CISM Cheat Sheet 2026

The 30 highest-yield CISM facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

150 questions
240 min time limit
70.00% to pass
  1. Which risk assessment approach assigns numerical values to probability and impact to calculate risk scores? Quantitative risk assessment
  2. The following conditions lead to the MOST successful IT risk management activities: Integrated within business processes
  3. What is the FIRST step in developing a Business Continuity Plan? Conducting a Business Impact Analysis (BIA)
  4. What is the purpose of a risk register in information security management? To record identified risks, their assessments, and treatment decisions
  5. When reviewing BC/DR plans, the information security manager should PRIMARILY ensure that: Security controls are maintained and not bypassed during recovery operations
  6. When assigning ownership of information assets, the MOST appropriate owner is typically: The business unit manager responsible for the asset
  7. Who holds ULTIMATE responsibility for ensuring that business continuity planning is adequate and funded? Senior management or the board of directors
  8. A risk assessment reveals that a control is more expensive than the risk it mitigates. A CISM should RECOMMEND: Accepting the risk if it falls within the risk appetite
  9. A CISM is developing a security governance framework. Which document should serve as the TOP-LEVEL foundation? Information security policy
  10. What is the FIRST step in the incident response lifecycle according to best practices? Preparation
  11. The Federal Information Security Modernization Act (FISMA) PRIMARILY applies to: US federal agencies and contractors that handle federal information
  12. Which of the following BEST describes the concept of 'privacy by design' in a compliance context? Embedding privacy protections into systems and processes from the beginning of development
  13. Which of the following BEST describes the role of a CISM during a major security incident? Providing strategic oversight, coordination, and communication
  14. A CISM discovers that business units are making risk decisions without consulting the security team. The BEST corrective action is to: Implement mandatory security reviews into the project management process
  15. A CISM is implementing a security control framework. Which of the following is MOST important when selecting a framework? It should align with the organization's risk profile and industry requirements
  16. A CISM is presenting a security governance roadmap to the CEO. The presentation should PRIMARILY focus on: Security risk in terms of business impact and strategic alignment
  17. A CISM is establishing data classification as part of the security program. The PRIMARY benefit is to: Ensure appropriate controls are applied based on data sensitivity
  18. An organization wants to ensure its security governance program remains effective over time. The BEST mechanism is: Continuous monitoring and periodic program reviews
  19. An organization's board of directors is MOST responsible for which security governance activity? Setting risk appetite and oversight
  20. After an incident is resolved, which activity is MOST important to improve future response? Conducting a post-incident review (lessons learned)
  21. Which of the following is a KEY component of an effective risk communication strategy? Translating risk findings into business terms for stakeholders
  22. Which of the following is the BEST technique to catch an intruder who breaks into a network without doing any damage? Install a honeypot on the network
  23. Unusual server communication between internal and external parties may be observed to: Record the trace of advanced persistent threats
  24. Which of the following is a KEY responsibility of a CISM when managing the security program lifecycle? Ensuring the program evolves in response to changing business and threat conditions
  25. Which BC/DR test type carries the GREATEST risk of causing unplanned downtime? Full interruption test
  26. A CISM wants to ensure that information security governance is integrated into organizational decision-making. The BEST approach is to: Establish a security steering committee with cross-functional representation
  27. Under the Sarbanes-Oxley Act (SOX), which of the following is a KEY information security requirement? Internal controls over financial reporting, including IT general controls
  28. A CISM is developing a compliance program. The FIRST step should be to: Identify all applicable laws, regulations, and contractual obligations
  29. Which of the following is MOST important when prioritizing risks for treatment? The potential business impact and likelihood
  30. Which of the following represents a governance control rather than a technical control? Acceptable use policy
Turn these facts into recall: