CISM Information Risk Management

Question 1

In the context of CISM, what is the CORRECT formula for calculating risk?

Accepted Answer

Risk = Likelihood × Impact

Answer

Risk = Threat × Asset Value

Answer

Risk = Vulnerability − Control

Answer

Risk = Threat + Vulnerability + Impact

Question 2

A CISM has identified a critical vulnerability but the cost of remediation exceeds the potential loss. The MOST appropriate risk response is:

Accepted Answer

Risk acceptance

Answer

Risk avoidance

Answer

Risk transfer

Answer

Risk mitigation

Question 3

Which of the following is MOST important when prioritizing risks for treatment?

Accepted Answer

The potential business impact and likelihood

Answer

The age of the vulnerability

Answer

The vendor's severity rating

Answer

The number of systems affected

Question 4

What is the purpose of a risk register in information security management?

Accepted Answer

To record identified risks, their assessments, and treatment decisions

Answer

To document all installed security software

Answer

To list all employees with access to sensitive systems

Answer

To track security incident response timelines

Question 5

Which risk assessment approach assigns numerical values to probability and impact to calculate risk scores?

Accepted Answer

Quantitative risk assessment

Answer

Qualitative risk assessment

Answer

Delphi technique

Answer

Scenario-based assessment

Question 6

A CISM is conducting a risk assessment and discovers a high likelihood threat with low potential impact. This risk should be:

Accepted Answer

Evaluated in the context of the organization's risk appetite

Answer

Immediately escalated to the board

Answer

Automatically mitigated regardless of cost

Answer

Transferred to a third-party insurer