Information Risk Management for CISM

This page covers the Information Risk Management domain of the CISM certification. Master Cybersecurity offers 252 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    An information security risk analysis BEST assists an organization in ensuring that:
    A. the infrastructure has the appropriate level of access control.
    B. cost-effective decisions are made with regard to which assets need protection.
    C. an appropriate level of funding is applied to security processes.
    D. the organization implements appropriate security technologies.
    Explanation

    The correct answer is: B. cost-effective decisions are made with regard to which assets need protection.

    An information security risk analysis best assists an organization in ensuring that cost-effective decisions are made regarding which assets need protection because the analysis quantifies exposure and lets the organization invest where the return on protection is highest. CISM treats risk analysis as the principal cost-effectiveness instrument for security investment. Ensuring the infrastructure has the appropriate level of access control is one specific outcome that the analysis may inform but is narrower than cost-effective decision-making. Ensuring an appropriate level of funding for security processes is a budget outcome that flows from the analysis. Ensuring the organization implements appropriate security technologies is a specific category of decision that the analysis again informs; the unifying contribution is cost-effective allocation across all such decisions.

  2. Question 2

    An information security manager has been asked to determine whether an information security initiative has reduced risk to an acceptable level. Which of the following activities would provide the BEST information for the information security manager to draw a conclusion?
    A. Initiating a cost-benefit analysis of the implemented controls
    B. Performing a risk assessment
    C. Reviewing the risk register
    D. Conducting a business impact analysis (BIA)
    Explanation

    The correct answer is: B. Performing a risk assessment.

    The best activity to determine whether an information security initiative has reduced risk to an acceptable level is to perform a risk assessment because the assessment is the analytical method specifically designed to measure current risk against the appetite threshold. CISM treats the post-implementation risk assessment as the canonical evidence that an initiative achieved its objective. Initiating a cost-benefit analysis of the implemented controls addresses the financial efficiency of the controls but does not measure risk reduction directly. Reviewing the risk register surfaces what was tracked but does not constitute a fresh assessment against the current state. Conducting a business impact analysis quantifies disruption impacts but is not the operational measurement of residual risk that the initiative was intended to lower; the risk assessment is the targeted measurement.

  3. Question 3

    Threat and vulnerability assessments are important PRIMARILY because they are:
    A. used to establish security investments.
    B. needed to estimate risk.
    C. the basis for setting control objectives.
    D. elements of the organization's security posture.
    Explanation

    The correct answer is: B. needed to estimate risk.

    Threat and vulnerability assessments are important primarily because they are needed to estimate risk, since the risk estimation formula combines threat likelihood with vulnerability exploitability and impact, and the assessments provide the inputs the formula requires. CISM treats threat-and-vulnerability data as the principal raw material of risk estimation. Being used to establish security investments is a downstream use of the resulting risk estimates rather than the assessments' primary purpose. Being the basis for setting control objectives is similarly a downstream output. Being elements of the organization's security posture is a general descriptive statement that does not capture the specific operational purpose of the assessments, which is to feed the risk-estimation process.

  4. Question 4

    Which of the following should be an information security manager's PRIMARY focus during the development of a critical system storing highly confidential data?
    A. Ensuring the amount of residual risk is acceptable
    B. Reducing the number of vulnerabilities detected
    C. Avoiding identified system threats
    D. Complying with regulatory requirements
    Explanation

    The correct answer is: A. Ensuring the amount of residual risk is acceptable.

    During the development of a critical system storing highly confidential data, the primary focus of the information security manager should be ensuring the amount of residual risk is acceptable because the system's data sensitivity means the residual risk must clearly meet the organization's appetite for that data class. CISM treats appetite alignment as the gating program concern for highly sensitive systems. Reducing the number of vulnerabilities detected is one operational input but the substantive question is whether the residual risk is acceptable, not whether some count is minimized. Avoiding identified system threats is one specific approach within risk treatment. Complying with regulatory requirements is one constraint but the comprehensive measure is whether residual risk meets appetite.

  5. Question 5

    Risk scenarios simplify the risk assessment process by:
    A. covering the full range of possible risk.
    B. ensuring business risk is mitigated.
    C. reducing the need for subsequent risk evaluation.
    D. focusing on important and relevant risk.
    Explanation

    The correct answer is: D. focusing on important and relevant risk.

    Risk scenarios simplify the risk assessment process by focusing on important and relevant risks because scenarios are deliberately scoped narratives that surface the specific combinations of threat, asset, and impact that matter most to the organization. CISM treats scenarios as a structured way to make risk assessment tractable by selecting what to analyze. Covering the full range of possible risk would expand rather than simplify the assessment and is not the function of scenarios. Ensuring business risk is mitigated is an outcome of treatment decisions rather than a simplification of the assessment itself. Reducing the need for subsequent risk evaluation is incorrect; scenarios support periodic re-evaluation rather than eliminating it. The focus-on-relevance characteristic is the simplification that scenarios deliver to the assessment process.
