cism test Practice Exam 2025: Latest Questions

An organization has launched several cloud and SaaS initiatives without consistent security oversight. The CISO is asked to ensure security-related decisions align with business objectives across all business units. What should the CISO do FIRST?

A risk owner asks the information security manager to "accept" a high risk related to legacy servers. What is the BEST next step before the risk can be accepted?

During a tabletop exercise, the incident response team is unsure who has authority to take a critical system offline during an attack. Which document is MOST likely missing or inadequate?

A security program is struggling to gain funding because executives view security initiatives as technical projects with unclear business value. What is the BEST way for the information security manager to improve executive support?

A company wants to reduce the likelihood of unauthorized changes in production. Which control BEST supports this objective while maintaining operational efficiency?

A new regulation requires the organization to report certain security incidents within a defined timeframe. Which action should the incident manager prioritize to ensure compliance?

An enterprise uses a risk register, but different business units assess risks using inconsistent impact scales and likelihood definitions. What is the BEST corrective action?

A security manager wants to select meaningful security program metrics that drive behavior and demonstrate value to leadership. Which metric is BEST aligned to this goal?

A third-party service provider hosts sensitive customer data. The provider refuses to allow on-site audits but offers independent assurance reports and a right-to-audit clause that is difficult to exercise in practice. What is the BEST approach for the information security manager to manage this risk?

After an incident, forensics reveal that the attacker maintained access for weeks due to inconsistent logging and lack of correlation across cloud and on-premises systems. The business requires rapid detection going forward without significantly increasing incident response headcount. What is the BEST program-level action?

A business unit wants to accept a security risk to meet an aggressive product launch date. The CISO believes the residual risk exceeds the organization's risk appetite. What should the information security manager do FIRST?

A risk assessment identifies that a critical business process depends on a single third-party SaaS provider. There is no contractual right to audit, and the provider refuses detailed control evidence. What is the BEST risk response to reduce uncertainty while maintaining business objectives?

During development of an information security program roadmap, several initiatives compete for funding. Which approach BEST ensures alignment with business objectives?

An organization has a mature incident response (IR) process but post-incident reviews repeatedly identify the same root causes (e.g., misconfigurations) across different incidents. What is the MOST effective management action to improve outcomes?

A company is implementing data loss prevention (DLP). Business leaders are concerned about productivity impacts and false positives. What should the security manager do FIRST to increase the likelihood of success?

A security team reports a decrease in the number of detected phishing incidents after implementing a new email security gateway. However, the fraud team reports an increase in account takeovers originating from phishing. What is the MOST likely explanation?

A major incident occurred, and executives want assurance that the organization can restore critical services within required time frames. Which metric BEST demonstrates incident recovery capability?

A global organization is adopting a new security logging platform. Data privacy regulations restrict transferring certain log data across borders. What is the BEST architecture decision to meet both security monitoring and privacy requirements?

After a security incident, the legal department issues a litigation hold. The incident response team wants to reimage affected systems quickly. What should the incident manager do to BEST balance response and evidentiary needs?

A critical vulnerability is discovered in an internally developed application. The patch will take several weeks due to testing and release cycles. Exploit attempts are already observed. Which is the BEST immediate management decision to reduce risk while maintaining essential business operations?

A newly appointed CISO is asked to justify an increase in security budget. Several business leaders argue that security metrics are too technical and do not show business value. What is the BEST approach to report security performance to senior management?

A company relies on a critical SaaS provider for customer billing. The provider refuses to share detailed technical control evidence, citing multi-tenant confidentiality, but offers an independent assurance report and contractual SLAs. What is the MOST appropriate action for the information security manager?

An organization is implementing a new security awareness program. The CEO wants evidence that training reduces real-world risk, not just completion rates. Which of the following is the BEST metric to demonstrate effectiveness?

After a ransomware incident, the incident response team discovers that backups existed but could not be restored within the required recovery time objective (RTO) because the restore process was undocumented and untested. What is the MOST important corrective action to prevent recurrence?

A security program is being criticized for slowing product delivery. Engineering leadership proposes allowing each product team to choose its own security tools and control implementations as long as they meet high-level policy statements. Which approach BEST balances agility with consistent risk management?