ISACA CISM Exam Questions
Certified Information Security Manager (Page 64 )

Updated On: 21-Feb-2026

After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual application risks?

  1. Information security officer
  2. Chief information officer (CIO)
  3. Business owner
  4. Chief executive officer (CEO)

Answer(s): C

Explanation:

The business owner of the application needs to understand and accept the residual application risks.



The purpose of a corrective control is to:

  1. reduce adverse events.
  2. indicate compromise.
  3. mitigate impact.
  4. ensure compliance.

Answer(s): C

Explanation:

Corrective controls serve to reduce or mitigate impacts, such as providing recovery capabilities. Preventive controls reduce adverse events, such as firewalls. Compromise can be detected by detective controls, such as intrusion detection systems (IDSs). Compliance could be ensured by preventive controls, such as access controls.



Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?

  1. Performing a business impact analysis (BIA)
  2. Considering personal information devices as part of the security policy
  3. Initiating IT security training and familiarization
  4. Basing the information security infrastructure on risk assessment

Answer(s): D

Explanation:

The information security infrastructure should be based on risk. While considering personal information devices as part of the security policy may be a consideration, it is not the most important requirement. A BIA is typically carried out to prioritize business processes as part of a business continuity plan. Initiating IT security training may not be important for the purpose of the information security infrastructure.



Previously accepted risk should be:

  1. re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.
  2. accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable.
  3. avoided next time since risk avoidance provides the best protection to the company.
  4. removed from the risk log once it is accepted.

Answer(s): A

Explanation:

Acceptance of risk should be regularly reviewed to ensure that the rationale for the initial risk acceptance is still valid within the current business context. The rationale for initial risk acceptance may no longer be valid due to changes and, hence, risk cannot be accepted permanently. Risk is an inherent part of business and it is impractical and costly to eliminate all risk. Even risks that have been accepted should be monitored for changing conditions that could alter the original decision.



An information security manager is advised by contacts in law enforcement that there is evidence that his/ her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:

  1. perform a comprehensive assessment of the organization's exposure to the hacker's techniques.
  2. initiate awareness training to counter social engineering.
  3. immediately advise senior management of the elevated risk.
  4. increase monitoring activities to provide early detection of intrusion.

Answer(s): C

Explanation:

Information about possible significant new risks from credible sources should be provided to management along with advice on the steps that need to be taken to counter the threat. The security manager should assess the risk, but senior management should be advised immediately. It may be prudent to initiate an awareness campaign after sounding the alarm if awareness training is not current. Monitoring activities should also be increased.


