CISM Cheat Sheet 2026
The 30 highest-yield CISM facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
150 questions
240 min time limit
70.00% to pass
- Which risk assessment approach assigns numerical values to probability and impact to calculate risk scores? → Quantitative risk assessment
- The following conditions lead to the MOST successful IT risk management activities: → Integrated within business processes
- What is the FIRST step in developing a Business Continuity Plan? → Conducting a Business Impact Analysis (BIA)
- What is the purpose of a risk register in information security management? → To record identified risks, their assessments, and treatment decisions
- When reviewing BC/DR plans, the information security manager should PRIMARILY ensure that: → Security controls are maintained and not bypassed during recovery operations
- When assigning ownership of information assets, the MOST appropriate owner is typically: → The business unit manager responsible for the asset
- Who holds ULTIMATE responsibility for ensuring that business continuity planning is adequate and funded? → Senior management or the board of directors
- A risk assessment reveals that a control is more expensive than the risk it mitigates. A CISM should RECOMMEND: → Accepting the risk if it falls within the risk appetite
- A CISM is developing a security governance framework. Which document should serve as the TOP-LEVEL foundation? → Information security policy
- What is the FIRST step in the incident response lifecycle according to best practices? → Preparation
- The Federal Information Security Modernization Act (FISMA) PRIMARILY applies to: → US federal agencies and contractors that handle federal information
- Which of the following BEST describes the concept of 'privacy by design' in a compliance context? → Embedding privacy protections into systems and processes from the beginning of development
- Which of the following BEST describes the role of a CISM during a major security incident? → Providing strategic oversight, coordination, and communication
- A CISM discovers that business units are making risk decisions without consulting the security team. The BEST corrective action is to: → Implement mandatory security reviews into the project management process
- A CISM is implementing a security control framework. Which of the following is MOST important when selecting a framework? → It should align with the organization's risk profile and industry requirements
- A CISM is presenting a security governance roadmap to the CEO. The presentation should PRIMARILY focus on: → Security risk in terms of business impact and strategic alignment
- A CISM is establishing data classification as part of the security program. The PRIMARY benefit is to: → Ensure appropriate controls are applied based on data sensitivity
- An organization wants to ensure its security governance program remains effective over time. The BEST mechanism is: → Continuous monitoring and periodic program reviews
- An organization's board of directors is MOST responsible for which security governance activity? → Setting risk appetite and oversight
- After an incident is resolved, which activity is MOST important to improve future response? → Conducting a post-incident review (lessons learned)
- Which of the following is a KEY component of an effective risk communication strategy? → Translating risk findings into business terms for stakeholders
- Which of the following is the BEST technique to catch an intruder who breaks into a network without doing any damage? → Install a honeypot on the network
- Unusual server communication between internal and external parties may be observed to: → Record the trace of advanced persistent threats
- Which of the following is a KEY responsibility of a CISM when managing the security program lifecycle? → Ensuring the program evolves in response to changing business and threat conditions
- Which BC/DR test type carries the GREATEST risk of causing unplanned downtime? → Full interruption test
- A CISM wants to ensure that information security governance is integrated into organizational decision-making. The BEST approach is to: → Establish a security steering committee with cross-functional representation
- Under the Sarbanes-Oxley Act (SOX), which of the following is a KEY information security requirement? → Internal controls over financial reporting, including IT general controls
- A CISM is developing a compliance program. The FIRST step should be to: → Identify all applicable laws, regulations, and contractual obligations
- Which of the following is MOST important when prioritizing risks for treatment? → The potential business impact and likelihood
- Which of the following represents a governance control rather than a technical control? → Acceptable use policy
Turn these facts into recall: