performance measures across multiple perspectives, linking IT activities to business goals.

This is the classic definition of the Waterfall model, where development flows downward through distinct, non-overlapping phases like a waterfall.

The CA acts as a trusted third party that verifies an entity’s identity and then issues a digital certificate, vouching for the ownership of a public key.

Configuration management is the process for maintaining a consistent state of IT components, and a CMDB serves as the central repository for this configuration data.

Information security governance ensures that security efforts support the strategic objectives set by corporate governance, managing risk and enabling business value.

The data steward is responsible for the day-to-day implementation of data governance policies as delegated by the data owner.

This contractual clause provides the legal basis for an organization or its representatives to assess a vendor’s security posture and ensure they are meeting their obligations.

Only the receiver, who holds the corresponding private key, can decrypt a message encrypted with their public key. This ensures confidentiality.

Phishing is a form of social engineering where attackers use deceptive emails or messages to trick victims into revealing sensitive information.

A KRI is a forward-looking metric designed to be a leading indicator of increasing risk exposure, providing an early warning.

CGEIT is about the high-level governance frameworks that align IT with business goals, whereas CRISC is specifically centered on identifying, assessing, and mitigating IT risks.

The board is primarily concerned with strategic goals, so demonstrating how security initiatives support and protect these objectives is the most effective way to communicate value.

This phase is crucial for organizational learning, identifying what went well and what could be improved in people, processes, and technology to strengthen future responses.

IaaS provides the basic building blocks of IT infrastructure (servers, storage, networking), giving the customer full control over the operating system, applications, and data.

The CMM describes a series of levels through which an organization’s processes can evolve from ad hoc (Level 1) to continuously optimized (Level 5), embodying the principle of ongoing improvement.

The source material notes that some countries where outsourcing is popular may lack nationwide criminal background checks, making employee vetting more challenging.

This model describes a team of subject matter experts from different departments who are assembled ‘virtually’ to respond to an incident as a secondary duty.

BCP is a holistic business-focused plan that ensures the continuity of essential operations, which includes but is not limited to IT.

By creating isolated zones, segmentation limits an attacker’s lateral movement, so a compromise in one segment does not immediately threaten others.

The sources repeatedly mention that AI risk, digital trust, and machine learning adoption are key areas of focus in the updated certification objectives.

The Annualized Rate of Occurrence (ARO) is 0.5 (once every two years). The ALE is calculated as SLE ($50,000) multiplied by ARO (0.5).

The ‘Accountable’ role is the single individual who has the final say and ownership of the task’s success; the buck stops with them.

This follows the standard NIST SP 800-61 model, where proactive preparation enables the subsequent reactive phases of the response.

This is a control put in place to mitigate the risk associated with an exception to a primary control requirement (encryption), which aligns with the definition of a compensating control.

This is the formal definition of the principle of least privilege, a foundational concept in access control.

A gap analysis is a formal process of comparing the actual performance or state with the desired state, typically defined by a framework or policy, to identify deficiencies.

The BCP is the overall strategic plan for maintaining business operations, and the DRP provides the detailed technical procedures for recovering IT infrastructure and systems to support that plan.

The benefit of Option A is $70,000 ($100k – $30k). The net benefit is $70,000 – $20,000 = $50,000. The benefit of Option B is $60,000 ($100k – $40k), and its net benefit is $60,000 – $15,000 = $45,000. Option A’s net benefit is higher.

A SIEM’s core function is to provide a centralized view of security event data, enabling real-time analysis and alerting on suspicious activities that might be missed by looking at individual logs.

A DDoS attack uses many distributed sources (a botnet) to overwhelm a target with traffic, making it unavailable to legitimate users.

RPO defines the maximum acceptable amount of data loss, measured in time. An RPO of one hour means backups or replication must occur at least hourly.

The CAB is a cross-functional group that evaluates proposed changes from multiple perspectives (technical, business, security) to ensure they are managed in a controlled manner.

Tier 3 signifies that risk management practices are formalized in policy and applied consistently across the organization.

This is a classic example of SoD, where a critical process (code deployment) is divided among two or more individuals to prevent fraud or error by a single person.

Vulnerability management is the cyclical process of identifying, classifying, prioritizing, remediating, and mitigating vulnerabilities. A missing patch is a direct failure of this process.

This is the correct term for the risk that is left over after all risk treatment measures have been applied.

This term describes the process of an attacker moving ‘sideways’ from one compromised host to another within a network to expand their access.

STIX is a standardized, structured language designed to represent and share cyber threat information in a consistent and machine-readable format.

Reviewing logs and alerts is an activity that identifies security events that have already occurred, which is the function of a detective control.

DevSecOps is a cultural and technical shift that embeds security as a shared responsibility throughout the entire DevOps pipeline, rather than treating it as a final gate.

When an employee is away, another person must perform their duties, which can uncover irregularities or fraudulent schemes that require the original employee’s constant presence to maintain.

Alignment ensures that security is not a roadblock but an enabler, by embedding security controls into existing business processes like employee onboarding (HR) and vendor selection (Procurement).

RTO is the target time within which a business process must be restored after a disaster or disruption to avoid unacceptable consequences associated with a break in business continuity.

This test involves shutting down the primary site and completely failing over to the recovery site, which is highly disruptive but fully validates the recovery capability.

Purchasing insurance is a classic example of risk transference, where the financial impact of a risk is shifted to a third party (the insurer).

The charter is a foundational governance document that formally authorizes the security program, outlines its scope, objectives, and roles, and is typically approved by senior leadership.

The core function of encryption is to transform plaintext into ciphertext, ensuring that only those with the correct key can read the information.

This is the definition of job rotation, a control used to prevent fraud and provide cross-training.

This describes a fully equipped and synchronized site ready for immediate failover, supporting the lowest RTOs.

Hashing creates a fixed-size, unique value for a piece of data. If the data is altered in any way, the hash value will change, thus verifying its integrity.

Containment strategies, like network segmentation, are aimed at limiting the scope and magnitude of an incident and preventing it from spreading further.

Integrity ensures that data is accurate and has not been subject to unauthorized modification.

CISM stands for Certified Information Security Manager, and its domains cover governance, program development, program management, and incident management.

COBIT’s core principle is to help organizations govern and manage enterprise IT to create optimal value from information and technology by balancing risk, resources, and benefits.

A source code escrow agreement with a neutral third party ensures that the source code will be released to the customer under specific conditions, such as the vendor’s bankruptcy.

RAM is highly volatile, and its contents are lost when the system is powered down. Therefore, collecting a memory dump is the highest priority.

The core risk of shadow IT is that employees use unapproved technology, bypassing established security controls, policies, and risk assessments.

A procedure, or Standard Operating Procedure (SOP), provides detailed, mandatory steps to perform a specific, recurring task consistently.

The ultimate objective of awareness is not just to impart knowledge, but to positively change how employees act and think about security in their daily work.

A black-box test simulates an external attacker with no inside information, making it a realistic test of external defenses.

This principle dictates that organizations should only retain personal data for as long as it is necessary to fulfill the purpose for which it was collected.

A KPI measures performance against a defined objective. Tracking patch time against an established target (e.g., ‘patch criticals within 14 days’) is a direct measure of performance.

DLP systems are specifically designed to classify sensitive data and enforce policies to prevent it from being moved outside of authorized boundaries, such as via email or USB drives.

CISA stands for Certified Information Systems Auditor, and the role of the auditor is to provide independent assurance on the effectiveness of controls.

CapEx is used for acquiring or upgrading significant physical assets, like hardware and perpetual software licenses, that will be used over an extended period.

An audit is a formal, independent review against a specific standard or set of criteria, resulting in a formal opinion or report intended to provide assurance to a third party.

Attestation is the formal process where a responsible party (like a manager) reviews and certifies the correctness of something, in this case, user access rights.

RAID-1 creates an exact copy, or mirror, of a set of data on two or more disks, providing redundancy.

This is the core mindset of threat hunting: assuming attackers are already inside and searching for evidence of their presence, rather than just waiting for an alert.

This category specifically covers the risk of sanctions, fines, or legal penalties resulting from the failure to adhere to laws, regulations, and standards like HIPAA.