The questions are phrased similarly to ISACA’s official style—scenario-based, sometimes deliberately tricky, and focused on the best answer from a manager’s perspective, not just a technically correct one. This helped me train my brain to think “CISM way.”
This domain focuses on aligning security with business goals. Questions often involve the Board of Directors, policies, and resource allocation.
Effectiveness is about outcomes, not activity. Identifying many vulns (A) is good, but if you never fix them, it’s useless. Remediation time (B) shows how quickly risk is reduced. Scan count (C) and tool cost (D) are meaningless for effectiveness.
The PRIMARY reason for obtaining senior management's commitment to information security is to:
What should be the primary objective of a risk management strategy? A: Determine the organization's risk appetite.
A risk register is a living document for risk management. It does not list every vulnerability (A) — only those that pose a risk. It is not an incident log (C) or a compliance repository (D).
During a risk assessment, you identify a critical vulnerability in a legacy system that cannot be patched. The system supports a revenue-generating process. The business owner refuses to accept the risk. What is the BEST course of action?
Best method for continuous improvement? (A) Quarterly reviews with stakeholders.