ISACA CISM Exam Questions
Certified Information Security Manager (Page 52)

Updated On: 19-Feb-2026

A risk management program would be expected to:

  A. remove all inherent risk.
  B. maintain residual risk at an acceptable level.
  C. implement preventive controls for every threat.
  D. reduce control risk to zero.

Answer(s): B

Explanation:

The objective of risk management is to ensure that all residual risk is maintained at a level acceptable to the business; it is not intended to remove every identified risk or to implement controls for every threat, since this may not be cost-effective. Control risk, i.e., the risk that a control may not be effective, is a component of the program but is unlikely to be reduced to zero.



Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?

  A. Programming
  B. Specification
  C. User testing
  D. Feasibility

Answer(s): D

Explanation:

Risk should be addressed as early as possible in the development cycle. The feasibility study should include a risk assessment so that the cost of controls can be estimated before the project proceeds. Risk should also be considered in the specification phase, where the controls are designed, but this would still be based on the assessment carried out in the feasibility study. Assessment would not be relevant in choice A or C.



Which of the following would help management determine the resources needed to mitigate a risk to the organization?

  A. Risk analysis process
  B. Business impact analysis (BIA)
  C. Risk management balanced scorecard
  D. Risk-based audit program

Answer(s): B

Explanation:

The business impact analysis (BIA) determines the possible outcome of a risk and is essential for determining the appropriate cost of control. The risk analysis process provides comprehensive data, but does not determine the definite resources needed to mitigate the risk as the BIA does. The risk management balanced scorecard is a measuring tool for goal attainment. A risk-based audit program is used to focus the audit process on the areas of greatest importance to the organization.



A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that:

  A. there are sufficient safeguards in place to prevent this risk from happening.
  B. the needed countermeasure is too complicated to deploy.
  C. the cost of the countermeasure outweighs the value of the asset and the potential loss.
  D. the likelihood of the risk occurring is unknown.

Answer(s): C

Explanation:

An organization may decide to live with a specific risk because it would cost more to protect itself than the value of the potential loss. The safeguards need to match the risk level. While countermeasures could be too complicated to deploy, this is not the most compelling reason. It is unlikely that a global financial institution would not be exposed to such attacks, and their frequency could not be predicted.



Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?

  A. Number of controls implemented
  B. Percent of control objectives accomplished
  C. Percent of compliance with the security policy
  D. Reduction in the number of reported security incidents

Answer(s): B

Explanation:

Control objectives are directly related to business objectives; therefore, they would be the best metrics. The number of controls implemented does not have a direct relationship with the results of a security program. Percentage of compliance with the security policy and reduction in the number of reported security incidents are not as broad as choice B.
