ISACA CISM Practice Test

Try 12 Certified Information Security Manager (CISM) sample questions and practice-test preview prompts on security governance, risk management, program development, incident management, and business alignment.

Certified Information Security Manager (CISM) is a management-focused information security credential. It emphasizes governance, program ownership, risk management, incident response, and alignment between security decisions and business objectives.

Use these 12 original sample questions for initial self-assessment. The full IT Mastery route for CISM is not available yet; try the preview and use the Notify me form if this is your target route.

What this route should test

  • choosing governance and program actions rather than isolated technical controls
  • translating security risk into business impact and management priorities
  • selecting incident-management, communication, and escalation steps
  • distinguishing strategic security management from hands-on security engineering

Common candidate trap

CISM questions usually reward the management answer, not the deepest technical fix. Look for governance, risk ownership, business alignment, communication, and program-level control rather than jumping straight to a tool or configuration change.

Sample Exam Questions

These questions are original IT Mastery preview items for CISM security-management judgment. They are not official ISACA exam questions.

Question 1

Topic: security governance

An information security manager is asked to justify a new security program to executives. What should be emphasized first?

  • A. The number of security tools available
  • B. Alignment to business objectives, risk reduction, regulatory obligations, and measurable outcomes
  • C. The technical configuration of every firewall
  • D. The colour of the security dashboard

Best answer: B

Explanation: CISM is management-oriented. A program should be justified by business risk, obligations, and measurable value, not by tool counts or technical detail alone.


Question 2

Topic: risk ownership

A business unit accepts a high residual risk after reviewing treatment options. What is the security manager’s best role?

  • A. Secretly override the business decision
  • B. Remove all controls
  • C. Approve the risk personally without documentation
  • D. Ensure the risk decision is informed, documented, within governance expectations, and monitored

Best answer: D

Explanation: Business management owns risk decisions. Security management supports analysis, governance, documentation, and monitoring.


Question 3

Topic: program development

A new security awareness program has low completion and no evidence of behavior change. What should the manager do?

  • A. Reassess objectives, audience, delivery, metrics, and reinforcement plan
  • B. Send the same training forever
  • C. Cancel all awareness activity
  • D. Measure only how many slides were created

Best answer: A

Explanation: Program management requires outcomes, not just activity. Completion rates, behavior indicators, audience relevance, and reinforcement all matter.


Question 4

Topic: incident communication

A ransomware event may affect customer-facing systems. What should the security manager prioritize?

  • A. Keep the issue inside the technical team only
  • B. Disable all communications
  • C. Follow the incident communication and escalation plan with legal, business, executive, and technical stakeholders
  • D. Publish unverified details immediately

Best answer: C

Explanation: Incident management is cross-functional. Communication should be timely, coordinated, accurate, and aligned with escalation and legal obligations.


Question 5

Topic: metrics

Which metric is most useful for security program oversight?

  • A. Number of tools purchased
  • B. Number of pages in the policy manual
  • C. Number of meetings held
  • D. Risk-relevant indicators tied to control performance, incidents, remediation, and business outcomes

Best answer: D

Explanation: Management metrics should support decisions. Tool counts and meeting counts are weak unless tied to risk and performance outcomes.


Question 6

Topic: policy management

A policy is approved but not followed because procedures and responsibilities are unclear. What is the best next step?

  • A. Delete the policy
  • B. Define ownership, procedures, communication, training, monitoring, and enforcement expectations
  • C. Punish users without explanation
  • D. Assume approval means implementation is complete

Best answer: B

Explanation: Policy governance includes implementation. Responsibilities, procedures, awareness, monitoring, and enforcement make the policy operational.


Question 7

Topic: third-party security

A vendor handles sensitive customer data. What should the security manager ensure before onboarding?

  • A. Risk assessment, contractual security requirements, control assurance, monitoring, and incident-notification expectations
  • B. The vendor has a modern website
  • C. The vendor uses the same office software
  • D. No one reviews the vendor after signing

Best answer: A

Explanation: Third-party security management includes due diligence, contracts, assurance, monitoring, and incident expectations. Vendor appearance is not enough.


Question 8

Topic: security strategy

Executives want security investment prioritized for the next year. What should drive prioritization?

  • A. The newest technology trend only
  • B. The easiest control to buy
  • C. Business risk, threat exposure, regulatory obligations, current control gaps, and value
  • D. Vendor marketing claims

Best answer: C

Explanation: A security strategy should prioritize according to risk and business value. CISM candidates should avoid tool-first prioritization.


Question 9

Topic: incident lessons learned

After a major incident, what is the most valuable management action?

  • A. Blame the first analyst who touched the ticket
  • B. Close the incident and delete the evidence
  • C. Assume the same controls are sufficient
  • D. Conduct a lessons-learned review and track corrective actions through governance

Best answer: D

Explanation: Post-incident review converts response experience into program improvement. Corrective actions should be owned and tracked.


Question 10

Topic: risk treatment

A critical application has a high-risk vulnerability, but immediate patching could disrupt operations. What should the security manager do?

  • A. Patch without consulting anyone
  • B. Coordinate risk treatment with business, operations, compensating controls, timing, and documented acceptance if needed
  • C. Ignore the vulnerability
  • D. Disable the application permanently without approval

Best answer: B

Explanation: Management decisions balance risk and operations. Treatment can include patching, compensating controls, scheduling, transfer, avoidance, or documented acceptance.


Question 11

Topic: business alignment

A security control blocks a revenue-critical process and users are bypassing it. What is the best management response?

  • A. Reassess the control design with business owners to reduce risk without breaking the process
  • B. Ignore the bypassing
  • C. Remove all security controls
  • D. Discipline users without understanding the process

Best answer: A

Explanation: CISM emphasizes alignment. A control that drives bypass behavior may need redesign, process change, or better communication while still addressing risk.


Question 12

Topic: security architecture oversight

A project team wants to launch a new cloud service without security review. What should the security manager require?

  • A. Launch first and review later
  • B. Let the vendor make all risk decisions
  • C. Security and risk review integrated into the project lifecycle before production
  • D. No documentation

Best answer: C

Explanation: Security should be integrated into project governance and lifecycle processes. Late review increases risk and rework.

CISM quick checklist

Area | What to check
Governance | Tie security decisions to business objectives, accountability, and risk appetite.
Program management | Measure outcomes, not just security activity.
Incident response | Coordinate communication, escalation, evidence, and lessons learned.
Risk ownership | Keep risk decisions documented and owned by the right business authority.
Revised on Monday, May 18, 2026