Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CISM

ISACA CISM Exam Questions
Certified Information Security Manager (Page 59 )

Updated On: 21-Feb-2026
Page 59 of 345
PDF with 1716 Questions

The PRIMARY reason for initiating a policy exception process is when:

  1. operations are too busy to comply.
  2. the risk is justified by the benefit.
  3. policy compliance would be difficult to enforce.
  4. users may initially be inconvenienced.

Answer(s): B

Explanation:

Exceptions to policy are warranted in circumstances where compliance may be difficult or impossible and the risk of noncompliance is outweighed by the benefits. Being busy is not a justification for policy exceptions, nor is the fact that compliance cannot be enforced. User inconvenience is not a reason to automatically grant exception to a policy.



Which of (lie following would be the MOST relevant factor when defining the information classification policy?

  1. Quantity of information
  2. Available IT infrastructure
  3. Benchmarking
  4. Requirements of data owners

Answer(s): D

Explanation:

When defining the information classification policy, the requirements of the data owners need to be identified. The quantity of information, availability of IT infrastructure and benchmarking may be part of the scheme after the fact and would be less relevant.



To determine the selection of controls required to meet business objectives, an information security manager should:

  1. prioritize the use of role-based access controls.
  2. focus on key controls.
  3. restrict controls to only critical applications.
  4. focus on automated controls.

Answer(s): B

Explanation:

Key controls primarily reduce risk and are most effective for the protection of information assets. The other choices could be examples of possible key controls.



The MOST appropriate owner of customer data stored in a central database, used only by an organization's sales department, would be the:

  1. sales department.
  2. database administrator.
  3. chief information officer (CIO).
  4. head of the sales department.

Answer(s): D

Explanation:

The owner of the information asset should be the person with the decision-making power in the department deriving the most benefit from the asset. In this case, it would be the head of the sales department. The organizational unit cannot be the owner of the asset because that removes personal responsibility. The database administrator is a custodian. The chief information officer (CIO) would not be an owner of this database because the CIO is less likely to be knowledgeable about the specific needs of sales operations and security concerns.



In assessing the degree to which an organization may be affected by new privacy legislation, information security management should FIRST:

  1. develop an operational plan for achieving compliance with the legislation.
  2. identify systems and processes that contain privacy components.
  3. restrict the collection of personal information until compliant.
  4. identify privacy legislation in other countries that may contain similar requirements.

Answer(s): B

Explanation:

Identifying the relevant systems and processes is the best first step. Developing an operational plan for achieving compliance with the legislation is incorrect because it is not the first step. Restricting the collection of personal information comes later. Identifying privacy legislation in other countries would not add much value.






Post your Comments and Discuss ISACA CISM exam dumps with other Community members:

Join the CISM Discussion