ISACA CISM Exam Questions
Certified Information Security Manager (Page 4)

Updated On: 17-Feb-2026

Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?

  A. Information security manager
  B. Chief operating officer (COO)
  C. Internal auditor
  D. Legal counsel

Answer(s): B

Explanation:

The chief operating officer (COO) is highly placed within the organization and has the most knowledge of business operations and objectives. The chief internal auditor and chief legal counsel are appropriate members of such a steering group, but sponsoring its creation should be initiated by someone versed in the strategy and direction of the business. Because the information security manager looks to this group for direction, he or she is not in the best position to oversee its formation.



The MOST important component of a privacy policy is:

  A. notifications.
  B. warranties.
  C. liabilities.
  D. geographic coverage.

Answer(s): A

Explanation:

Privacy policies must contain notifications and opt-out provisions. As a high-level management statement of direction, a privacy policy does not necessarily address warranties, liabilities or geographic coverage, which are more specific matters.



The cost of implementing a security control should not exceed the:

  A. annualized loss expectancy.
  B. cost of an incident.
  C. asset value.
  D. implementation opportunity costs.

Answer(s): C

Explanation:

The cost of implementing a security control should not exceed the worth of the asset it protects. Annualized loss expectancy (ALE) represents the losses that are expected to occur during a single year. A security mechanism may cost more than this amount (or more than the cost of a single incident) and still be considered cost effective, because its benefit accrues over every year of its useful life. Opportunity costs relate to revenue lost by forgoing the acquisition of an item or the making of a business decision.
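The quantitative reasoning behind this answer, as an added example that is not part of the original page: the standard definition ALE = SLE x ARO (single loss expectancy times annualized rate of occurrence) is applied to a control whose one-off cost exceeds one year's ALE but is well below the asset value, and the control is judged over its useful life. All monetary figures and rates are constructed sample values, and the two decision rules in `evaluate_control` are assumptions that mirror the explanation above, not a formula from ISACA.

```python
"""Cost/benefit check for a security control (added example, not from the page).

ALE = SLE x ARO. The control is justified when its cost does not exceed the
asset value and the cumulative ALE reduction over its useful life exceeds its
cost, even if a single year's ALE is below the cost. Sample values are constructed.
"""


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: expected loss per year from one threat."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def evaluate_control(asset_value: float, sle: float, aro_before: float,
                     aro_after: float, control_cost: float,
                     useful_life_years: int) -> dict:
    """Return the figures a manager would compare when deciding on a control.

    Assumed rules (see lead-in):
      1. control_cost must not exceed asset_value (the ceiling in the answer).
      2. Over useful_life_years, the ALE reduction must exceed control_cost.
    """
    if useful_life_years < 1:
        raise ValueError("useful_life_years must be at least 1")
    ale_before = ale(sle, aro_before)
    ale_after = ale(sle, aro_after)
    annual_benefit = ale_before - ale_after
    lifetime_benefit = annual_benefit * useful_life_years
    within_asset_value = control_cost <= asset_value
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_benefit": annual_benefit,
        "lifetime_benefit": lifetime_benefit,
        "within_asset_value": within_asset_value,
        # True illustrates the explanation's point: cost above one year's ALE
        # does not by itself make the control uneconomic.
        "exceeds_single_year_ale": control_cost > ale_before,
        "cost_justified": within_asset_value and lifetime_benefit > control_cost,
    }


def sample_evaluation() -> dict:
    """Constructed scenario: a 500k asset, 100k loss per incident, one incident
    every two years before the control, one every ten years after; the control
    costs 120k (more than one year's ALE of 50k) and lasts five years."""
    return evaluate_control(asset_value=500_000, sle=100_000, aro_before=0.5,
                            aro_after=0.1, control_cost=120_000,
                            useful_life_years=5)


def over_asset_value_evaluation() -> dict:
    """Same threat, but a control priced above the asset value: never justified."""
    return evaluate_control(asset_value=500_000, sle=100_000, aro_before=0.5,
                            aro_after=0.1, control_cost=600_000,
                            useful_life_years=5)


if __name__ == "__main__":
    for name, result in (("sample", sample_evaluation()),
                         ("over asset value", over_asset_value_evaluation())):
        print(name, result)
```

In the sample scenario the control costs more than a single year's ALE (120k versus 50k) yet yields 200k of avoided loss over five years, so it is cost effective; the second scenario shows the asset-value ceiling overriding any lifetime benefit.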



When a security standard conflicts with a business objective, the situation should be resolved by:

  A. changing the security standard.
  B. changing the business objective.
  C. performing a risk analysis.
  D. authorizing a risk acceptance.

Answer(s): C

Explanation:

Conflicts of this type should be resolved on the basis of a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, and risk acceptance is a decision that derives from the risk analysis rather than a substitute for it.



Minimum standards for securing the technical infrastructure should be defined in a security:

  A. strategy.
  B. guidelines.
  C. model.
  D. architecture.

Answer(s): D

Explanation:

Minimum standards for securing the technical infrastructure should be defined in a security architecture document, which defines how components are secured and the security services that should be in place. A strategy is a broad, high-level document. A guideline is advisory in nature, while a security model shows the relationships between components.


