
ISACA CISM: Free Certified Information Security Manager practice test

10 real ISACA CISM practice questions with instant answers and explanations — no account, no credit card, no email. Score yourself, then unlock the full bank of 869 questions whenever you’re ready. The ISACA CISM passing score is 450 / 800.


Answer key

All 10 ISACA CISM questions & answers

Prefer to just read the answers and explanations? Here’s the full key for this free ISACA CISM test.

Q1. A CISO is reviewing foundational security principles while building out the organization's security program. Which of the following practices is LEAST consistent with proper information security design?

Correct answer: C. Classifying assets according to their monetary value or purchase price

Asset classification is based on sensitivity and importance to the organization — not on cost or acquisition price. For example, classified government data is tiered by the damage its exposure would cause, not by what the hardware storing it costs. Improper classification can expose the organization to liability. Aligning controls to business requirements ensures both regulatory compliance and cost efficiency. Identifying information resources helps staff recognize emerging threats.

Q2. Conducting a gap analysis is a key step when building an information security program. Within the organizational hierarchy, who holds accountability for ensuring this analysis is completed?

Correct answer: B. Chief Information Security Officer (CISO)

The CISO is accountable for the gap analysis — accountability cannot be delegated. The CEO is not directly involved in this activity. The information security manager and business process owner may carry out the work (they hold responsibility), but accountability rests with the CISO.

Q3. An organization's information security program is experiencing consistently low compliance rates. Which of the following is the MOST probable root cause?

Correct answer: C. Senior leadership has not demonstrated commitment to security

Senior management is responsible for policy administration and enforcement. When leadership does not model commitment to the security program, that attitude propagates through the organization and compliance suffers. A regulatory knowledge gap would affect legal compliance broadly, not just the internal program. If a procedure does not exist, there is nothing to be non-compliant with. An auditor's misunderstanding would more likely affect gap findings than day-to-day employee compliance.

Q4. During a discussion about security investment, a manager explains why the strongest available controls are not always deployed. Which statement BEST captures this reasoning?

Correct answer: C. Organizations must balance maximizing revenue while keeping risk at acceptable levels simultaneously.

Deploying the strongest possible controls is not always practical because organizations must weigh security investment against operational cost and customer impact. The goal is to achieve acceptable risk levels at reasonable expense. Risk ignored in favor of profit can result in losses — regulatory fines, breaches, or litigation — far exceeding the savings. Treating security as a marketing term or a pure cost center is a flawed perspective that can expose a business to serious consequences.

Q5. Within the security governance hierarchy, a policy should be:

Correct answer: A. Directly traceable to strategic objectives

Policies must trace back to the organizational strategy; otherwise either the strategy is incomplete or the policy is misaligned. Procedures support policies — not the other way around. Guidelines help clarify policy intent but do not need to capture the entire strategy. Laws influence strategy, and strategy shapes policy, so legal requirements flow through indirectly rather than being reflected directly in policy.

Q6. An organization needs to produce a long-term security strategy and an accompanying road map. Who is accountable for delivering these artifacts?

Correct answer: A. Chief Information Security Officer (CISO)

The CISO holds accountability for the security strategic plan and road map. The CEO and information security manager would be consulted during development. The Board of Directors would be informed of the outcomes but would not be involved in creating them.

Q7. In a well-structured security governance model, which group is MOST LIKELY accountable for defining enterprise-level goals and objectives?

Correct answer: A. Executive committee

Per the ISACA RACI framework, the executive committee holds accountability for defining enterprise goals and objectives — accountability cannot be delegated. The I&T governance board is typically assigned responsibility for carrying out this work. The enterprise risk committee is consulted to ensure risk considerations inform the goals. Employees are informed of the resulting goals but have no role in their creation.

Q8. Which term describes a measurement that shows how effectively the critical success factors are performing toward achieving a defined objective?

Correct answer: C. Key Performance Indicator (KPI)

Key Performance Indicators (KPIs) measure how well the critical factors needed to reach a specific objective are performing. KGIs represent the objectives themselves. KRIs signal when a risk is approaching or exceeding a defined threshold. 'Key metric' is too broad to be a precise answer, though KPIs and KGIs are both types of metrics that security programs should track.

Q9. When building an information security framework, the CISO is assigned to communicate the IS strategy and direction to stakeholders. In RACI terms, what role does the CISO hold in this activity?

Correct answer: C. Responsible

Both the CISO and CEO carry responsibility for communicating IT strategy. The CIO is typically accountable for the overall IT strategy direction. The information security manager, business process owners, and Board of Directors are informed of the strategy — they receive the communication but do not produce or deliver it.

Q10. An information security program is BEST established when it flows from:

Correct answer: B. Senior management downward through the organization

A security program requires endorsement and direction from the Board of Directors and senior management, cascading down through every level of the organization. Without this top-down support, the program lacks the authority, budget, staffing, and organizational will needed to protect the business effectively. Bottom-up approaches lack the executive mandate necessary to drive meaningful adoption.

Exam facts and objectives sourced from the official ISACA certification page. Last reviewed June 2026.
