CISM Study Guide 2026
Everything you need to pass the CISM exam in one place: the exam format, every topic to study, real practice questions with explanations, flashcards, and full-length practice tests. Free, no sign-up needed.
📋 CISM Exam Format at a Glance
📚 CISM Topics to Study (21)
✍️ Sample CISM Questions & Answers
1. A CISM is conducting a risk assessment and discovers a high likelihood threat with low potential impact. This risk should be:
All risks, regardless of their individual dimensions, must be evaluated against the organization's defined risk appetite before determining the appropriate response.
2. Which of the following represents a governance control rather than a technical control?
An acceptable use policy is a governance (administrative) control that defines rules and expectations for users, rather than a technical enforcement mechanism.
3. Which BC/DR test type carries the GREATEST risk of causing unplanned downtime?
A full interruption test shuts down primary systems and fully activates recovery procedures, carrying the highest risk of real outages if the recovery environment fails.
4. How often should a Business Continuity Plan be tested at MINIMUM according to best practices?
Best practices and most frameworks require BCP testing at least annually and after any significant changes to ensure the plan remains effective and current.
5. An organization's board of directors is MOST responsible for which security governance activity?
The board of directors is responsible for setting the organization's risk appetite and providing oversight of the overall security posture.
6. Which of the following is MOST important when communicating about a security incident to external stakeholders?
External incident communications must be timely, factually accurate, and reviewed by legal counsel to manage liability and maintain stakeholder trust.