ISACA CISM Exam Questions
Certified Information Security Manager (Page 28)

Updated On: 17-Feb-2026

Who is responsible for ensuring that information is categorized and that specific protective measures are taken?

  1. The security officer
  2. Senior management
  3. The end user
  4. The custodian

Answer(s): B

Explanation:

Routine administration of all aspects of security is delegated, but top management must retain overall responsibility. The security officer supports and implements information security for senior management. The end user does not perform categorization. The custodian supports and implements information security measures as directed.



An organization's board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?

  1. Direct information security on what they need to do
  2. Research solutions to determine the proper solutions
  3. Require management to report on compliance
  4. Nothing; information security does not report to the board

Answer(s): C

Explanation:

Information security governance is the responsibility of the board of directors and executive management. In this instance, the appropriate action is to ensure that a plan is in place for implementation of needed safeguards and to require updates on that implementation.



Information security should be:

  1. focused on eliminating all risks.
  2. a balance between technical and business requirements.
  3. driven by regulatory requirements.
  4. defined by the board of directors.

Answer(s): B

Explanation:

Information security should ensure that business objectives are met given available technical capabilities, resource constraints and compliance requirements. It is not practical or feasible to eliminate all risks.
Regulatory requirements must be considered, but are inputs to the business considerations. The board of directors does not define information security, but provides direction in support of the business goals and objectives.



What is the MOST important factor in the successful implementation of an enterprise-wide information security program?

  1. Realistic budget estimates
  2. Security awareness
  3. Support of senior management
  4. Recalculation of the work factor

Answer(s): C

Explanation:

Without the support of senior management, an information security program has little chance of survival. A company's leadership group is better placed than any other group to drive the program successfully; its authoritative position in the company is a key factor. Budget approval, resource commitments, and companywide participation also require buy-in from senior management, which is responsible for providing an adequate budget and the necessary resources. Security awareness is important, but it is not the most important factor. Recalculation of the work factor is part of risk management.



What is the MAIN risk when there is no user management representation on the Information Security Steering Committee?

  1. Functional requirements are not adequately considered.
  2. User training programs may be inadequate.
  3. Budgets allocated to business units are not appropriate.
  4. Information security plans are not aligned with business requirements.

Answer(s): D

Explanation:

The steering committee controls the execution of the information security strategy, according to the needs of the organization, and decides on the project prioritization and the execution plan. User management is an important group that should be represented to ensure that the information security plans are aligned with the business needs. Functional requirements and user training programs are considered to be part of the projects but are not the main risks. The steering committee does not approve budgets for business units.


