About These CISM Practice Questions
The CISM (Certified Information Security Manager) exam is unlike most technical certifications. ISACA tests your ability to think and make decisions like a senior information security manager, not recall technical specifications. Every question is framed from a governance, risk, and management perspective.
These 25 free CISM practice questions are written to mirror the difficulty and scenario-based style of the real exam. You'll encounter questions that require you to prioritize actions, evaluate risk, align security with business objectives, and respond to incidents — exactly as the CISM exam demands.
💡 How to Use This Guide
Read each question carefully and choose your answer before looking at the explanation. The CISM exam rewards deliberate, manager-level thinking. Time yourself: you have roughly 1.6 minutes per question on the real exam.
Questions are distributed across all 4 CISM domains proportionally to their exam weight. Each answer includes a detailed explanation covering the management rationale — the "why" that ISACA is actually testing.
CISM Domain Weights & Exam Format
Understanding how questions are distributed helps you allocate study time effectively. The CISM exam consists of 150 questions answered in 4 hours. A scaled score of 450 out of 800 is required to pass.
| Domain | Weight | ~Questions |
|---|---|---|
| Domain 1: Information Security Governance | 17% | ~26 |
| Domain 2: Information Security Risk Management | 20% | ~30 |
| Domain 3: Information Security Program | 33% | ~50 |
| Domain 4: Incident Management | 30% | ~45 |
⚠️ 2026 Exam Update
ISACA is updating the CISM Exam Content Outline effective November 3, 2026. If you're testing before that date, study the current domain structure. See our CISM Exam Changes 2026 guide for full details.
Domain 1: Information Security Governance (Q1–Q5)
Domain 1 tests whether you understand how to align information security with business strategy, establish governance structures, and set organizational security direction. The key mindset: security exists to enable the business, not restrict it.
- A. Deploying a comprehensive suite of technical security controls
- B. Achieving compliance with all applicable regulatory requirements
- C. Obtaining and maintaining senior management commitment and support
- D. Hiring certified security professionals to lead the program
Answer: C — Senior management commitment
Without executive sponsorship, security governance lacks authority, budget, and organizational influence. Compliance (B) is a subset of governance, not its foundation. Technical controls (A) and staff qualifications (D) are implementation details. ISACA consistently emphasizes that governance must be driven from the top down — the CISM exam will test this principle repeatedly.
- A. Understand and align with the organization's overall business strategy and objectives
- B. Conduct a comprehensive technical vulnerability assessment
- C. Benchmark security controls against industry peers
- D. Identify and implement the latest security technologies
Answer: A — Align with business strategy first
The information security strategy must be derived from and support business objectives. Starting with technical assessments (B), benchmarking (C), or technology selection (D) puts the cart before the horse. ISACA's core principle: security strategy without business alignment is security theater.
- A. Number of firewall rule changes implemented during the quarter
- B. Percentage of systems with up-to-date antivirus signatures
- C. Percentage of identified risks that have been remediated or formally accepted within policy timelines
- D. Number of security patches applied across the infrastructure
Answer: C — Risk remediation/acceptance rates
Boards care about risk management outcomes, not operational activity. Options A, B, and D are operational metrics that mean little to executives without business context. Risk treatment progress (C) directly speaks to whether the organization is managing its exposure — which is what governance is designed to accomplish.
- A. Revising the policy annually to incorporate lessons learned
- B. Reporting policy violations to law enforcement agencies
- C. Ensuring the policy is communicated, understood, and enforced throughout the organization
- D. Submitting the policy to regulatory bodies for external validation
Answer: C — Communication, understanding, and enforcement
A policy that exists on paper but is unknown or unenforced provides no protection. After board approval, implementation is the priority. Annual revision (A) is important but not the immediate next step. Regulatory submission (D) depends on jurisdiction and isn't universally required.
- A. Present a list of recent high-profile breaches at competitor organizations
- B. Detail the technical specifications of planned security tools
- C. Present the expected reduction in business risk and the potential cost of security incidents the budget would prevent
- D. Compare the organization's security spending to industry averages
Answer: C — Risk reduction and incident cost prevention
Budget justification must speak in business language: risk reduction and financial impact. Competitor breaches (A) create fear but don't quantify your specific risk. Technical specs (B) are irrelevant to executives. Industry benchmarks (D) are secondary data — they don't establish business value for your specific context.
Domain 2: Information Security Risk Management (Q6–Q11)
Domain 2 tests your ability to identify, assess, treat, and monitor information risk. ISACA expects you to understand risk quantification, treatment options, and how to communicate risk to stakeholders in business terms.
- A. Immediately escalate to the board and request emergency remediation budget
- B. Remediate the vulnerability as the highest priority, given the high likelihood
- C. Evaluate the risk based on the combination of likelihood and impact before determining treatment priority
- D. Accept the risk without further action since the business impact is low
Answer: C — Evaluate likelihood AND impact together
Risk is the product of both likelihood and impact. A high-likelihood, low-impact risk may be lower priority than a medium-likelihood, high-impact risk. Option D is premature — low impact doesn't automatically mean acceptable. Option B ignores the impact dimension entirely. Proper risk treatment decisions require complete risk scoring.
- A. Risk avoidance
- B. Risk mitigation
- C. Risk transfer
- D. Risk acceptance
Answer: C — Risk transfer
Insurance moves the financial consequences of a risk to a third party (the insurer) — this is transfer. Avoidance (A) means eliminating the activity that creates the risk. Mitigation (B) reduces the likelihood or impact through controls. Acceptance (D) acknowledges and consciously bears the risk. Know all four ISACA risk treatment options cold.
- A. Immediately remediate to eliminate the risk entirely
- B. Consider alternative risk treatments such as transfer or acceptance, since remediation cost exceeds expected loss
- C. Escalate to the board to fund the $2 million remediation
- D. Implement partial controls until full funding is available
Answer: B — Consider alternatives when cost exceeds expected loss
This is a cost-benefit analysis. Spending $2M to avoid a $200K ALE is economically irrational. (Strictly, the comparison is between the annualized cost of the control over its expected lifetime and the reduction in ALE it delivers; here the gap is large enough that the conclusion does not change.) The information security manager must recommend options that make business sense: risk transfer (insurance), risk acceptance with compensating controls, or lower-cost mitigations. ISACA expects CISMs to make financially defensible recommendations.
- A. Recovery Point Objective (RPO)
- B. Recovery Time Objective (RTO)
- C. Maximum Tolerable Downtime (MTD)
- D. Service Delivery Objective (SDO)
Answer: B — Recovery Time Objective (RTO)
RTO is the maximum acceptable time to restore a system after a disruption. RPO (A) defines how much data loss is acceptable, expressed as the maximum age of the data that must be recovered, i.e. the time between the last usable backup and the disruption. MTD (C) is the longest outage of a business process the organization can tolerate before the consequences become unacceptable; RTO must be less than or equal to MTD. SDO (D) defines the level of service that must be maintained while operating in the alternate (recovery) mode until normal operations are restored.
- A. Continue with the accepted risk posture since it was formally approved
- B. Immediately implement emergency controls without management notification
- C. Re-evaluate the risk in light of the changed threat landscape and present updated findings to management for a new treatment decision
- D. Wait until the next scheduled risk assessment cycle to re-evaluate
Answer: C — Re-evaluate and present updated findings
Risk acceptance is based on conditions at the time of the decision. A material change in the threat landscape invalidates the original acceptance. The information security manager must re-evaluate and bring the updated risk picture to management — risk owners must make a new informed decision. Acting unilaterally (B) or waiting (D) are both inappropriate.
- A. A log of all security incidents that have occurred in the past 12 months
- B. A centralized repository that tracks identified risks, their assessment, treatment decisions, owners, and current status
- C. A document that lists all regulatory compliance requirements applicable to the organization
- D. A database of known threat actor tactics, techniques, and procedures
Answer: B — Centralized risk tracking repository
The risk register is the core artifact of an information risk management program. It provides ongoing visibility into the organization's risk posture, treatment decisions, and responsible owners. It is not a historical incident log (A), a compliance checklist (C), or a threat intelligence feed (D) — though all of these may inform the risk register.
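The scoring rule in Q6 (likelihood and impact together), the cost-benefit test in Q8 and the risk register fields in Q11 are easy to state and easy to get wrong when a register is actually built, so here is a small Python risk register that applies all three. It is an added example, not code from the original page or any ISACA material. Every risk, cost and date in it is constructed for illustration, and the `annualised_cost` method amortises a one-off outlay over the control's expected lifetime, which is an assumption about how a one-time remediation cost should be compared with an annual loss expectancy.

```python
"""Minimal risk register: likelihood x impact scoring, ALE = SLE x ARO,
cost-benefit check of a proposed control, and a board-level treatment
metric. All figures are constructed for illustration (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

AS_OF = date(2024, 7, 1)  # reporting date for the sample register (assumed)


@dataclass
class Control:
    name: str
    one_time_cost: float   # capital outlay
    annual_cost: float     # recurring operating cost
    lifetime_years: int    # years over which the outlay is amortised (assumption)
    aro_after: float       # expected annual rate of occurrence once in place

    def annualised_cost(self) -> float:
        return self.one_time_cost / self.lifetime_years + self.annual_cost


@dataclass
class Risk:
    rid: str
    description: str
    owner: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    sle: float             # single loss expectancy, currency units
    aro: float             # annual rate of occurrence, events per year
    treatment: str = "open"            # open | mitigate | transfer | accept | avoid
    due: Optional[date] = None         # policy deadline for a treatment decision
    closed: Optional[date] = None      # date the treatment was completed or accepted

    def score(self) -> int:
        """Qualitative score: both dimensions, never likelihood alone (Q6)."""
        return self.likelihood * self.impact

    def ale(self) -> float:
        """Annualised loss expectancy (Q8)."""
        return self.sle * self.aro


def recommend(risk: Risk, control: Control) -> str:
    """Compare the annualised control cost with the ALE reduction it buys."""
    reduction = risk.ale() - risk.sle * control.aro_after
    if control.annualised_cost() <= reduction:
        return "mitigate"
    return "consider transfer or acceptance"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest likelihood x impact first; ALE breaks ties."""
    return sorted(register, key=lambda r: (r.score(), r.ale()), reverse=True)


def treated_within_timeline(register: List[Risk], today: date) -> float:
    """Board metric (Q3): share of risks that reached their policy deadline
    (or were closed early) and were treated or formally accepted on time."""
    due = [r for r in register
           if r.due is not None and (r.closed is not None or r.due <= today)]
    if not due:
        return 1.0
    on_time = [r for r in due if r.treatment != "open"
               and r.closed is not None and r.closed <= r.due]
    return len(on_time) / len(due)


def build_sample_register() -> List[Risk]:
    """Constructed sample data, not taken from any real organisation."""
    return [
        Risk("R-01", "Unpatched internet-facing web server", "IT Ops",
             likelihood=5, impact=2, sle=50_000, aro=2.0,
             treatment="open", due=date(2024, 5, 31)),
        Risk("R-02", "Legacy payment platform with no vendor support", "CFO",
             likelihood=3, impact=5, sle=1_000_000, aro=0.2,
             treatment="open", due=date(2024, 9, 30)),
        Risk("R-03", "Shadow IT file-sharing by marketing", "CMO",
             likelihood=3, impact=2, sle=20_000, aro=1.0,
             treatment="accept", due=date(2024, 6, 30), closed=date(2024, 6, 15)),
    ]


def sample_controls() -> dict:
    """Proposed controls for R-01 and R-02 (constructed figures)."""
    return {
        "R-01": Control("Automated patch management", 30_000, 10_000, 3, 0.05),
        "R-02": Control("Replace payment platform", 2_000_000, 0, 5, 0.02),
    }


if __name__ == "__main__":
    reg, ctrls = build_sample_register(), sample_controls()
    for r in prioritise(reg):
        line = f"{r.rid} score={r.score():>2} ALE={r.ale():>10,.0f} owner={r.owner}"
        if r.rid in ctrls:
            line += f" -> {recommend(r, ctrls[r.rid])}"
        print(line)
    print(f"treated within policy timeline: {treated_within_timeline(reg, AS_OF):.0%}")
```

Note that R-02 outranks R-01 even though R-01 is far more likely to occur, and that replacing the payment platform is rejected on cost-benefit grounds exactly as in Q8, while the cheap patching control for R-01 clears the test. The timeline metric counts R-01 as late because its deadline has passed with no decision, and excludes R-02 because its deadline has not yet arrived.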
Domain 3: Information Security Program (Q12–Q19)
Domain 3 is the largest, covering how to develop, manage, and measure an information security program. This includes designing security architectures, managing resources, building security awareness programs, and proving program effectiveness through metrics.
- A. Annual computer-based training modules for all employees
- B. Distributing written security policies and requiring employees to sign acknowledgment forms
- C. Continuous, role-based training reinforced by simulated phishing campaigns and targeted follow-up
- D. Posting security reminders on the intranet and in common areas
Answer: C — Continuous, role-based, reinforced training
Annual training (A) and passive awareness (B, D) produce compliance checkmarks, not behavioral change. Frequent, role-targeted, scenario-based reinforcement, including simulated attacks with follow-up for those who fall for them, is what produces measurable and lasting improvement in security behaviors. ISACA tests the "best practice" approach, not just "does something."
- A. Number of employees who completed the annual training module
- B. Number of security policies published and acknowledged
- C. Reduction in phishing click rates and improvement in self-reported suspicious email rates over time
- D. Percentage of budget allocated to security awareness activities
Answer: C — Behavior change metrics over time
Completion rates (A) measure activity, not effectiveness. Policy acknowledgments (B) prove exposure, not understanding. Budget allocation (D) measures input, not output. Behavioral metrics — particularly trends in simulated phishing susceptibility and proactive threat reporting — directly measure whether the program is changing the behaviors it targets.
- A. Purchase and deploy encryption solutions immediately to meet the deadline
- B. Assess the current state of encryption controls and gap against the regulatory requirement
- C. Request an extension from the regulatory body to allow adequate planning time
- D. Brief the legal department and wait for their guidance before taking action
Answer: B — Assess the current state and gap first
You cannot plan implementation without knowing where you currently stand. A gap assessment identifies what already exists, what needs to change, and the true scope of work — enabling realistic planning for the 6-month deadline. Immediately purchasing solutions (A) risks buying the wrong things. Extensions (C) may not be available and shouldn't be the first move.
- A. The controls used by peer organizations in the same industry
- B. Whether the control cost is commensurate with the risk it addresses and its operational impact
- C. The recommendations of the security technology vendor
- D. The controls mandated by the most stringent applicable compliance framework
Answer: B — Cost-effectiveness relative to risk and operational impact
Controls exist to reduce risk at an acceptable cost without unnecessarily impeding business operations. Peer benchmarking (A) ignores your specific risk profile. Vendor recommendations (C) have commercial bias. Compliance-driven selection (D) may under- or over-control actual business risk. ISACA expects risk-based, cost-justified control selection.
- A. Ensuring the acquired company's staff complete the parent organization's security awareness training
- B. Assessing the information security risks introduced by the acquired company before integration
- C. Immediately applying the parent organization's security policies to the acquired company
- D. Replacing the acquired company's security tools with standardized parent organization tools
Answer: B — Risk assessment before integration
Integrating an unknown environment without understanding its risk profile is like unlocking a door without knowing who's on the other side. The risk assessment establishes what threats, vulnerabilities, and existing controls are present — informing safe integration sequencing. Training (A) and tool standardization (D) follow risk assessment; policy imposition (C) without assessment may miss critical gaps.
- A. Include as much technical detail as possible to demonstrate program thoroughness
- B. Be based solely on quantitative data to avoid subjective interpretation
- C. Be meaningful to business objectives and indicate whether security goals are being achieved
- D. Match the KPIs reported by peer organizations for accurate benchmarking
Answer: C — Business-meaningful and goal-indicating
KPIs must answer the question executives care about: "Are we achieving our security objectives and managing our business risk?" Technical detail (A) loses executive audiences. Pure quantitative data (B) can still be meaningless without business context. Peer matching (D) ignores your specific strategy and objectives. Good KPIs connect security activity to business outcomes.
- A. A compliance violation that must be reported to regulators
- B. A concentration risk that must be identified, assessed, and managed as part of the risk program
- C. A requirement to immediately diversify to multiple cloud providers
- D. An inherent risk that cannot be mitigated and must be accepted
Answer: B — Concentration risk requiring management
Single-provider dependency is concentration risk — a legitimate and addressable information security concern. It's not inherently a compliance violation (A). Immediate diversification (C) may not be practical or necessary after proper risk assessment. And concentration risk is not automatically unmitigable (D) — contractual protections, redundancy planning, and exit strategies are all mitigation options.
- A. Immediately terminate the vendor relationship and revoke all access
- B. Invoke the organization's third-party incident response procedures to assess scope, confirm data exposure, and follow contractual notification requirements
- C. Notify affected customers before confirming the scope and nature of the breach
- D. Issue a public statement to preempt negative media coverage
Answer: B — Invoke established third-party incident response procedures
Structured response procedures exist precisely for this scenario. Premature termination (A) may destroy evidence and violate contracts. Notifying customers (C) before confirming scope risks inaccurate communication. Public statements (D) before facts are known can worsen legal and reputational outcomes. The CISM mindset: process first, then informed action.
Domain 4: Incident Management (Q20–Q25)
Domain 4 covers the full incident management lifecycle: preparation, detection, containment, eradication, recovery, and post-incident review. ISACA expects CISMs to understand how incident management integrates with business continuity and how to lead organizational response efforts.
- A. Preparation — developing plans, training teams, and establishing communication procedures before incidents occur
- B. Detection — identifying the incident as quickly as possible
- C. Containment — isolating affected systems to prevent further damage
- D. Recovery — restoring affected systems to normal operations
Answer: A — Preparation
Every subsequent phase of incident response is only as good as the preparation that precedes it. Well-prepared organizations detect faster, contain more effectively, recover more quickly, and learn more systematically. Detection (B), containment (C), and recovery (D) are all improved by thorough preparation. ISACA — and real-world security operations — consistently validate that preparation is the highest-leverage investment.
- A. The incident response team failed to contain the ransomware quickly enough
- B. The organization should negotiate with the ransomware operators to reduce recovery time
- C. A gap between recovery capabilities and business requirements that should have been identified and addressed before the incident
- D. The RTO should be revised upward to match the actual recovery capability
Answer: C — Pre-existing gap between capability and requirement
An RTO gap discovered during an incident represents a failure of planning, not incident response. Business requirements (RTO = 4 hours) and technical capabilities (recovery = 72 hours) should be reconciled during BCP/DR planning — not discovered under fire. Negotiating with attackers (B) validates the criminal business model. Revising RTO upward (D) solves the metric, not the business problem.
- A. Immediately take the system offline to prevent further damage
- B. Notify all employees to be on high alert
- C. Begin an initial assessment to determine whether an incident has actually occurred and its scope, per the incident response plan
- D. Contact law enforcement immediately
Answer: C — Initial assessment per the incident response plan
Suspicion is not confirmed compromise. Acting on a suspicion as if it were confirmed (A, D) may be premature and disruptive. Broad employee notification (B) before facts are established can cause panic and tip off an insider threat. The IR plan exists to guide structured assessment — determine what has actually occurred before escalating response actions.
- A. To assign blame and hold responsible individuals accountable for the incident
- B. To satisfy the documentation requirements of applicable regulatory frameworks
- C. To identify lessons learned, improve response capabilities, and strengthen controls to prevent recurrence
- D. To determine the financial impact of the incident for insurance claim purposes
Answer: C — Lessons learned and continuous improvement
Post-incident reviews are learning opportunities, not blame sessions. Assigning blame (A) damages psychological safety and discourages honest reporting. Regulatory documentation (B) may be an output but is not the purpose. Financial impact (D) is a separate process. The CISM-aligned purpose is systematic improvement of the security program's detection, response, and prevention capabilities.
- A. The IT department's assessment of technical recovery capabilities
- B. Regulatory requirements for business continuity documentation
- C. The business impact analysis (BIA) outcomes identifying critical processes, RTOs, and RPOs
- D. Best practice frameworks such as ISO 22301 or NIST SP 800-34
Answer: C — Business impact analysis outcomes
The BIA establishes what the business truly needs to survive and recover — which critical processes must be restored, in what order, and within what timeframes (RTO/RPO). Technical capabilities (A) must be designed to meet BIA requirements, not define them. Regulatory requirements (B) and frameworks (D) provide structure but don't determine your specific business priorities.
- A. Issue a public statement to demonstrate transparency to affected parties
- B. Contain the breach, preserve evidence, and initiate notification processes per legal and regulatory requirements
- C. Conduct a full forensic investigation before taking any other action
- D. Assess whether the affected individuals are likely to suffer harm before deciding whether to notify
Answer: B — Contain, preserve evidence, and initiate required notifications
A PII breach triggers legal obligations under regulations such as GDPR, CCPA, HIPAA, and state breach notification laws. Notification timelines are often mandatory and fixed (for example, GDPR Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of the breach). The information security manager must simultaneously contain the incident, preserve forensic evidence, and initiate legal/regulatory notification procedures. Delaying notification pending a full forensic investigation (C) or a harm assessment (D) can breach those deadlines.
Scoring Guide: How Did You Do?
Use this guide to benchmark your performance against CISM readiness. The real CISM uses a scaled score (450/800 to pass), but your percentage correct on practice questions gives a useful directional signal.
| Correct | Percentage | Readiness |
|---|---|---|
| 20–25 | 80%+ | Exam Ready |
| 15–19 | 60–79% | Needs Work |
| 0–14 | Below 60% | More Study Needed |
More important than your total score is which domains you missed questions in. If you struggled with Domain 3 (Information Security Program) — which has the highest exam weight at 33% — that's where to focus first.
✅ Benchmark Target
Aim for consistent 75%+ on domain-specific practice sets before attempting the real exam. Candidates who consistently score 80%+ on quality practice exams are well positioned to pass CISM on their first attempt.
CISM Exam Strategy: Think Like a Manager
The single most important CISM test-taking strategy is to think like a senior information security manager, not a technical practitioner. ISACA is examining your judgment, not your ability to recall technical specifications.
Key Decision Frameworks for the CISM Exam
- Business first, security second: Security exists to enable business objectives. When two answers are technically correct, choose the one that better supports business goals.
- Risk-based thinking: Always weigh likelihood AND impact. Never treat a risk based on only one dimension.
- Process before action: When facing an incident or problem, structured assessment and established procedures come before reactive action.
- Governance requires authority: Programs without senior management commitment and ownership will fail. Always choose options that establish proper accountability.
- Metrics measure outcomes, not activity: When asked about reporting or measurement, choose options that demonstrate risk reduction and business value — not operational activity counts.
What to Do When You're Stuck
When two answers seem equally correct, ask yourself:
- Which answer is more strategic (vs. tactical)?
- Which would a CISO present to the board?
- Which comes first in a logical sequence?
- Which reduces risk in a way that's defensible to stakeholders?
💡 The ISACA Manager Mindset
ISACA's preferred answer is almost never "implement technology" or "do it yourself." It's usually "assess first," "align with business," "establish process and ownership," or "communicate to stakeholders." When in doubt, choose the more governance-oriented option.
Next Steps for CISM Prep
These 25 questions give you a solid taste of the CISM exam experience, but the real exam has 150 questions across 4 hours of high-stakes decision-making. Here's how to build on this start:
1. Focus on Your Weak Domains First
Use your results above to identify which domains need the most attention. Domain 3 (Information Security Program, 33%) is the highest-weight domain and deserves the most study time. If you missed multiple questions in Domain 4 (Incident Management, 30%), that's your second priority.
2. Study from ISACA's Perspective
The CISM Review Manual and ISACA's official practice questions are the closest sources to the real exam. When studying, always ask "why does ISACA prefer this answer?" rather than memorizing facts.
3. Build Up with Full-Length Practice Exams
After domain-specific practice, simulate full 150-question exams under timed conditions. Endurance and time management matter — 1.6 minutes per question adds up over 4 hours.
4. Review Your Experience Requirements Early
Don't pass the exam and then realize you need to scramble for experience documentation. Review our CISM experience requirements guide to ensure your work history will qualify before exam day.
Also consider pairing CISM with related certifications. Our CISM vs CISSP comparison explores how these credentials complement each other for security leadership careers. If cloud security is in your scope, CCSP practice questions are also available free.
Ready to Go Deeper?
Practice with 3,500+ expert-verified CISM questions. AI-powered gap analysis tells you exactly where to focus across all 4 domains.
Start Free 7-Day Trial →