ISACA CISM Exam Questions
Certified Information Security Manager (Page 15 )

Updated On: 17-Feb-2026

A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?

  A. Examples of genuine incidents at similar organizations
  B. Statement of generally accepted best practices
  C. Associating realistic threats to corporate objectives
  D. Analysis of current technological exposures

Answer(s): C

Explanation:

Linking realistic threats to key business objectives will direct executive attention to them. All other options are supportive but not of as great a value as choice C when trying to obtain the funds for a new program.



The PRIMARY concern of an information security manager documenting a formal data retention policy would be:

  A. generally accepted industry best practices.
  B. business requirements.
  C. legislative and regulatory requirements.
  D. storage availability.

Answer(s): B

Explanation:

The primary concern will be to comply with legislation and regulation, but only if this is a genuine business requirement. Best practices may be a useful guide but are not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant, since whatever is needed must be provided.



When personal information is transmitted across networks, there MUST be adequate controls over:

  A. change management.
  B. privacy protection.
  C. consent to data transfer.
  D. encryption devices.

Answer(s): B

Explanation:

Privacy protection is necessary to ensure that the receiving party has the appropriate level of protection of personal data. Change management primarily protects only the information, not the privacy of the individuals. Consent is one of the protections that is frequently, but not always, required. Encryption is a method of achieving the actual control, but controls over the devices may not ensure adequate privacy protection; it is therefore only a partial answer.



An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:

  A. ensure that security processes are consistent across the organization.
  B. enforce baseline security levels across the organization.
  C. ensure that security processes are fully documented.
  D. implement monitoring of key performance indicators for security processes.

Answer(s): A

Explanation:

The organization first needs to move from ad hoc to repeatable processes. It then needs to document the processes and implement process monitoring and measurement. Baselining security levels will not necessarily assist in process improvement, since baselining focuses primarily on control improvement. The organization needs to standardize processes both before documentation and before monitoring and measurement.



Who in an organization has the responsibility for classifying information?

  A. Data custodian
  B. Database administrator
  C. Information security officer
  D. Data owner

Answer(s): D

Explanation:

The data owner has full responsibility over data. The data custodian is responsible for securing the information. The database administrator carries out the technical administration. The information security officer oversees the overall classification management of the information.

