ISACA CISM Exam Questions
Certified Information Security Manager (Page 12)

Updated On: 17-Feb-2026

From an information security manager perspective, what is the immediate benefit of clearly-defined roles and responsibilities?

  A. Enhanced policy compliance
  B. Improved procedure flows
  C. Segregation of duties
  D. Better accountability

Answer(s): D

Explanation:

Without well-defined roles and responsibilities, there cannot be accountability. Choice A is incorrect because policy compliance requires adequately defined accountability first and therefore is a byproduct. Choice B is incorrect because people can be assigned to execute procedures that are not well designed. Choice C is incorrect because segregation of duties is not automatic, and roles may still include conflicting duties.



An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?

  A. Security metrics reports
  B. Risk assessment reports
  C. Business impact analysis (BIA)
  D. Return on security investment report

Answer(s): B

Explanation:

Performing a risk assessment will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management. Metrics reports are normally contained within the methodology of the risk assessment to give it credibility and provide an ongoing tool. The business impact analysis (BIA) covers continuity risks only. Return on security investment cannot be determined until a plan is developed based on the BIA.



Reviewing which of the following would BEST ensure that security controls are effective?

  A. Risk assessment policies
  B. Return on security investment
  C. Security metrics
  D. User access rights

Answer(s): C

Explanation:

Reviewing security metrics provides senior management a snapshot view and trends of an organization's security posture. Choice A is incorrect because reviewing risk assessment policies would not ensure that the controls are actually working. Choice B is incorrect because reviewing returns on security investments provides business justifications in implementing controls, but does not measure effectiveness of the control itself. Choice D is incorrect because reviewing user access rights is a joint responsibility of the data custodian and the data owner, and does not measure control effectiveness.



Which of the following is responsible for legal and regulatory liability?

  A. Chief security officer (CSO)
  B. Chief legal counsel (CLC)
  C. Board and senior management
  D. Information security steering group

Answer(s): C

Explanation:

The board of directors and senior management are ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.



While implementing information security governance, an organization should FIRST:

  A. adopt security standards.
  B. determine security baselines.
  C. define the security strategy.
  D. establish security policies.

Answer(s): C

Explanation:

The first step in implementing information security governance is to define the security strategy, on the basis of which security baselines are determined. Adopting suitable security standards, performing risk assessment and implementing security policy are steps that follow the definition of the security strategy.
