Certified Information Security Manager
Version: Demo
[ Total Questions: 10]
Web: www.certsout.com
Email: support@certsout.com
Isaca
CISM
https://www.certsout.com
https://www.certsout.com/CISM-test.html
Isaca - CISM Certs Exam
1 of 10 - Pass with Valid Exam Questions Pool
Exam Topic Breakdown
Exam Topic               Number of Questions
Topic 1 : Exam Pool A    4
Topic 3 : Exam Pool C    4
Topic 2 : Exam Pool B    2
TOTAL                    10
Topic 1, Exam Pool A
Question #:1 - (Exam Topic 1)
Which of the following security processes will BEST prevent the exploitation of system vulnerabilities?
A. Intrusion detection
B. Log monitoring
C. Patch management
D. Antivirus software
Answer: C
Explanation
Patch management is the process of applying updates to software and hardware systems to fix security vulnerabilities and improve functionality. Patch management is one of the best ways to prevent the exploitation of system vulnerabilities, as it reduces the attack surface and closes the gaps that attackers can exploit. Patch management also helps to ensure compliance with security standards and regulations, and to maintain the performance and availability of systems.
Intrusion detection is the process of monitoring network or system activities for signs of malicious or unauthorized behavior. Intrusion detection can help to detect and respond to attacks, but it does not prevent them from happening in the first place. Log monitoring is the process of collecting, analyzing and reviewing log files generated by various systems and applications. Log monitoring can help to identify anomalies, errors and security incidents, but it does not prevent them from occurring. Antivirus software is a program that scans files and systems for viruses, malware and other malicious code. Antivirus software can help to protect systems from infection, but it does not prevent the exploitation of system vulnerabilities that are not related to malware.
Therefore, patch management is the best security process to prevent the exploitation of system vulnerabilities, as it addresses the root cause of the problem and reduces the risk of compromise.
References = CISM Review Manual, 16th Edition eBook | Digital | English[1], Chapter 4: Information Security Program Development and Management, Section 4.3: Information Security Program Resources, Subsection 4.3.1: Information Security Infrastructure and Architecture, Page 204.
Question #:2 - (Exam Topic 1)
The MOST important reason for having an information security manager serve on the change management committee is to:
A. identify changes to the information security policy.
B. ensure that changes are tested.
C. ensure changes are properly documented.
D. advise on change-related risk.
Answer: D
Explanation
The most important reason for having an information security manager serve on the change management committee is to advise on change-related risk. Change management is the process of planning, implementing, and controlling changes to the organization’s IT systems, processes, or services, in order to achieve the desired outcomes and minimize the negative impacts[1]. Change-related risk is the possibility of adverse consequences or events resulting from the changes, such as security breaches, system failures, data loss, compliance violations, or customer dissatisfaction[2].
The information security manager is responsible for ensuring that the organization’s information assets are protected from internal and external threats, and that the information security objectives and requirements are aligned with the business goals and strategies[3]. Therefore, the information security manager should serve on the change management committee to advise on change-related risk, and to ensure that the changes are consistent with the information security policy, standards, and best practices. The information security manager can also help to identify and assess the potential security risks and impacts of the changes, and to recommend and implement appropriate security controls and measures to mitigate them. The information security manager can also help to monitor and evaluate the effectiveness and performance of the changes, and to identify and resolve any security issues or incidents that may arise from the changes[4].
The other options are not as important as advising on change-related risk, because they are either more specific, limited, or dependent on the information security manager’s role. Identifying changes to the information security policy is a task that the information security manager may perform as part of the change management process, but it is not the primary reason for serving on the change management committee. The information security policy is the document that defines the organization’s information security principles, objectives, roles, and responsibilities, and it should be reviewed and updated regularly to reflect the changes in the organization’s environment, needs, and risks[5]. However, identifying changes to the information security policy is not as important as advising on change-related risk, because the policy is a high-level document that does not provide specific guidance or details on how to implement or manage the changes. Ensuring that changes are tested is a quality assurance activity that the change management committee may perform or oversee as part of the change management process, but it is not the primary reason for having an information security manager on the committee. Testing is the process of verifying and validating that the changes meet the expected requirements, specifications, and outcomes, and that they do not introduce any errors, defects, or vulnerabilities. However, ensuring that changes are tested is not as important as advising on change-related risk, because testing is a technical or operational activity that does not address the strategic or holistic aspects of change-related risk. Ensuring changes are properly documented is a governance activity that the change management committee may perform or oversee as part of the change management process, but it is not the primary reason for having an information security manager on the committee. Documentation is the process of recording and maintaining the information and evidence related to the changes, such as the change requests, approvals, plans, procedures, results, reports, and lessons learned. However, ensuring changes are properly documented is not as important as advising on change-related risk, because documentation is a procedural or administrative activity that does not provide any analysis or evaluation of change-related risk.
References =
1: CISM Review Manual 15th Edition, Chapter 2, Section 2.5
2: CISM Review Manual 15th Edition, Chapter 2, Section 2.5
3: CISM Review Manual 15th Edition, Chapter 1, Section 1.1
4: CISM Review Manual 15th Edition, Chapter 2, Section 2.5
5: CISM Review Manual 15th Edition, Chapter 1, Section 1.3
Question #:3 - (Exam Topic 1)
Which of the following BEST indicates that information assets are classified accurately?
A. Appropriate prioritization of information risk treatment
B. Increased compliance with information security policy
C. Appropriate assignment of information asset owners
D. An accurate and complete information asset catalog
Answer: A
Explanation
The best indicator that information assets are classified accurately is appropriate prioritization of information risk treatment. Information asset classification is the process of assigning a level of sensitivity or criticality to information assets based on their value, impact, and legal or regulatory requirements. The purpose of information asset classification is to facilitate the identification and protection of information assets according to their importance and risk exposure. Therefore, if information assets are classified accurately, the organization can prioritize the information risk treatment activities and allocate the resources accordingly. The other options are not direct indicators of information asset classification accuracy, although they may be influenced by it.
References = CISM Review Manual 15th Edition, page 671; CISM Review Questions, Answers & Explanations Database - 12 Month Subscription, Question ID: 1031
Question #:4 - (Exam Topic 1)
Which of the following is the FIRST step to establishing an effective information security program?
A. Conduct a compliance review.
B. Assign accountability.
C. Perform a business impact analysis (BIA).
D. Create a business case.
Answer: D
Explanation
According to the CISM Review Manual, the first step to establishing an effective information security program is to create a business case that aligns the program objectives with the organization’s goals and strategies. A business case provides the rationale and justification for the information security program and helps to secure the necessary resources and support from senior management and other stakeholders. A business case should include the following elements:
    The scope and objectives of the information security program
    The current state of information security in the organization and the gap analysis
    The benefits and value proposition of the information security program
    The risks and challenges of the information security program
    The estimated costs and resources of the information security program
    The expected outcomes and performance indicators of the information security program
    The implementation plan and timeline of the information security program
References = CISM Review Manual, 16th Edition, Chapter 3, Section 2, pages 97-99.
Topic 3, Exam Pool C
Question #:5 - (Exam Topic 3)
An organization's research department plans to apply machine learning algorithms on a large data set containing customer names and purchase history. The risk of personal data leakage is considered high impact. Which of the following is the BEST risk treatment option in this situation?
A. Accept the risk, as the benefits exceed the potential consequences.
B. Mitigate the risk by applying anonymization on the data set.
C. Transfer the risk by purchasing insurance.
D. Mitigate the risk by encrypting the customer names in the data set.
Answer: B
Question #:6 - (Exam Topic 3)
Which of the following provides the MOST effective response against ransomware attacks?
A. Automatic quarantine of systems
B. Thorough communication plans
C. Effective backup plans and processes
D. Strong password requirements
Answer: C
Explanation
Comprehensive and Detailed Step-by-Step Explanation: Recovering from ransomware attacks often depends on having a robust data recovery strategy:
A. Automatic quarantine of systems: This can limit the spread of ransomware but does not address recovery.
B. Thorough communication plans: Communication is important during incidents but does not directly mitigate ransomware.
C. Effective backup plans and processes: This is the BEST option because having backups ensures that encrypted data can be restored, minimizing downtime and data loss.
D. Strong password requirements: This helps prevent unauthorized access but is not sufficient to combat ransomware once it has entered the system.
Reference: CISM Job Practice Area 4 (Information Security Incident Management) stresses the importance of backup and recovery strategies to mitigate ransomware risks.
Question #:7 - (Exam Topic 3)
An information security team must obtain approval from the information security steering committee to implement a key control. Which of the following is the MOST important input to assist the committee in making this decision?
A. IT strategy
B. Security architecture
C. Business case
D. Risk assessment
Answer: C
Question #:8 - (Exam Topic 3)
Which of the following BEST enables the assignment of risk and control ownership?
A. Aligning to an industry-recognized control framework
B. Adopting a risk management framework
C. Obtaining senior management buy-in
D. Developing an information security strategy
Answer: C
Explanation
Obtaining senior management buy-in is the best way to enable the assignment of risk and control ownership because it helps to establish the authority and accountability of the risk and control owners, as well as to provide them with the necessary resources and support to perform their roles. Risk and control ownership refers to the assignment of specific responsibilities and accountabilities for managing risks and controls to individuals or groups within the organization. Obtaining senior management buy-in helps to ensure that risk and control ownership is aligned with the organizational objectives, structure, and culture, as well as to communicate the expectations and benefits of risk and control ownership to all stakeholders. Therefore, obtaining senior management buy-in is the correct answer.
References:
https://www.protechtgroup.com/en-au/blog/risk-control-management
https://www.mckinsey.com/~/media/mckinsey/dotcom/client_service/risk/working%20papers/23_getting_risk_ownership_right.ashx
https://www.linkedin.com/pulse/risk-controls-who-owns-them-david-tattam
Topic 2, Exam Pool B
Question #:9 - (Exam Topic 2)
To help ensure that an information security training program is MOST effective, its contents should be:
A. focused on information security policy.
B. aligned to business processes.
C. based on employees' roles.
D. based on recent incidents.
Answer: C
Explanation
“An information security training program should be tailored to the specific roles and responsibilities of employees. This will help them understand how their actions affect information security and what they need to do to protect it. A generic training program that is focused on policy, business processes or recent incidents may not be relevant or effective for all employees.”
Question #:10 - (Exam Topic 2)
To confirm that a third-party provider complies with an organization's information security requirements, it is MOST important to ensure:
A. security metrics are included in the service level agreement (SLA).
B. contract clauses comply with the organization's information security policy.
C. the information security policy of the third-party service provider is reviewed.
D. right to audit is included in the service level agreement (SLA).
Answer: D
Explanation
To confirm that a third-party provider complies with an organization’s information security requirements, it is most important to ensure that the right to audit is included in the service level agreement (SLA), which is a contract that defines the scope, quality, and terms of the services that the third-party provider delivers to the organization. The right to audit is a clause that grants the organization the authority and opportunity to inspect and verify the third-party provider’s security policies, procedures, controls, and performance, either by itself or by an independent auditor, at any time during the contract period or after a security incident. The right to audit can help to ensure that the third-party provider adheres to the organization’s information security requirements, as well as to the legal and regulatory standards and obligations, and that the organization can monitor and measure the security risks and issues that arise from the outsourcing relationship. The right to audit can also help to identify and address any gaps, weaknesses, or errors that could compromise the security of the information assets and systems that are shared, stored, or processed by the third-party provider, and to provide feedback and recommendations for improvement and optimization of the security posture and performance.
Security metrics, contract clauses, and the information security policy of the third-party provider are all important elements of ensuring the compliance of the third-party provider with the organization’s information security requirements, but they are not the most important ones. Security metrics are quantitative and qualitative measures that indicate the effectiveness and efficiency of the security controls and processes that the third-party provider implements and reports to the organization, such as the number of security incidents, the time to resolve them, the level of customer satisfaction, or the compliance rate. Security metrics can help to evaluate and compare the security performance and outcomes of the third-party provider, as well as to identify and address any deviations or discrepancies from the expected or agreed levels. Contract clauses are legal and contractual terms and conditions that bind the third-party provider to the organization’s information security requirements, such as the confidentiality, integrity, and availability of the information assets and systems, the roles and responsibilities of the parties, the liabilities and penalties for breach or violation, or the dispute resolution mechanisms. Contract clauses can help to enforce and protect the organization’s information security interests and rights, as well as to prevent or resolve any conflicts or issues that arise from the outsourcing relationship. The information security policy of the third-party provider is a document that defines and communicates the third-party provider’s security vision, mission, objectives, and principles, as well as the security roles, responsibilities, and rules that apply to the third-party provider’s staff, customers, and partners. The information security policy of the third-party provider can help to ensure that the third-party provider has a clear and consistent security direction and guidance, as well as to align and integrate the third-party provider’s security practices and culture with the organization’s security expectations and requirements.
References = CISM Review Manual 15th Edition, pages 57-58[1]; CISM Practice Quiz, question 166[2]