CISM Self-Assessment

CISM is unique in the information security credential marketplace because it is designed specifically and exclusively for individuals who have experience managing an information security program. The CISM certification measures an individual's management experience in information security situations, not general practitioner skills. Earning the CISM designation distinguishes you as a qualified information security management professional with experience and knowledge in managing, designing and overseeing an enterprise's information security.

ISACA has prepared the CISM self-assessment to help CISM exam candidates assess their knowledge of the CISM job practice areas and determine in which information security areas they may have strengths and weaknesses. This self-assessment contains 50 sample items covering the appropriate proportion of subject matter to match the CISM exam blueprint. The items are not actual CISM exam items, but are representative of items that have appeared on the exam. Note that this self-assessment is not a substitute for the actual exam, nor does the result of the self-assessment test guarantee or indicate future individual success. For additional exam detail coverage, review each area's task and knowledge statements.

This 50 question self-assessment is one of many tools that you can use to help prepare for the CISM exam.

Tips for taking the CISM Self-assessment:

  • If you do not know the answer to a question, do not guess; instead, skip the question so as not to bias your results. Unanswered questions will be counted as missed to give you a better indication for your areas of weakness.
  • Please answer the questions in sequence.
  • After you complete the test, select "Check My Score" to receive your assessment results. Your results will consist of the percent correct in each exam content area.
  • You can retake the CISM Self-assessment as many times as you wish. However, before retaking the test, it is recommended that you review your prior results to study and learn more about the areas in which you were weakest. This process will help with obtaining a truer picture of your competency in the different subject areas.
  • After you have completed the assessment please take a moment to answer the survey questions. ISACA respects your feedback on this self-assessment.

Copyright © 2014 ISACA. All rights reserved. These questions and answers may not be used, copied, modified, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA.

1. Which of the following application systems should have the shortest recovery time objective (RTO)?

2. Which of the following would BEST ensure the success of information security governance within an organization?

3. Which of the following BEST indicates a successful risk management practice?

4. Which of the following BEST indicates the probability that a successful attack will occur?

5. The results of an organizational risk analysis should FIRST be shared with:

6. The GREATEST reduction in overhead costs for security administration would be provided by:

7. Which of the following should be developed FIRST?

8. Which of the following will BEST protect against deletion of data files by a former employee?

9. Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot site?

10. Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?

11. Risk management programs are designed to reduce risk to:

12. Access to a sensitive intranet application by mobile users can BEST be accomplished through:

13. Which of the following is MOST appropriate for inclusion in an information security strategy?

14. The PRIMARY objective of security awareness is to:

15. A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should the information security manager take?

16. Which of the following is the BEST method for ensuring that security procedures and guidelines are read and understood?

17. Which of the following is the MOST effective in preventing attacks that exploit weaknesses in operating systems?

18. Which of the following is the MOST important to ensure a successful recovery?

19. Which of the following is MOST likely to be discretionary?

20. The BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed is to:

21. Which of the following would be the MOST appropriate task for a chief information security officer to perform?

22. The BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures is to:

23. Which of the following is the MOST important element in ensuring the success of a disaster recovery test at a vendor-provided hot site?

24. Which of the following would BEST prepare an information security manager for regulatory reviews?

25. The MOST important reason for conducting the same risk assessment more than once is because:

26. Accountability by business process owners can BEST be obtained through:

27. Which of the following is the BEST indicator that security awareness training has been effective?

28. Which of the following should be mandatory for any disaster recovery test?

29. Which of the following would normally be covered in an insurance policy for computer equipment coverage? Equipment:

30. A business continuity policy document should contain which of the following?

31. Which of the following actions should be taken when an online trading company discovers a network attack in progress?

32. Which of the following should management use to determine the amount of resources to devote to mitigating exposures?

33. Which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources by pretending to be an authorized individual needing to have their password reset?

34. Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a hot site operated by a third party?

35. The MOST appropriate reporting base for the information security management function would be to report to the:

36. When residual risk is minimized:

37. Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?

38. The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to:

39. When a large organization discovers that it is the subject of a network probe, which of the following actions should be taken?

40. When a minor security flaw is found in a new system that is about to be moved into production, this should be reported to:

41. Which of the following is MOST indicative of the failure of information security governance within an organization?

42. The decision on whether new risks should fall under periodic or event-driven reporting should be based on:

43. What is the BEST way to ensure that a corporate network is adequately secured against external attack?

44. When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?

45. Acceptable risk is achieved when:

46. A risk management program should MOST importantly seek to:

47. Which of the following are seldom changed in response to technological changes?

48. The BEST way to integrate risk management into life cycle processes is through:

49. Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information?

50. A risk assessment should be conducted: