
CISM D2 Questions

This document contains questions from Domain 2 of the CISM exam. The questions cover topics related to risk management best practices, developing security policies and standards, conducting risk assessments, and asset classification. Effective risk management programs aim to reduce residual risk to acceptable levels through proper identification and mitigation of risks. Risk assessments and business impact analyses are important tools to help prioritize risks and determine appropriate security controls.

Uploaded by

Jonathan Evans
Copyright © All Rights Reserved

CISM Questions – Domain 2

1. Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?
A. User assessments of changes
B. Comparison of the program results with industry standards
C. Assignment of risk within the organization
D. Participation by all members of the organization

2. In order to highlight to management the importance of network security, the security manager should FIRST:
A. develop a security architecture.
B. install a network intrusion detection system (NIDS) and prepare a list of attacks.
C. develop a network security policy.
D. conduct a risk assessment.

3. Which of the following would be the MOST relevant factor when defining the information classification policy?
A. Quantity of information.
B. Available IT infrastructure.
C. Benchmarking.
D. Requirements of data owners.

4. When a proposed system change violates an existing security standard, the conflict would be BEST resolved by:
A. calculating the risk.
B. enforcing the security standard.
C. redesigning the system change.
D. implementing mitigating controls.

5. An enterprise is transferring its IT operations to an offshore location. An information security manager should be PRIMARILY concerned about:
A. reviewing new laws and regulations.
B. updating operational procedures.
C. validating staff qualifications.
D. conducting a risk assessment.

6. Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?
A. Gap analysis.
B. Regression analysis.
C. Risk analysis.
D. Business impact analysis.

7. An effective risk management program should reduce risk to:
A. zero.
B. an acceptable level.
C. an acceptable per cent of revenue.
D. an acceptable probability of occurrence.

8. The MOST likely reason that management would choose not to mitigate a risk that exceeds the risk appetite is that it:
A. is the residual risk after controls are applied.
B. is a risk that is expensive to mitigate.
C. falls within the risk tolerance level.
D. is a risk of relatively low frequency.

9. A cost-benefit analysis is performed on any proposed control to:
A. define budget limitations.
B. demonstrate due diligence to the budget committee.
C. verify that the cost of implementing the control is within the security budget.
D. demonstrate the costs are justified by the reduction in risk.

10. Which of the following is the MOST important to keep in mind when assessing the value of information?
A. The potential financial loss
B. The cost of recreating the information
C. The cost of insurance coverage
D. Regulatory requirement

11. Which of the following BEST supports the principle of security proportionality?
A. Release management
B. Ownership schema
C. Resource dependency analysis
D. Asset classification

12. Which of the following is the MOST important element of information asset classification?
A. Residual risk
B. Separation of duties
C. Potential impact
D. Need to know

13. The PRIMARY benefit of performing an information asset classification is to:
A. link security requirements to business objectives.
B. identify controls commensurate to risk.
C. define access rights.
D. establish ownership.

14. The design and implementation of controls and countermeasures must be PRIMARILY focused on:
A. eliminating IT risk.
B. cost-benefit balance.
C. resource management.
D. the number of assets protected.

15. Under what circumstances is it MOST appropriate to reduce control strength?
A. Assessed risk is below acceptable levels.
B. Risk cannot be determined.
C. The control cost is high.
D. The control is not effective.

16. Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?
A. Cost-benefit analysis.
B. Penetration testing.
C. Frequent risk assessment programs.
D. Annual loss expectancy (ALE) calculation.

17. The BEST process for assessing an existing risk level is a(n):
A. impact analysis.
B. security review.
C. vulnerability assessment.
D. threat analysis.

18. Asset classification should be MOSTLY based on:
A. business value.
B. book value.
C. replacement cost.
D. initial cost.

19. An organization has learned of a security breach at another company that utilizes similar technology. The FIRST thing the information security manager should do is:
A. assess the likelihood of incidents from the reported cause.
B. discontinue the use of the vulnerable technology.
C. report to senior management that the organization is not affected.
D. remind staff that no similar security breaches have taken place.

20. The PRIMARY objective of a risk management program is to:
A. minimize inherent risk.
B. eliminate business risk.
C. implement effective controls.
D. reduce residual risk to acceptable levels.

21. A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?
A. Acceptance of the business manager's decision on the risk to the corporation.
B. Acceptance of the information security manager's decision on the risk to the corporation.
C. Review of the assessment with executive management for final input.
D. A new risk assessment and BIA are needed to resolve the disagreement.
