Information Security Governance for CISM

This page covers the Information Security Governance domain of the CISM certification. Master Cybersecurity offers 290 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  Question 1

    In a multinational organization, local security regulations should be implemented over global security policy because:
    A. business objectives are defined by local business unit managers.
    B. deploying awareness of local regulations is more practical than of global policy.
    C. global security policies include unnecessary controls for local businesses.
    D. requirements of local regulations take precedence.

    Explanation

    The correct answer is: D. requirements of local regulations take precedence.

    In a multinational organization, local security regulations should be implemented over global security policy because the requirements of local regulations take precedence, since regulations are legally enforceable obligations that the global policy must accommodate. CISM treats regulatory primacy as the canonical principle for global-versus-local policy conflicts. Business objectives being defined by local managers does not justify deviating from a global standard absent regulatory necessity. Awareness practicality is a logistical consideration rather than a substantive basis. Global security policies including unnecessary controls for local businesses is a possible design issue but is addressed by tailoring the global policy rather than by local regulations overriding it; legal precedence is the governing principle.

  Question 2

    To gain a clear understanding of the impact that a new regulatory requirement will have on an organization's information security controls, an information security manager should FIRST:
    A. conduct a cost-benefit analysis.
    B. conduct a risk assessment.
    C. interview senior management.
    D. perform a gap analysis.

    Explanation

    The correct answer is: D. perform a gap analysis.

    To gain a clear understanding of the impact of a new regulatory requirement on information security controls, the information security manager should first perform a gap analysis because the gap analysis identifies exactly which controls the regulation requires and which the organization is missing. CISM treats gap analysis as the principal regulatory-impact analytical step. Conducting a cost-benefit analysis addresses the financial dimension after gaps are known. Conducting a risk assessment addresses broader risk implications that the gap analysis informs. Interviewing senior management provides governance context but is one input rather than the substantive impact analysis; the gap analysis is the targeted instrument for the impact question.

  Question 3

    Which of the following is the BEST way to build a risk-aware culture?
    A. Periodically change risk awareness messages.
    B. Ensure that threats are communicated organization-wide in a timely manner.
    C. Periodically test compliance with security controls and post results.
    D. Establish incentives and a channel for staff to report risks.

    Explanation

    The correct answer is: D. Establish incentives and a channel for staff to report risks.

    The best way to build a risk-aware culture is to establish incentives and a channel for staff to report risks because incentivized reporting converts the workforce into an active risk-detection layer. CISM treats incentive-and-channel design as the principal cultural mechanism for engaging staff in risk awareness. Periodically changing risk awareness messages keeps content fresh but does not produce active staff participation. Ensuring that threats are communicated organization-wide in a timely manner provides information but does not engage staff in detection. Periodically testing compliance with security controls and posting results applies pressure but is a control-discipline activity rather than a culture-building one; incentivized reporting builds the bidirectional engagement that culture requires.

  Question 4

    Which of the following is MOST likely to be included in an enterprise security policy?
    A. Definitions of responsibilities
    B. Retention schedules
    C. System access specifications
    D. Organizational risk

    Explanation

    The correct answer is: A. Definitions of responsibilities.

    The most likely element to be included in an enterprise security policy is definitions of responsibilities because the policy operationalizes accountability across the organization. CISM treats responsibility definitions as the principal enterprise-policy content. Retention schedules are typically maintained outside the security policy as records management artifacts. System access specifications are operational standards that operate within the policy. Organizational risk is captured in the risk register rather than the policy; the responsibility definitions are the substantive policy content.

  Question 5

    Which of the following should an information security manager do FIRST when a legacy application is not compliant with a regulatory requirement, but the business unit does not have the budget for remediation?
    A. Develop a business case for funding remediation efforts.
    B. Advise senior management to accept the risk of noncompliance.
    C. Notify legal and internal audit of the noncompliant legacy application.
    D. Assess the consequences of noncompliance against the cost of remediation.

    Explanation

    The correct answer is: D. Assess the consequences of noncompliance against the cost of remediation.

    The first action when a legacy application is not compliant with a regulatory requirement and the business unit lacks budget for remediation is to assess the consequences of noncompliance against the cost of remediation because the assessment converts the governance dilemma into a defensible economic comparison. CISM treats this cost-of-noncompliance-vs-remediation comparison as the principal analytical step. Developing a business case for funding remediation efforts is appropriate after the assessment establishes the case. Advising senior management to accept the risk of noncompliance is premature without the comparison. Notifying legal and internal audit is a downstream governance action that the assessment supports; the assessment is the substantive first step.
