Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CISM

ISACA CISM Exam Questions
Certified Information Security Manager (Page 27 )

Updated On: 17-Feb-2026
Page 27 of 345
PDF with 1716 Questions

Effective IT governance is BEST ensured by:

  1. utilizing a bottom-up approach.
  2. management by the IT department.
  3. referring the matter to the organization's legal department.
  4. utilizing a top-down approach.

Answer(s): D

Explanation:

Effective IT governance needs to be a top-down initiative, with the board and executive management setting clear policies, goals and objectives and providing for ongoing monitoring of the same. Focus on the regulatory issues and management priorities may not be reflected effectively by a bottom-up approach. IT governance affects the entire organization and is not a matter concerning only the management of IT. The legal department is part of the overall governance process, but cannot take full responsibility.



The FIRST step to create an internal culture that focuses on information security is to:

  1. implement stronger controls.
  2. conduct periodic awareness training.
  3. actively monitor operations.
  4. gain the endorsement of executive management.

Answer(s): D

Explanation:

Endorsement of executive management in the form of policies provides direction and awareness. The implementation of stronger controls may lead to circumvention. Awareness training is important, but must be based on policies. Actively monitoring operations will not affect culture at all levels.



Which of the following is the BEST method or technique to ensure the effective implementation of aninformation security program?

  1. Obtain the support of the board of directors.
  2. Improve the content of the information security awareness program.
  3. Improve the employees' knowledge of security policies.
  4. Implement logical access controls to the information systems.

Answer(s): A

Explanation:

It is extremely difficult to implement an information security program without the aid and support of the board of directors. If they do not understand the importance of security to the achievement of the business objectives, other measures will not be sufficient. Options B and (' are measures proposed to ensure the efficiency of the information security program implementation, but are of less significance than obtaining the aid and support of the board of directors. Option D is a measure to secure the enterprise information, but by itself is not a measure to ensure the broader effectiveness of an information security program.



When an organization is implementing an information security governance program, its board of directors should be responsible for:

  1. drafting information security policies.
  2. reviewing training and awareness programs.
  3. setting the strategic direction of the program.
  4. auditing for compliance.

Answer(s): C

Explanation:

A board of directors should establish the strategic direction of the program to ensure that it is in sync with the company's vision and business goals. The board must incorporate the governance program into the overall corporate business strategy. Drafting information security policies is best fulfilled by someone such as a security manager with the expertise to bring balance, scope and focus to the policies. Reviewing training and awareness programs may best be handled by security management and training staff to ensure that the training is on point and follows best practices. Auditing for compliance is best left to the internal and external auditors to provide an objective review of the program and how it meets regulatory and statutory compliance.



A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?

  1. Acceptance of the business manager's decision on the risk to the corporation
  2. Acceptance of the information security manager's decision on the risk to the corporation
  3. Review of the assessment with executive management for final input
  4. A new risk assessment and BIA are needed to resolve the disagreement

Answer(s): C

Explanation:

Executive management must be supportive of the process and fully understand and agree with the results since risk management decisions can often have a large financial impact and require major changes. Risk management means different things to different people, depending upon their role in the organization, so the input of executive management is important to the process.






Post your Comments and Discuss ISACA CISM exam dumps with other Community members:

Join the CISM Discussion