CISM Information Risk Management 2

Question 1

Which of the following BEST describes 'inherent risk' in information security?

Accepted Answer

Risk that exists before any controls are implemented

Answer

Risk remaining after controls are applied

Answer

Risk transferred to a third party via insurance

Answer

Risk associated with third-party vendors only

Question 2

What is 'residual risk' in information security risk management?

Accepted Answer

The risk that remains after controls have been applied

Answer

The original risk before any assessment is performed

Answer

The risk associated with legacy systems only

Answer

The risk transferred to cyber insurance policies

Question 3

A CISM is evaluating third-party vendors. Which risk is MOST relevant to this activity?

Accepted Answer

Supply chain and third-party risk

Answer

Reputational risk

Answer

Market risk

Answer

Liquidity risk

Question 4

Which of the following BEST describes the purpose of a Business Impact Analysis (BIA)?

Accepted Answer

To determine critical business processes and the impact of their disruption

Answer

To identify all network vulnerabilities in the organization

Answer

To calculate the cost of deploying new security technologies

Answer

To assess employee compliance with security policies

Question 5

An organization is considering purchasing cyber liability insurance. From a risk management perspective, this is an example of:

Accepted Answer

Risk transfer

Answer

Risk avoidance

Answer

Risk acceptance

Answer

Risk mitigation

Question 6

Which of the following is a KEY component of an effective risk communication strategy?

Accepted Answer

Translating risk findings into business terms for stakeholders

Answer

Using technical jargon to demonstrate expertise

Answer

Restricting risk reports to IT and security teams only

Answer

Publishing raw vulnerability data on the intranet