CISM Information Risk Management 2

Question 1

Which of the following BEST describes 'inherent risk' in information security?

Accepted Answer

Risk that exists before any controls are implemented

Answer

Inherent risk is the level of risk that exists naturally before any controls or mitigations are put in place.

Question 2

What is 'residual risk' in information security risk management?

Accepted Answer

The risk that remains after controls have been applied

Answer

Residual risk is the amount of risk that remains after security controls have been implemented to reduce or manage the inherent risk.

Question 3

A CISM is evaluating third-party vendors. Which risk is MOST relevant to this activity?

Accepted Answer

Supply chain and third-party risk

Answer

Third-party vendors introduce supply chain and vendor risk, where weaknesses in vendor security posture can compromise the organization's own security.

Question 4

Which of the following BEST describes the purpose of a Business Impact Analysis (BIA)?

Accepted Answer

To determine critical business processes and the impact of their disruption

Answer

A BIA identifies critical business processes, their dependencies, and the potential impact of disruption, which informs risk prioritization and continuity planning.

Question 5

An organization is considering purchasing cyber liability insurance. From a risk management perspective, this is an example of:

Accepted Answer

Risk transfer

Answer

Purchasing cyber liability insurance transfers the financial consequences of a security event to a third-party insurer.

CISM - Certified Information Security Manager Practice Test

CISM - Certified Information Security Manager Practice Test

CISM Information Risk Management 2