How Does Actualtests Isaca CISM testing engine Work?

Want to know Testking CISM Exam practice test features? Want to lear more about Isaca Certified Information Security Manager certification experience? Study Validated Isaca CISM answers to Renovate CISM questions at Testking. Gat a success with an absolute guarantee to pass Isaca CISM (Certified Information Security Manager) test on your first attempt.


Free VCE & PDF File for Isaca CISM Real Exam
(Full Version!)

Pass on Your First TRY 100% Money Back Guarantee Realistic Practice Exam Questions

Free Instant Download NEW CISM Exam Dumps (PDF & VCE):
Available on:

Q51. During which phase of development is it MOST appropriate to begin assessing the risk of a new application system? 

A. Feasibility 

B. Design 

C. Development 

D. Testing 



Risk should be addressed as early in the development of a new application system as possible. In some cases, identified risks could be mitigated through design changes. If needed changes are not identified until design has already commenced, such changes become more expensive. For this reason, beginning risk assessment during the design, development or testing phases is not the best solution. 

Q52. An information security program should be sponsored by: 

A. infrastructure management. 

B. the corporate audit department. 

C. key business process owners. 

D. information security management. 



The information security program should ideally be sponsored by business managers, as represented by key business process owners. Infrastructure management is not sufficiently independent and lacks the necessary knowledge regarding specific business requirements. A corporate audit department is not in as good a position to fully understand how an information security program needs to meet the needs of the business. Audit independence and objectivity will be lost, impeding traditional audit functions. Information security implements and executes the program. Although it should promote it at all levels, it cannot sponsor the effort due to insufficient operational knowledge and lack of proper authority. 

Q53. An information security manager must understand the relationship between information security and business operations in order to: 

A. support organizational objectives. 

B. determine likely areas of noncompliance. 

C. assess the possible impacts of compromise. 

D. understand the threats to the business. 



Security exists to provide a level of predictability for operations, support for the activities of the organization and to ensure preservation of the organization. Business operations must be the driver for security activities in order to set meaningful objectives, determine and manage the risks to those activities, and provide a basis to measure the effectiveness of and provide guidance to the security program. Regulatory compliance may or may not be an organizational requirement. If compliance is a requirement, some level of compliance must be supported but compliance is only one aspect. It is necessary to understand the business goals in order to assess potential impacts and evaluate threats. These are some of the ways in which security supports organizational objectives, but they are not the only ways. 

Q54. The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for: 

A. determining the scope for inclusion in an information security program. 

B. defining the level of access controls. 

C. justifying costs for information resources. 

D. determining the overall budget of an information security program. 



The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place. The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program and has only an indirect bearing on the costs to be incurred. The assignment of sensitivity and criticality contributes to, but does not decide, the overall budget of the information security program. 

Q55. The service level agreement (SLA) for an outsourced IT function does not reflect an 

adequate level of protection. In this situation an information security manager should: 

A. ensure the provider is made liable for losses. 

B. recommend not renewing the contract upon expiration. 

C. recommend the immediate termination of the contract. 

D. determine the current level of security. 



It is important to ensure that adequate levels of protection are written into service level agreements (SLAs) and other outsourcing contracts. Information must be obtained from providers to determine how that outsource provider is securing information assets prior to making any recommendation or taking any action in order to support management decision making. Choice A is not acceptable in most situations and therefore not a good answer. 

Q56. Information security should be: 

A. focused on eliminating all risks. 

B. a balance between technical and business requirements. 

C. driven by regulatory requirements. 

D. defined by the board of directors. 



Information security should ensure that business objectives are met given available technical capabilities, resource constraints and compliance requirements. It is not practical or feasible to eliminate all risks. Regulatory requirements must be considered, but are inputs to the business considerations. The board of directors does not define information security, but provides direction in support of the business goals and objectives. 

Q57. When developing an information security program, what is the MOST useful source of information for determining available resources? 

A. Proficiency test 

B. Job descriptions 

C. Organization chart 

D. Skills inventory 



A skills inventory would help identify- the available resources, any gaps and the training requirements for developing resources. Proficiency testing is useful but only with regard to specific technical skills. Job descriptions would not be as useful since they may be out of date or not sufficiently detailed. An organization chart would not provide the details necessary to determine the resources required for this activity. 

Q58. A security manager meeting the requirements for the international flow of personal data will need to ensure: 

A. a data processing agreement. 

B. a data protection registration. 

C. the agreement of the data subjects. 

D. subject access procedures. 



Whenever personal data are transferred across national boundaries, the awareness and agreement of the data subjects are required. Choices A, B and D are supplementary data protection requirements that are not key for international data transfer. 

Q59. Which of the following is MOST important to understand when developing a meaningful information security strategy? 

A. Regulatory environment 

B. International security standards 

C. Organizational risks 

D. Organizational goals 



Alignment of security with business objectives requires an understanding of what an organization is trying to accomplish. The other choices are all elements that must be considered, but their importance is secondary and will vary depending on organizational goals. 

Q60. An outcome of effective security governance is: 

A. business dependency assessment 

B. strategic alignment. 

C. risk assessment. 

D. planning. 



Business dependency assessment is a process of determining the dependency of a business on certain information resources. It is not an outcome or a product of effective security management. Strategic alignment is an outcome of effective security governance. Where there is good governance, there is likely to be strategic alignment. Risk assessment is not an outcome of effective security governance; it is a process. Planning comes at the beginning of effective security governance, and is not an outcome but a process.