ISACA CISM Exam Questions
Certified Information Security Manager (Page 56)

Updated On: 21-Feb-2026

Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company's policies. An information security manager should:

  A. conduct a risk assessment and allow or disallow based on the outcome.
  B. recommend a risk assessment and implementation only if the residual risks are accepted.
  C. recommend against implementation because it violates the company's policies.
  D. recommend revision of current policy.

Answer(s): B

Explanation:

Whenever a proposed solution cannot comply with the company's policies, a risk assessment should be conducted to identify and clarify the risks it introduces. The information security manager's role is to recommend, not to decide: management determines the level of risk it is willing to take, and it is management that either accepts the residual risk or directs that it be mitigated. Refusing the solution outright ignores the business need, and revising current policy should not be triggered by a single request.



After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:

  A. increase its customer awareness efforts in those regions.
  B. implement monitoring techniques to detect and react to potential fraud.
  C. outsource credit card processing to a third party.
  D. make the customer liable for losses if they fail to follow the bank's advice.

Answer(s): B

Explanation:

Customer awareness helps mitigate the risk but is insufficient on its own to control fraud. Implementing monitoring techniques that detect and respond to potential fraud cases is the most effective way to deal with this risk. Outsourcing card processing transfers the activity, not the liability; the bank remains responsible for losses. Making the customer liable for losses is a possible approach, but the bank still needs to be seen to be managing its risks proactively.



The criticality and sensitivity of information assets is determined on the basis of:

  A. threat assessment.
  B. vulnerability assessment.
  C. resource dependency assessment.
  D. impact assessment.

Answer(s): D

Explanation:

The criticality and sensitivity of information assets depend on the impact to the business if a threat exploits a vulnerability in the asset, which takes into consideration the value of the asset and the degree to which that value would be impaired. Threat assessment lists only the threats the information asset is exposed to; it does not consider the value of the asset or the impact of a threat on that value. Vulnerability assessment lists only the vulnerabilities inherent in the information asset that could be exploited; it likewise does not consider the value of the asset or the impact of the perceived threats on that value. Resource dependency assessment identifies what processes need, but not the impact of losing it.



Which program element should be implemented FIRST in asset classification and control?

  A. Risk assessment
  B. Classification
  C. Valuation
  D. Risk mitigation

Answer(s): C

Explanation:

Valuation is performed first, to identify the assets needing protection and to understand what they are worth to the organization. Risk assessment is then performed to identify and quantify the threats to the information assets selected in that first step. Classification and risk mitigation are steps that follow valuation.



When performing a risk assessment, the MOST important consideration is that:

  A. management supports risk mitigation efforts.
  B. annual loss expectations (ALEs) have been calculated for critical assets.
  C. assets have been identified and appropriately valued.
  D. attack motives, means and opportunities be understood.

Answer(s): C

Explanation:

Identification and valuation of assets provides the basis for risk management efforts, since it establishes the criticality and sensitivity of the assets and therefore how much protection effort is proportionate. Management support is always important, but it does not determine whether risk management efforts are proportionate to the assets at risk. ALE calculations are only valid once assets have first been identified and appropriately valued. Attack motives, means and opportunities should already be factored in as part of the risk assessment itself.





