Practice questions

CISM (ISACA): Practice Questions

By The Exam Atlas Editorial Team · Verified 2026-05-31

Ten original concept-check questions on core CISM ideas. Choose an answer to reveal the explanation. Answer as a risk-focused security manager, not a technician.

1. Compared with CISSP, CISM is most focused on:

   A Hands-on technical configuration B Security governance, risk and management C Penetration testing D Network engineering

2. The primary goal of information security governance is to:

   A Buy the latest tools B Align the security strategy with business objectives C Eliminate all risk D Pass audits

3. 'Risk appetite' is best described as:

   A The amount of risk an organisation is willing to accept in pursuit of its objectives B The total risk that exists C The cost of controls D The number of incidents per year

4. When an identified risk exceeds the organisation's risk appetite, the security manager should FIRST:

   A Ignore it B Recommend a risk response and escalate per the risk process C Buy insurance immediately D Shut down the system

5. The primary purpose of a Business Impact Analysis (BIA) is to:

   A List all assets B Identify critical functions and the impact of their disruption C Test backups D Train staff

6. A Key Risk Indicator (KRI) differs from a Key Performance Indicator (KPI) in that a KRI:

   A Measures past performance B Signals rising risk exposure C Tracks budget D Counts staff

7. 'Residual risk' is the risk that remains:

   A Before any controls B After controls have been applied C Only in third parties D After insurance only

8. When establishing a new security programme, the BEST first step is to:

   A Deploy a firewall B Understand business strategy and obtain governance/management support C Hire a SOC team D Write technical standards

9. During a serious incident, the security manager's priority is to:

   A Find who to blame B Contain and recover according to the incident response plan C Notify the press D Rebuild everything immediately

10. Third-party (vendor) risk should be managed by:

    A Trusting vendor marketing B Assessing and contractually addressing the vendor's security before and during the relationship C Ignoring it if they are large D Only after an incident

Sources

• ISACA — CISM ↗