
ISACA CISM Practice Exam

Validates information security management — governance, risk management, program development/management, and incident management.

Practice 300 exam-style ISACA CISM questions with full answer explanations, then take timed mock exams that score like the real thing.

• 300 practice questions
• 100 questions on the real exam
• 700 passing score
• 240 min exam length


Free ISACA CISM sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 300.

  1. Question 1 (Information Security Governance)

    What is the primary purpose of an information security governance program?

    • A. To align the security strategy with business objectives and ensure executive accountability/oversight (Correct)
    • B. To avoid documenting policies
    • C. To let IT operate without management input
    • D. To buy the most security tools possible
    ✓ Correct answer: A

    Information security governance is a subset of enterprise governance that provides strategic direction, ensures objectives are achieved, manages risk appropriately, and verifies that organizational resources are used responsibly. Its primary purpose is to align the security program with the overall mission and objectives of the business so that security investments protect what matters most and enable—rather than impede—business operations. Governance structures such as policies, oversight committees, and defined accountabilities give leadership the mechanisms to steer and verify the security program. Without this alignment, security operates as a technical silo disconnected from business priorities.

    Why the other options are wrong
    • B. "To avoid documenting policies" is incorrect because governance relies fundamentally on documented policies and standards to communicate management intent and create enforceable expectations across the organization.
    • C. "To let IT operate without management input" is incorrect because removing management oversight is the opposite of governance; governance requires executive engagement and accountability to ensure resources are directed toward organizational objectives.
    • D. "To buy the most security tools possible" is incorrect because purchasing tools is a tactical activity, not governance; governance addresses strategic direction, risk appetite, roles, and accountability rather than technology procurement.
  2. Question 2 (Information Security Risk Management)

    Which document records identified risks, owners, and treatment status?

    • A. A press release
    • B. A DNS record
    • C. A risk register (Correct)
    • D. A brochure
    ✓ Correct answer: C

    A risk register is the organization's central repository for managing identified risks throughout their lifecycle. For each risk it captures the description, affected assets, threat source, vulnerability exploited, likelihood, impact, risk rating, assigned risk owner, chosen treatment strategy, implemented controls, residual risk level, and current status. The register enables ongoing monitoring by risk owners, provides input for management reporting, and creates a documented audit trail showing that identified risks were assessed and treated in accordance with governance obligations. Regulators and auditors often review the risk register as evidence of a functioning risk management program.

    Why the other options are wrong
    • A. "A press release" is incorrect because a press release is a public communications document used to announce news to external audiences; it is not designed to record, track, or manage internal risk information.
    • B. "A DNS record" is incorrect because DNS records are technical network configuration entries mapping domain names to IP addresses; they serve no risk management function and contain none of the risk assessment or treatment information found in a risk register.
    • D. "A brochure" is incorrect because a brochure is a marketing document for external or internal communication purposes; it does not provide the structured tracking of risk ownership, treatment status, and residual exposure needed for risk governance.
  3. Question 3 (Information Security Program)

    Which approach BEST optimizes the cost of a security program without weakening protection?

    • A. Eliminate all controls to save money
    • B. Buy the most expensive product in every category
    • C. Prioritize control investments based on risk so spending targets the highest-impact exposures (Correct)
    • D. Spend an equal amount on every asset regardless of value
    ✓ Correct answer: C

    Cost optimization in security does not mean spending less—it means ensuring each dollar of security investment delivers maximum risk reduction relative to its cost. Risk-based prioritization concentrates resources on controls that address the most probable and impactful threats to the most critical assets, while deferring or accepting investment in low-risk areas. This requires maintaining a current risk register, assessing control effectiveness, and periodically reviewing whether investment allocation matches the risk profile. Organizations that spend uniformly across all assets regardless of value, or that eliminate controls to save money, either waste resources or create unacceptable exposures.

    Why the other options are wrong
    • A. "Eliminate all controls to save money" is incorrect because removing controls increases residual risk; cost savings achieved by eliminating protection expose the organization to financial losses from incidents that dwarf the cost of the controls removed.
    • B. "Buy the most expensive product in every category" is incorrect because the most expensive solution is not necessarily the most effective at reducing a specific organization's risk; cost-effectiveness requires comparing risk reduction against cost, not defaulting to premium pricing.
    • D. "Spend an equal amount on every asset regardless of value" is incorrect because uniform spending fails to apply greater protection where the business impact of compromise is highest; this misallocates budget to low-value assets while potentially under-protecting critical systems and data.
  4. Question 4 (Information Security Program)

    On a Linux host, which command hardens SSH by disabling direct root login in the daemon configuration?

    • A. Run 'chmod 777 /etc/ssh/sshd_config'
    • B. Set 'PermitRootLogin no' in /etc/ssh/sshd_config and reload sshd (Correct)
    • C. Run 'passwd -l root' to lock the account password only
    • D. Add 'AllowRoot yes' to /etc/ssh/ssh_config
    ✓ Correct answer: B

    Direct root login via SSH is a significant security risk because it allows attackers who obtain root credentials to immediately achieve full system compromise without requiring privilege escalation. The SSH daemon configuration file /etc/ssh/sshd_config controls all daemon behaviors, and the PermitRootLogin directive specifically controls whether direct root authentication is permitted. Setting it to 'no' forces administrators to authenticate as a regular user and then use sudo or su to elevate privileges—creating an additional authentication layer, improving audit trail quality (since actions are attributed to named users rather than root), and limiting the attack surface for remote brute-force attacks targeting root. A service reload (systemctl reload sshd) applies the change without dropping active sessions.

    Why the other options are wrong
    • A. "Run 'chmod 777 /etc/ssh/sshd_config'" is incorrect because granting world-writable permissions to the SSH daemon configuration file is a critical security vulnerability that allows any local user to modify daemon behavior, potentially re-enabling root login or weakening authentication requirements.
    • C. "Run 'passwd -l root' to lock the account password only" is incorrect because locking the root account password prevents password-based local login but does not prevent SSH key-based root login if PermitRootLogin is still enabled in sshd_config; only the sshd_config directive controls SSH daemon behavior.
    • D. "Add 'AllowRoot yes' to /etc/ssh/ssh_config" is incorrect because /etc/ssh/ssh_config is the client-side SSH configuration file affecting outgoing connections, not the server-side daemon configuration; additionally, 'AllowRoot yes' is not a valid sshd_config directive and would not restrict root login.
  5. Question 5 (Information Security Program)

    When designing a defense-in-depth architecture, what is the PRIMARY design rationale for layering controls?

    • A. To ensure every layer uses the same vendor for simplicity
    • B. No single control failure should fully compromise the asset, so overlapping layers reduce the chance any one gap is exploited (Correct)
    • C. To reduce total cost by buying one large appliance
    • D. To eliminate the need for monitoring
    ✓ Correct answer: B

    Defense-in-depth is the architectural principle that multiple independent security controls should protect each critical asset, so that an attacker must defeat multiple barriers rather than a single one. Each layer addresses different attack vectors or stages: perimeter firewalls limit network exposure, web application firewalls filter application-layer attacks, endpoint detection and response catches post-exploitation activity, and identity controls prevent privilege escalation. When one layer fails—as any single control eventually can—the next layer provides residual protection. This principle derives from the observation that no individual control is perfect, making redundant, overlapping controls necessary for resilient security architecture.

    Why the other options are wrong
    • A. "To ensure every layer uses the same vendor for simplicity" is incorrect because single-vendor architectures create correlated failure risk: a single vulnerability in that vendor's product line or a shared configuration weakness can simultaneously defeat all layers; diverse controls reduce this correlation.
    • C. "To reduce total cost by buying one large appliance" is incorrect because consolidating all protection into a single appliance creates a single point of failure that violates the defense-in-depth principle; the architectural rationale for layering is resilience against failure, not cost reduction.
    • D. "To eliminate the need for monitoring" is incorrect because monitoring is a separate and complementary security layer (the detective control layer) that is essential to defense-in-depth; adding preventive and protective layers does not eliminate the need for visibility into whether controls are effective.
  6. Question 6 (Information Security Governance)

    A newly hired security manager finds policies that conflict with a recently passed regulation. What should be done FIRST?

    • A. Ignore the regulation until an audit occurs
    • B. Delete the conflicting policies without replacement
    • C. Immediately rewrite all policies overnight
    • D. Perform a gap analysis comparing existing policies against the new regulatory requirements (Correct)
    ✓ Correct answer: D

    A gap analysis is the correct first step because it provides a structured, evidence-based comparison between what the organization currently has and what the new regulation requires. Without this analysis, any policy rewrites would be speculative and may leave compliance gaps unaddressed or create unnecessary work. The gap analysis produces a prioritized list of required changes that can be presented to management, enabling informed decisions about remediation sequencing and resource allocation.

    Why the other options are wrong
    • A. "Ignore the regulation until an audit occurs" is incorrect because waiting for an audit creates legal and regulatory exposure; non-compliance penalties can accrue from the regulation's effective date, not from audit discovery.
    • B. "Delete the conflicting policies without replacement" is incorrect because removing policies without substitutes creates uncontrolled operational gaps, eliminates existing controls, and still does not achieve compliance with the new regulation.
    • C. "Immediately rewrite all policies overnight" is incorrect because rewriting policies without first conducting a gap analysis wastes effort on areas that may already comply and risks missing areas that actually require change.
  7. Question 7 (Incident Management)

    What is the PRIMARY purpose of a SIEM in incident management?

    • A. To centralize, correlate, and analyze log data from many sources to detect and alert on suspicious activity (Correct)
    • B. To replace the need for an incident response plan
    • C. To assign IP addresses to endpoints
    • D. To encrypt all network traffic automatically
    ✓ Correct answer: A

    A Security Information and Event Management platform ingests log and event data from diverse sources including firewalls, endpoints, identity systems, and applications, then applies correlation rules, statistical baselines, and threat intelligence to identify patterns that indicate potential security incidents. This centralization is critical because individual systems in isolation rarely produce enough context to distinguish malicious activity from normal operations; it is the correlation of events across multiple systems and timeframes that reveals attack patterns such as lateral movement, privilege escalation, and data exfiltration.

    Why the other options are wrong
    • B. "To replace the need for an incident response plan" is incorrect because a SIEM is a detection and alerting tool; what happens after an alert fires, including investigation, containment, and remediation, must be governed by an incident response plan that the SIEM cannot substitute.
    • C. "To assign IP addresses to endpoints" is incorrect because IP address assignment is the function of a DHCP server; a SIEM consumes network data but does not participate in network address management.
    • D. "To encrypt all network traffic automatically" is incorrect because network traffic encryption is performed by protocols such as TLS and IPsec at the transport or network layer; a SIEM passively collects and analyzes log data and does not perform encryption of communications.
  8. Question 8 (Information Security Program)

    When migrating an on-premises application to a public cloud IaaS provider, which is the MOST important security activity to perform during planning?

    • A. Define a shared responsibility model and reassess control ownership for the new environment (Correct)
    • B. Delay all security review until after go-live
    • C. Disable all logging to reduce migration noise
    • D. Copy the existing firewall rules verbatim without review
    ✓ Correct answer: A

    Cloud IaaS operates under a shared responsibility model in which the cloud provider manages physical infrastructure, hypervisor security, and certain platform services, while the customer retains responsibility for operating system hardening, application security, identity and access management, data classification, and network configuration within the cloud. When migrating an application, many on-premises controls implemented at the data center level, such as physical access controls or hypervisor security, are no longer the customer's responsibility, while new controls, such as cloud security groups, IAM roles, and storage bucket policies, become critical. Mapping this responsibility shift during planning prevents control gaps from emerging after go-live.

    Why the other options are wrong
    • B. "Delay all security review until after go-live" is incorrect because discovering security gaps after go-live means the application has operated with unmitigated risk in production; remediation after go-live is also more disruptive and costly than addressing issues during design.
    • C. "Disable all logging to reduce migration noise" is incorrect because migration periods produce elevated activity that is exactly when logging is most needed to detect unauthorized access to data being transferred; disabling it creates a dangerous blind window.
    • D. "Copy the existing firewall rules verbatim without review" is incorrect because on-premises firewall rules are designed for physical network topology and IP ranges that differ from cloud architectures; copying them verbatim may leave critical cloud-specific attack surfaces unprotected and may open unintended ports due to addressing differences.
  9. Question 9 (Incident Management)

    During a ransomware outbreak, the IR team sees encryption spreading laterally via SMB across the network. What action should they take FIRST?

    • A. Draft the breach-notification letter to regulators
    • B. Reimage every workstation before analysis
    • C. Begin restoring all servers from backup immediately
    • D. Isolate affected segments/hosts from the network to contain lateral spread (Correct)
    ✓ Correct answer: D

    SMB-propagating ransomware such as NotPetya and WannaCry demonstrated that network-connected ransomware can encrypt tens of thousands of systems in minutes when lateral movement is not stopped. The immediate priority when observing active SMB propagation is to prevent the spread from reaching additional systems by isolating affected network segments or hosts through VLAN changes, firewall rule modifications, or host-based isolation commands through an EDR platform. Every second of continued connectivity allows additional systems to be encrypted, increasing the scope of recovery required.

    Why the other options are wrong
    • A. "Draft the breach-notification letter to regulators" is incorrect because regulatory notification is a later-stage activity that follows containment, investigation, and assessment of data exposure; drafting notifications before stopping active spread is premature and diverts attention from the immediate containment priority.
    • B. "Reimage every workstation before analysis" is incorrect because reimaging before forensic collection destroys the evidence needed to understand the attack path, identify the initial access vector, and prevent reinfection through the same route.
    • C. "Begin restoring all servers from backup immediately" is incorrect because restoring systems to a still-connected network environment would immediately expose the restored systems to the same ransomware still propagating through the environment; containment must precede recovery.
  10. Question 10 (Information Security Governance)

    Which factor MOST influences how an information security strategy is shaped?

    • A. The age of the data center building
    • B. The number of switches deployed
    • C. The brand of antivirus in use
    • D. The organization's risk appetite and business objectives (Correct)
    ✓ Correct answer: D

    An information security strategy exists to enable the organization to achieve its business objectives while managing security risk to acceptable levels. The strategy's scope, priorities, and resource allocation must reflect where the organization is going commercially, what risks it is willing to accept to get there, and what regulatory environment it operates within. An organization with a low risk appetite in a regulated industry will develop a fundamentally different strategy from a startup willing to accept more risk to accelerate growth. Without grounding in risk appetite and business objectives, a security strategy becomes a generic framework exercise with no meaningful business alignment.

    Why the other options are wrong
    • A. "The age of the data center building" is incorrect because facility age is a physical infrastructure consideration; while older facilities may have certain physical security limitations, the building's age has no meaningful influence on the strategic direction of the information security program.
    • B. "The number of switches deployed" is incorrect because network hardware inventory is an asset management data point that informs capacity and refresh planning but does not drive the strategic vision of how security aligns with organizational risk appetite and business direction.
    • C. "The brand of antivirus in use" is incorrect because endpoint protection product selection is a tactical procurement decision within the program; the vendor of a single tool does not influence or determine the organization's overall information security strategy.

ISACA CISM practice exam FAQ

How many questions are in the ISACA CISM practice exam on CertGrid?

CertGrid has 300 practice questions for ISACA CISM, covering 4 exam domains. The real ISACA CISM exam has about 100 questions.

What is the passing score for ISACA CISM?

The ISACA CISM exam passing score is 700, and you have about 240 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official ISACA CISM exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of ISACA CISM, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice ISACA CISM for free?

Yes. You can start practicing ISACA CISM for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.