CISM D1 Questions

This document contains 20 multiple choice questions related to information security and governance. The questions cover topics such as the importance of executive buy-in for security programs, the role of security steering groups, factors for successful security program implementation, privacy policies, documentation of security procedures, and ensuring alignment between security and business objectives.

Uploaded by Jonathan Evans

CISM Questions – Domain 1

1. A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?
A. Examples of genuine incidents at similar organizations
B. Statement of generally accepted best practices
C. Associating realistic threats to corporate objectives
D. Analysis of current technological exposures

2. The PRIMARY objective of a security steering group is to:
A. Ensure information security covers all business functions
B. Ensure information security aligns with business goals
C. Raise information security awareness across the organization
D. Implement all decisions on security management across the organization

3. When implementing effective security governance within the requirements of the company security strategy, which of the following is the MOST important factor to consider?
A. Preserving the confidentiality of sensitive data
B. Establishing international security standards for data sharing
C. Adhering to corporate privacy standards
D. Establishing system manager responsibility for information security

4. What is the MOST important item to be included in an information security policy?
A. The definition of roles and responsibilities
B. The scope of the security program
C. The key objectives of the security program
D. Reference to procedures and standards of the security program

5. Which of the following factors is MOST important for the successful implementation of an organization's information security program?
A. Senior management support
B. Budget for security activities
C. Regular vulnerability assessments
D. Knowledgeable security administrators

6. A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
A. Meet with stakeholders to decide how to comply
B. Analyse key risks in the compliance process
C. Assess whether existing controls meet the regulation
D. Update the existing security/privacy policy

7. Information security policies should:
A. Address corporate network vulnerabilities
B. Address the process for communicating a violation
C. Be straightforward and easy to understand
D. Be customized to specific groups and roles

8. The MOST basic requirement for an information security governance program is to:
A. Be aligned with the corporate business strategy
B. Be based on a sound risk management approach
C. Provide adequate regulatory compliance
D. Provide best practices for security initiatives

9. Which of the following roles performs the day-to-day duties required to ensure the protection and integrity of data?
A. Data owners
B. Data users
C. Steering committees
D. Data custodians

10. Which of the following will BEST ensure that management takes ownership of the decision making process for information security?
A. Security policies and procedures
B. Annual self-assessment by management
C. Security steering committees
D. Security awareness campaigns

11. A good privacy statement should include:
A. Notification of liability on accuracy of information.
B. Notification that information will be encrypted.
C. What the company will do with information it collects.
D. A description of the information classification process.

12. The BEST way to standardize security configurations in similar devices is through the use of:
A. Policies.
B. Procedures.
C. Technical guides.
D. Baselines.

13. The PRIMARY goal of developing an information security program is to:
A. Implement the strategy.
B. Optimize resources.
C. Deliver on metrics.
D. Achieve assurance.

14. The MOST important reason for formally documenting security procedures is to ensure:
A. Processes are repeatable and sustainable.
B. Alignment with business objectives.
C. Auditability by regulatory agencies.
D. Objective criteria for the application of metrics.

15. Which of the following documents includes detailed requirements?
A. A policy
B. A guideline
C. A procedure
D. A standard

16. Monitoring the information security program primarily ensures that:
A. The security strategy is aligned with the business strategy.
B. Information security objectives are achieved.
C. Resources are performing efficiently.
D. Accepted risk is monitored effectively.

17. The formal declaration of organizational security goals and objectives should be found in which of the following documents?
A. Information security procedures
B. Information security principles
C. An employee code of conduct
D. An information security policy

18. Senior management commitment and support for information security can BEST be obtained through presentations that:
A. Use illustrative examples of successful attacks.
B. Explain the technical risks to the organization.
C. Evaluate the organization against best security practices.
D. Tie security risks to key business objectives.

19. The MOST important factor in ensuring the success of an information security program is effective:
A. Communication of information security requirements to all users in the organization.
B. Formulation of policies and procedures for information security.
C. Alignment with organizational goals and objectives.
D. Monitoring compliance with information security policies and procedures.

20. Which of the following would be the MOST important goal of an information security governance program?
A. Review of internal control mechanisms
B. Effective involvement in business decision making
C. Total elimination of risk factors
D. Ensuring trust in data
