CISM Information Risk Management

Question 1

In the context of CISM, what is the CORRECT formula for calculating risk?

Accepted Answer

Risk = Likelihood × Impact

Answer

Risk is calculated as the product of the likelihood that a threat event will occur and the impact it would have on the organization.

Question 2

A CISM has identified a critical vulnerability but the cost of remediation exceeds the potential loss. The MOST appropriate risk response is:

Accepted Answer

Risk acceptance

Answer

When remediation costs exceed the potential impact, accepting the risk is the most cost-effective response, provided it falls within the organization's risk appetite.

Question 3

Which of the following is MOST important when prioritizing risks for treatment?

Accepted Answer

The potential business impact and likelihood

Answer

Risks should be prioritized based on their potential business impact and likelihood of occurrence, not just technical severity or vendor ratings.

Question 4

What is the purpose of a risk register in information security management?

Accepted Answer

To record identified risks, their assessments, and treatment decisions

Answer

A risk register is a formal document that records identified risks, their assessed likelihood and impact, treatment options chosen, and residual risk levels.

Question 5

Which risk assessment approach assigns numerical values to probability and impact to calculate risk scores?

Accepted Answer

Quantitative risk assessment

Answer

Quantitative risk assessment uses numerical values (often monetary) to calculate risk scores, enabling objective comparison and cost-benefit analysis.

CISM - Certified Information Security Manager Practice Test

CISM - Certified Information Security Manager Practice Test

CISM Information Risk Management