CISM Intermediate Practice Exam: Medium Difficulty 2025
Ready to level up? Our intermediate practice exam features medium-difficulty questions with scenario-based problems that test your ability to apply concepts in real-world situations. Perfect for bridging foundational knowledge to exam-ready proficiency.
What Makes Intermediate Questions Different?
Apply your knowledge in practical scenarios
Medium Difficulty: Questions that test application of concepts in real-world scenarios
Scenario-Based: Practical situations requiring multi-concept understanding
Exam-Similar: Question style mirrors what you'll encounter on the actual exam
Bridge to Advanced: Prepare yourself for the most challenging questions
Medium Difficulty Practice Questions
10 intermediate-level questions for Certified Information Security Manager (CISM)
A newly appointed CISO finds that business units are launching SaaS tools without security review, leading to inconsistent controls and unclear accountability. Senior management supports improving oversight but wants to preserve business agility. What should the CISO do FIRST to strengthen information security governance?
An organization has defined an information security strategy, but audits show that key security initiatives are delayed due to competing business priorities. The CISO wants to improve the likelihood of sustained funding and execution. Which action is MOST effective?
A risk assessment shows that a critical business process relies on a legacy system that cannot be patched quickly. Compensating controls exist, but incident history indicates repeated attempts to exploit known weaknesses. The business owner insists the system must remain online. What should the information security manager recommend NEXT?
A global organization uses a centralized risk register, but different regions score risks inconsistently, making it difficult to prioritize remediation. The CISO wants to improve comparability without eliminating regional context. What is the BEST approach?
A company is building a security program for a hybrid environment (on-prem and multiple cloud providers). Different teams implement controls differently, and audits show gaps in configuration management and access reviews. What should the security manager do FIRST to improve program consistency?
A security program has strong preventive controls but limited detection. Leadership asks the security manager to justify investment in monitoring. Which metric would BEST demonstrate improved security capability from enhanced detection and response?
A business unit wants to roll out a new customer-facing application quickly. Security is concerned about inconsistent security requirements and late-stage rework. Which approach BEST balances speed and risk reduction?
After implementing a new data classification policy, the security manager notices low adoption and frequent misclassification by staff. Business leaders complain it adds overhead. What should the security manager do NEXT to improve effectiveness?
A security operations team detects suspicious outbound traffic from a server hosting a critical application. The incident response plan exists, but teams are unsure who can authorize taking the system offline due to revenue impact. What should be addressed FIRST to improve incident handling?
Following a ransomware incident, the organization restored systems successfully but experienced repeated reinfections due to the same underlying weaknesses. The CISO wants to ensure long-term improvement. What is the MOST appropriate next step?
Mastered the intermediate level?
Challenge yourself with advanced questions when you score above 85%
Certified Information Security Manager (CISM) Intermediate Practice Exam FAQs
CISM is a professional certification from ISACA that validates expertise in Certified Information Security Manager (CISM) technologies and concepts. The official exam code is CISM.
The CISM intermediate practice exam contains medium-difficulty questions that test your working knowledge of core concepts. These questions are similar to what you'll encounter on the actual exam.
Take the CISM intermediate practice exam after you've completed the beginner level and feel comfortable with basic concepts. This helps bridge the gap between foundational knowledge and exam-ready proficiency.
The CISM intermediate practice exam includes scenario-based questions and multi-concept problems similar to the CISM exam, helping you apply knowledge in practical situations.