
Free CISM Practice Questions

10 free, exam-style Certified Information Security Manager (CISM) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CISM practice test to study every exam domain.

Question 1

Which of the following BEST describes the purpose of information security governance?

  A. To implement technical security controls
  B. To align security strategy with business objectives
  C. To manage day-to-day security operations
  D. To conduct security awareness training

Correct answer: B - To align security strategy with business objectives

Governance exists to ensure the security strategy supports what the business is trying to achieve. Controls, operations, and training are how the program gets executed - they are outcomes of governance, not its purpose.

Question 2

What is the PRIMARY benefit of conducting regular risk assessments?

  A. To eliminate all security risks
  B. To ensure compliance with regulations
  C. To enable informed risk-based decisions
  D. To reduce security budgets

Correct answer: C - To enable informed risk-based decisions

Risk assessments give management current information to prioritize and decide. Risk can never be eliminated entirely, compliance is a by-product, and budgets may go up or down depending on what the assessment finds.

Question 3

Which activity should be performed FIRST when developing an information security program?

  A. Implement security controls
  B. Conduct a risk assessment
  C. Establish security policies
  D. Hire security staff

Correct answer: B - Conduct a risk assessment

Before you can write meaningful policies, choose controls, or size the team, you need to know what you are protecting and from what. The risk assessment provides that foundation, so it comes first.

Question 4

During incident response, what is the FIRST priority?

  A. Preservation of evidence
  B. Containment of the incident
  C. Notification of management
  D. Root cause analysis

Correct answer: B - Containment of the incident

Stopping the damage from spreading comes first. Evidence handling and notifications happen alongside or right after containment per the plan, and root cause analysis is a post-incident activity.

Question 5

Which of the following is the MOST important factor for the success of an information security program?

  A. Advanced security technology
  B. Large security budget
  C. Senior management support
  D. Extensive security policies

Correct answer: C - Senior management support

Without visible senior management support, the program loses funding, authority, and organizational cooperation. Technology, budget, and policies all flow from that commitment - CISM consistently rewards this answer pattern.

Question 6

What is the PRIMARY purpose of a risk register?

  A. To document security incidents
  B. To track identified risks and their treatment
  C. To record security policies
  D. To list security controls

Correct answer: B - To track identified risks and their treatment

The risk register is the living inventory of identified risks, their owners, ratings, and treatment decisions. Incidents, policies, and controls are tracked in other artifacts.

Question 7

Which metric would BEST help measure the effectiveness of security awareness training?

  A. Number of training sessions conducted
  B. Percentage of employees who attended
  C. Reduction in security incidents caused by human error
  D. Amount spent on training materials

Correct answer: C - Reduction in security incidents caused by human error

Effectiveness is measured by outcomes, not activity. Sessions held, attendance, and spend prove effort was made; fewer human-error incidents prove behavior actually changed.

Question 8

What is the PRIMARY objective of an incident response plan?

  A. To prevent all security incidents
  B. To minimize business impact of incidents
  C. To identify incident root causes
  D. To comply with regulations

Correct answer: B - To minimize business impact of incidents

Incidents will happen - the plan exists to limit their impact on the business. Prevention is a control objective, root cause analysis is one step in the process, and compliance is secondary.

Question 9

When should risk treatment decisions be reviewed?

  A. Only when incidents occur
  B. Annually during budget planning
  C. When there are significant changes to the risk landscape
  D. Every five years

Correct answer: C - When there are significant changes to the risk landscape

Risk treatment must stay aligned with the current risk landscape, so it is reviewed whenever significant change occurs - new threats, new systems, new business direction - not on an arbitrary calendar.

Question 10

Which of the following is MOST important when implementing a new security control?

  A. It uses the latest technology
  B. It is the least expensive option
  C. It effectively mitigates the identified risk
  D. It is easy to implement

Correct answer: C - It effectively mitigates the identified risk

A control only has value if it reduces the risk it was selected for. Cost, convenience, and technology choices matter, but effectiveness against the identified risk is the deciding factor.

Ready for the real thing?

Practice hundreds more CISM questions with instant scoring, weak-area drills, and full exam simulations.
