ISACA CISM Exam Questions
Certified Information Security Manager (Page 24)

Updated On: 17-Feb-2026

Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?

  1. Continuous analysis, monitoring and feedback
  2. Continuous monitoring of the return on security investment (ROSI)
  3. Continuous risk reduction
  4. Key risk indicator (KRI) setup for security management processes

Answer(s): A

Explanation:

To improve the governance framework and reach a higher level of maturity, an organization needs to conduct continuous analysis, monitoring and feedback measured against its current state of maturity. Return on security investment (ROSI) may show the performance result of security-related activities; however, the result is expressed in monetary terms and spans multiple facets of security initiatives, so it is not an adequate option on its own. Continuous risk reduction would demonstrate the effectiveness of the security governance framework, but it does not by itself indicate a higher level of maturity. Key risk indicator (KRI) setup is a tool used in internal control assessment: a KRI defines a threshold that alerts management when controls are being compromised in business processes. It is therefore a control tool rather than a maturity model support tool.



The MOST complete business case for security solutions is one that:

  1. includes appropriate justification.
  2. explains the current risk profile.
  3. details regulatory requirements.
  4. identifies incidents and losses.

Answer(s): A

Explanation:

Management is primarily interested in security solutions that address risks in the most cost-effective way. To meet the needs of the organization, a business case should justify the proposed security solutions in terms of the organizational strategy; the current risk profile, regulatory requirements and past incidents and losses are inputs to that justification rather than the justification itself.



Which of the following is MOST important to understand when developing a meaningful information security strategy?

  1. Regulatory environment
  2. International security standards
  3. Organizational risks
  4. Organizational goals

Answer(s): D

Explanation:

Alignment of security with business objectives requires an understanding of what an organization is trying to accomplish. The other choices are all elements that must be considered, but their importance is secondary and will vary depending on organizational goals.



Which of the following is the BEST advantage of a centralized information security organizational structure?

  1. It allows for a common level of assurance across the enterprise.
  2. It is easier to manage and control business unit security teams.
  3. It is more responsive to business unit needs.
  4. It provides a faster turnaround for security waiver requests.

Answer(s): B

Explanation:

It is easier to manage and control a centralized structure. The other choices describe advantages of decentralization. Decentralization lets field security personnel act as security missionaries or ambassadors to spread the security awareness message, and decentralized security administrators, being closer to the business, are more responsive to business unit needs and can achieve a faster turnaround on waiver requests than a centralized operation.



Which of the following would help to change an organization's security culture?

  1. Develop procedures to enforce the information security policy
  2. Obtain strong management support
  3. Implement strict technical security controls
  4. Periodically audit compliance with the information security policy

Answer(s): B

Explanation:

Management support and pressure will help to change an organization's culture. Procedures support an information security policy but cannot by themselves change the culture of the organization. Technical controls provide more security for an information system and its users, but that does not mean the culture will change. Auditing helps to ensure compliance with the information security policy; however, auditing is not effective in changing the culture of the company.





