Management-focused information security certification covering governance, risk, programme management and incident response for the ISACA CISM exam, with a worked explanation on every practice question.
Free sample questions
No account needed. Every question has a worked explanation, just like the full bank.
Free sample · Information Security Program · easy
A retailer is building its first data classification scheme. The information security manager must decide what should drive the sensitivity level assigned to each information asset. Which factor should primarily determine the classification level?
- A. The potential business impact if the asset's confidentiality, integrity, or availability were compromised (Correct)
- B. The storage format of the asset, such as whether it is held in a database, a spreadsheet, or a paper file
- C. The number of staff who currently request access to the asset during normal operations
- D. The age of the asset and how long it has been retained in the records management system
Information asset classification should be driven by the business impact of a loss of confidentiality, integrity, or availability. Classification expresses the worth of information to the organisation, and that worth is judged by the consequences to the business if the asset is disclosed, altered, or lost, which is why impact is the primary driver rather than format, demand, or age.
Why A is correct: Correct because classification reflects the value and sensitivity of the information, which is measured by the harm to the business if it were disclosed, altered, or made unavailable.
Why B is wrong: Tempting because storage format does affect some control choices, but format is a handling consideration that follows classification; it does not define how sensitive the information itself is.
Why C is wrong: Tempting because high demand can suggest importance, but access volume reflects operational convenience, not the inherent sensitivity that classification is meant to capture.
Why D is wrong: Tempting because retention schedules relate to data governance, but age alone does not set sensitivity; old records can be highly sensitive and new ones trivial.
Free sample · Information Security Governance · hard
Midway through the financial year, an unforeseen regulatory change forces the information security manager to fund an urgent data-protection project that was not in the approved budget. The annual security budget is already fully committed and the board has frozen requests for additional funds until the next cycle. Which action best reflects sound resource allocation in this situation?
- A. Defer the regulatory project to the next budget cycle and formally document the resulting compliance exposure as an accepted risk.
- B. Re-prioritise the existing portfolio and reallocate funds from lower-risk initiatives to the regulatory project after assessing the impact. (Correct)
- C. Reduce the scope of every active initiative by an equal percentage to free the funds the regulatory project needs.
- D. Fund the regulatory project from operational contingency without informing the board until the year-end budget review.
Under a frozen budget, sound resource allocation re-prioritises committed funds toward the highest risk based on an impact assessment. Resource management means continuously steering finite funds toward the greatest risk reduction. Reallocating from lower-risk initiatives, supported by an impact assessment, meets the regulatory obligation without breaching governance, whereas deferral accepts an avoidable breach, equal cuts ignore relative risk, and drawing contingency in secret bypasses board oversight.
Why A is wrong: Tempting because it respects the funding freeze and uses formal risk acceptance, but accepting a known regulatory breach when reallocation is possible is poor stewardship and the manager rarely has authority to accept that level of risk alone.
Why B is correct: Correct because re-prioritising within the committed budget directs scarce resources to the highest-risk obligation while a documented impact assessment keeps the deferred work visible, which is disciplined resource management under constraint.
Why C is wrong: Tempting because spreading the cut feels even-handed, but uniform reductions ignore the relative risk of each initiative and can weaken high-value controls, which is the opposite of risk-based allocation.
Why D is wrong: Tempting because contingency exists for surprises, but quietly drawing it down and bypassing governance for a material regulatory matter breaches transparency and undermines the board's oversight of the budget.
Free sample · Information Security Program · hard
A strategic outsourcing provider that runs the organisation's order-processing platform notifies the organisation that it intends to exit the market and wind down operations within six months. The board asks the information security manager what protects the organisation from a disorderly handover. Which prior arrangement is the manager most likely to rely on?
- A. The cyber insurance policy the organisation purchased to cover losses from supplier-related incidents
- B. The provider's published business continuity plan describing how it restores its own services after disruption
- C. The exit and transition clause in the contract, setting out data return, transition assistance and knowledge transfer obligations (Correct)
- D. The non-disclosure agreement that bound the provider to protect the organisation's confidential information
A contractual exit and transition clause is what protects the organisation against a disorderly handover when a strategic provider leaves the engagement. Provider exit is a foreseeable supply-chain risk, so the organisation manages it in advance through an exit and transition clause that compels data return, migration support and knowledge transfer. That clause is what keeps the service recoverable when the provider winds down; insurance, confidentiality terms and the provider's own continuity plan do not achieve this.
Why A is wrong: Tempting because insurance offsets some financial loss, but a policy pays out after harm occurs and does nothing to keep the service running or to return the organisation's data and processes in usable form during the wind-down.
Why B is wrong: Tempting because continuity planning sounds relevant, but the provider's plan covers recovering its operations, not an orderly handover to the organisation when the provider deliberately leaves the market.
Why C is correct: Correct because a negotiated exit and transition provision obliges the departing provider to return data in a usable form, support migration and transfer knowledge, which is precisely the prior arrangement that prevents a disorderly handover when a provider exits.
Why D is wrong: Tempting because confidentiality remains important during a transition, but a non-disclosure agreement only restricts disclosure of information and does not compel the provider to hand back data or assist migration, so it does not secure the handover.
Examworthy is not affiliated with or endorsed by ISACA. All questions are original, blueprint-aligned practice material. We never reproduce live exam items. CISM and related marks belong to their respective owners.