CISM Past Paper PDF

Summary

This document contains a set of questions and answers related to information security. It covers topics such as post-incident reviews, incident response testing, and continuous monitoring of security controls.

Full Transcript

IT Certification Guaranteed, The Easy Way!

NO.1 An organization's information security manager is performing a post-incident review of a
security incident in which the following events occurred:
* A bad actor broke into a business-critical FTP server by brute forcing an administrative password
* The third-party service provider hosting the server sent an automated alert message to the help
desk, but was ignored
* The bad actor could not access the administrator console, but was exposed to encrypted data
transferred to the server
* After three hours, the bad actor deleted the FTP directory, causing incoming FTP attempts by
legitimate customers to fail Which of the following could have been prevented by conducting regular
incident response testing?
A. Ignored alert messages
B. The server being compromised
C. The brute force attack
D. Stolen data
Answer: A
Explanation:
Ignored alert messages could have been prevented by conducting regular incident response testing
because it would have ensured that the help desk staff are familiar with and trained on how to
handle different types of alert messages from different sources, and how to escalate them
appropriately. The server being compromised could not have been prevented by conducting regular
incident response testing because it is related to security vulnerabilities or weaknesses in the server
configuration or authentication mechanisms. The brute force attack could not have been prevented
by conducting regular incident response testing because it is related to security threats or attacks
from external sources. Stolen data could not have been prevented by conducting regular incident
response testing because it is related to security breaches or incidents that may occur despite the
incident response plan or process. Reference: https:/ /www.isaca.org/resources/isacajournal/issues/2017/volume-5/incident-response-lessons-learned
https:/ /www.isaca.org/resources/isaca-journal/issues/2018/volume-3/incident-response-lessonslearned

NO.2 An information security manager is reporting on open items from the risk register to senior
management. Which of the following is MOST important to communicate with regard to these risks?
A. Responsible entities
B. Key risk indicators (KRIS)
C. Compensating controls
D. Potential business impact
Answer: D

NO.3 The PRIMARY purpose for continuous monitoring of security controls is to ensure:
A. control gaps are minimized.
B. system availability.
C. effectiveness of controls.
D. alignment with compliance requirements.
Answer: C
2

IT Certification Guaranteed, The Easy Way!

Explanation:
The primary purpose for continuous monitoring of security controls is to ensure the effectiveness of
controls. This involves regularly assessing the controls to ensure that they are meeting their intended
objectives, and that any potential weaknesses are identified and addressed. Continuous monitoring
also helps to ensure that control gaps are minimized, and that systems are available and aligned with
compliance requirements.

NO.4 How does an incident response team BEST leverage the results of a business impact analysis
(BIA)?
A. Assigning restoration priority during incidents
B. Determining total cost of ownership (TCO)
C. Evaluating vendors critical to business recovery
D. Calculating residual risk after the incident recovery phase
Answer: A

NO.5 Following a risk assessment, an organization has made the decision to adopt a bring your own
device (BYOD) strategy. What should the information security manager do NEXT?
A. Develop a personal device policy
B. Implement a mobile device management (MDM) solution
C. Develop training specific to BYOD awareness
D. Define control requirements
Answer: D
Explanation:
Defining control requirements is the next step to ensure the security policy framework encompasses
the new business model because it is a process of identifying and specifying the security measures
and standards that are needed to protect the data and applications accessed by the BYOD devices.
Defining control requirements helps to establish the baseline security level and expectations for the
BYOD strategy, as well as to align them with the business objectives and risks. Therefore, defining
control requirements is the correct answer.
Reference:
https:/ /www.digitalguardian.com/blog/ultimate-guide-byod-security-overcoming-challengescreating-effective-policies-and-mitigating
https:/ /learn.microsoft.com/en-us/mem/intune/fundamentals/byod-technology-decisions

NO.6 To help ensure that an information security training program is MOST effective its contents
should be
A. focused on information security policy.
B. aligned to business processes
C. based on employees' roles
D. based on recent incidents
Answer: C
Explanation:
"An information security training program should be tailored to the specific roles and responsibilities
of employees. This will help them understand how their actions affect information security and what
they need to do to protect it. A generic training program that is focused on policy, business processes
3

IT Certification Guaranteed, The Easy Way!

or recent incidents may not be relevant or effective for all employees."

NO.7 Which of the following processes BEST supports the evaluation of incident response
effectiveness?
A. Root cause analysis
B. Post-incident review
C. Chain of custody
D. Incident logging
Answer: B

NO.8 Which of the following is the BEST option to lower the cost to implement application security
controls?
A. Perform security tests in the development environment.
B. Integrate security activities within the development process
C. Perform a risk analysis after project completion.
D. Include standard application security requirements
Answer: B
Explanation:
Integrating security activities within the development process is the best option to lower the cost to
implement application security controls because it ensures that security is considered and addressed
throughout the software development life cycle (SDLC), from design to deployment, and reduces the
likelihood and impact of security flaws or vulnerabilities that may require costly fixes or patches later
on. Performing security tests in the development environment is not the best option because it may
not detect or prevent all security issues that may arise in different environments or scenarios.
Performing a risk analysis after project completion is not a good option because it may be too late to
identify or mitigate security risks that may have been introduced during the project. Including
standard application security requirements is not a good option because it may not account for
specific or unique security needs or challenges of different applications or projects. Reference:
https:/ /www.isaca.org/resources/isaca-journal/issues/2017/volume-2/secure-softwaredevelopment-lifecycle https:/ /www.isaca.org/resources/isaca-journal/issues/2016/volume4/technical-security-standards-for-information-systems

NO.9 Which of the following is the PRIMARY responsibility of an information security manager in an
organization that is implementing the use of company-owned mobile devices in its operations?
A. Require remote wipe capabilities for devices.
B. Conduct security awareness training.
C. Review and update existing security policies.
D. Enforce passwords and data encryption on the devices.
Answer: C
Explanation:
The primary responsibility of an information security manager in an organization that is implementing
the use of company-owned mobile devices in its operations is to review and update existing security
policies. Security policies are the foundation of an organi-zation's security program, as they define
the goals, objectives, principles, roles, respon-sibilities, and requirements for protecting information
and systems. Security policies should be reviewed and updated regularly to reflect changes in the
4

IT Certification Guaranteed, The Easy Way!

organization's envi-ronment, needs, risks, and technologies1. Implementing the use of companyowned mobile devices in its operations is a significant change that may introduce new threats and
vulnerabilities, as well as new opportunities and benefits, for the organiza-tion. Therefore, the
information security manager should review and update existing security policies to address the
following aspects2:
* The scope, purpose, and ownership of company-owned mobile devices
* The acceptable and unacceptable use of company-owned mobile devices
* The security standards and best practices for company-owned mobile devices
* The roles and responsibilities of users, managers, IT staff, and vendors regarding compa-ny-owned
mobile devices
* The procedures for provisioning, managing, monitoring, and decommissioning company-owned
mobile devices
* The incident response and reporting process for company-owned mobile devices By reviewing and
updating existing security policies, the information security manager can ensure that the
organization's security program is aligned with its business objec-tives and risk appetite, as well as
compliant with applicable laws and regulations. The other options are not the primary responsibility
of an information security manager in an organization that is implementing the use of companyowned mobile devices in its operations. They are possible actions or controls that may be derived
from or support-ed by the updated security policies. Requiring remote wipe capabilities for devices is
a technical control that can help prevent data loss or theft in case of device loss or com-promise3.
Conducting security awareness training is an administrative control that can help educate users about
the security risks and responsibilities associated with using company-owned mobile devices.
Enforcing passwords and data encryption on the de-vices is a technical control that can help protect
data confidentiality and integrity on company-owned mobile devices. Reference: 1: Information
Security Policy - NIST 2: Mobile Device Security Policy - SANS 3: Remote Wipe: What It Is & How I
t Works - Lifewire : Security Awareness Training - NIST : Mobile Device Encryption - NIST

NO.10 Which of the following metrics BEST measures the effectiveness of an organization's
information security program?
A. Increase in risk assessments completed
B. Reduction in information security incidents
C. Return on information security investment
D. Number of information security business cases developed
Answer: C

NO.11 To overcome the perception that security is a hindrance to business activities, it is important
for an information security manager to:
A. rely on senior management to enforce security.
B. promote the relevance and contribution of security.
C. focus on compliance.
D. reiterate the necessity of security.
Answer: B
Explanation:
To overcome the perception that security is a hindrance to business activities, it is important for an
information security manager to promote the relevance and contribution of security. By
5

IT Certification Guaranteed, The Easy Way!

demonstrating the value that security brings to the organization, including protecting assets and
supporting business objectives, the information security manager can help to change the perception
of security from a hindrance to a critical component of business success.
Relying on senior management to enforce security, focusing on compliance, and reiterating the
necessity of security are all important elements of a comprehensive security program, but they do
not directly address the perception that security is a hindrance to business activities. By promoting
the relevance and contribution of security, the information security manager can help to align
security with the overall goals and objectives of the organization, and foster a culture that values and
supports security initiatives.

NO.12 Which of the following is MOST helpful for protecting an enterprise from advanced persistent
threats (APTs)?
A. Updated security policies
B. Defined security standards
C. Threat intelligence
D. Regular antivirus updates
Answer: B

NO.13 When choosing the best controls to mitigate risk to acceptable levels, the information
security manager's decision should be MAINLY driven by:
A. best practices.
B. control framework
C. regulatory requirements.
D. cost-benefit analysis,
Answer: C

NO.14 Which of the following BEST determines the allocation of resources during a security incident
response?
A. Senior management commitment
B. A business continuity plan (BCP)
C. An established escalation process
D. Defined levels of severity
Answer: D
Explanation:
Defined levels of severity is the best determinant of the allocation of resources during a security
incident response. Having defined levels of severity allows organizations to plan for and allocate
resources for each level of incident, depending on the severity of the incident. This ensures that the
right resources are allocated in a timely manner and that incidents are addressed appropriately.

NO.15 Which of the following should an information security manager do FIRST when creating an
organization's disaster recovery plan (DRP)?
A. Conduct a business impact analysis (BIA)
B. Identify the response and recovery learns.
C. Review the communications plan.
6

IT Certification Guaranteed, The Easy Way!

D. Develop response and recovery strategies.
Answer: A
Explanation:
Conducting a business impact analysis (BIA) is the first step when creating an organization's disaster
recovery plan (DRP) because it helps to identify and prioritize the critical business functions or
processes that need to be restored after a disruption, and determine their recovery time objectives
(RTOs) and recovery point objectives (RPOs)2. Identifying the response and recovery teams is not the
first step, but rather a subsequent step that involves assigning roles and responsibilities for executing
the DRP. Reviewing the communications plan is not the first step, but rather a subsequent step that
involves defining the communication channels and protocols for notifying and updating the
stakeholders during and after a disruption. Developing response and recovery strategies is not the
first step, but rather a subsequent step that involves selecting and implementing the appropriate
solutions and procedures for restoring the critical business functions or processes. Reference: 2
https:/ /www.isaca.org/resources/isaca-journal/issues/2018/volume-3/business-impact-analysis-biaand-disaster-recovery-planning-drp

NO.16 Which of the following is the FIRST step to establishing an effective information security
program?
A. Conduct a compliance review.
B. Assign accountability.
C. Perform a business impact analysis (BIA).
D. Create a business case.
Answer: D

NO.17 Which of the following would BEST justify continued investment in an information security
program?
A. Reduction in residual risk
B. Security framework alignment
C. Speed of implementation
D. Industry peer benchmarking
Answer: A
Explanation:
Residual risk is the remaining risk after all security controls have been implemented. It is important to
measure the residual risk of an organization in order to determine the effectiveness of the security
program and to justify continued investment in the program. A reduction in residual risk is an
indication that the security program is effective and that continued investment is warranted.

NO.18 Which of the following has the GREATEST influence on an organization's information security
strategy?
A. The organization's risk tolerance
B. The organizational structure
C. Industry security standards
D. Information security awareness
Answer: A

7

IT Certification Guaranteed, The Easy Way!

Explanation:
An organization's information security strategy should be aligned with its risk tolerance, which is the
level of risk that an organization is willing to accept in pursuit of its objectives. The strategy should
aim to balance the cost of security controls with the potential impact of security incidents on the
organization's objectives. Therefore, an organization's risk tolerance has the greatest influence on its
information security strategy.
The organization's risk tolerance has the greatest influence on its information security strategy
because it determines how much risk the organization is willing to accept and how much resources it
will allocate to mitigate or transfer risk. The organizational structure, industry security standards, and
information security awareness are important factors that affect the implementation and
effectiveness of an information security strategy but not as much as the organization's risk tolerance.
An information security strategy is a high-level plan that defines how an organization will achieve its
information security objectives and address its information security risks. An information security
strategy should align with the organization's business strategy and reflect its mission, vision, values,
and culture. An information security strategy should also consider the external and internal factors
that influence the organization's information security environment such as laws, regulations,
competitors, customers, suppliers, partners, stakeholders, employees etc.

NO.19 Which of the following would be the MOST effective way to present quarterly reports to the
board on the status of the information security program?
A. A capability and maturity assessment
B. Detailed analysis of security program KPIs
C. An information security dashboard
D. An information security risk register
Answer: C
Explanation:
An information security dashboard is an effective way to present quarterly reports to the board on
the status of the information security program. It allows the board to quickly view key metrics and
trends at a glance and to drill down into more detailed information as needed. The dashboard should
include metrics such as total incidents, patching compliance, vulnerability scanning results, and more.
It should also include high-level overviews of the security program and its components, such as the
security policy, security architecture, and security controls.

NO.20 An anomaly-based intrusion detection system (IDS) operates by gathering data on:
A. normal network behavior and using it as a baseline lor measuring abnormal activity
B. abnormal network behavior and issuing instructions to the firewall to drop rogue connections
C. abnormal network behavior and using it as a baseline for measuring normal activity
D. attack pattern signatures from historical data
Answer: A
Explanation:
An anomaly-based intrusion detection system (IDS) operates by gathering data on normal network
behavior and using it as a baseline for measuring abnormal activity. This is important because it
allows the IDS to detect any activity that is outside of the normal range of usage for the network,
which can help to identify potential malicious activity or security threats. Additionally, the IDS will
monitor for any changes in the baseline behavior and alert the administrator if any irregularities are
8

IT Certification Guaranteed, The Easy Way!

detected. By contrast, signature-based IDSs operate by gathering attack pattern signatures from
historical data and comparing them against incoming traffic in order to identify malicious activity.

NO.21 If civil litigation is a goal for an organizational response to a security incident, the PRIMARY
step should be to:
A. contact law enforcement.
B. document the chain of custody.
C. capture evidence using standard server-backup utilities.
D. reboot affected machines in a secure area to search for evidence.
Answer: B

NO.22 Which of the following is MOST effective in monitoring an organization's existing risk?
A. Periodic updates to risk register
B. Risk management dashboards
C. Security information and event management (SIEM) systems
D. Vulnerability assessment results
Answer: B
NO.23 What is the BEST way to reduce the impact of a successful ransomware attack?
A. Perform frequent backups and store them offline.
B. Purchase or renew cyber insurance policies.
C. Include provisions to pay ransoms ih the information security budget.
D. Monitor the network and provide alerts on intrusions.
Answer: A
NO.24 Which of the following BEST facilitates an information security manager's efforts to obtain
senior management commitment for an information security program?
A. Presenting evidence of inherent risk
B. Reporting the security maturity level
C. Presenting compliance requirements
D. Communicating the residual risk
Answer: C

NO.25 Which of the following is the MOST important reason to conduct interviews as part of the
business impact analysis (BIA) process?
A. To facilitate a qualitative risk assessment following the BIA
B. To increase awareness of information security among key stakeholders
C. To ensure the stakeholders providing input own the related risk
D. To obtain input from as many relevant stakeholders as possible
Answer: C

NO.26 Which of the following would BEST enable the timely execution of an incident response plan?
A. The introduction of a decision support tool
9

IT Certification Guaranteed, The Easy Way!

B. Definition of trigger events
C. Clearly defined data classification process
D. Centralized service desk
Answer: B
Explanation:
Definition of trigger events is the best way to enable the timely execution of an incident response
plan because it helps to specify the conditions or criteria that initiate the incident response process.
Trigger events are predefined scenarios or indicators that signal the occurrence or potential
occurrence of a security incident, such as a ransomware attack, a data breach, a denial-of-service
attack, or an unauthorized access attempt. Definition of trigger events helps to ensure that the
incident response team is alerted and activated as soon as possible, as well as to determine the
appropriate level and scope of response based on the severity and impact of the incident. Therefore,
definition of trigger events is the correct answer.
Reference:
https:/ /www.atlassian.com/incident-management/kpis/common-metrics
https:/ /www.varonis.com/blog/incident-response-plan/
https:/ /holierthantao.com/2023/05/03/minimizing-disruptions-a-comprehensive-guide-to-incidentresponse-planning-and-execution/

NO.27 Which of the following change management procedures is MOST likely to cause concern to
the information security manager?
A. Fallback processes are tested the weekend before changes are made
B. Users are not notified of scheduled system changes
C. A manual rather than an automated process is used to compare program versions.
D. The development manager migrates programs into production
Answer: D
Explanation:
According to the Certified Information Security Manager (CISM) Study Guide, one of the primary
responsibilities of an information security manager is to ensure that changes to systems and
processes are managed in a secure and controlled manner. The change management procedure that
is most likely to cause concern for an information security manager is when the development
manager migrates programs into production without proper oversight or control. This can increase
the risk of unauthorized changes being made to systems and data, and can also increase the risk of
configuration errors or other issues that can negatively impact the security and availability of
systems. To mitigate these risks, it is important for the information security manager to work closely
with the development team to establish and enforce change management procedures that ensure
that all changes are properly approved, tested, and implemented in a controlled manner.

NO.28 Which of the following is the GREATEST benefit of conducting an organization-wide security
awareness program?
A. The security strategy is promoted.
B. Fewer security incidents are reported.
C. Security behavior is improved.
D. More security incidents are detected.
Answer: C
10

IT Certification Guaranteed, The Easy Way!

NO.29 Which of the following documents should contain the INITIAL prioritization of recovery of
services?
A. IT risk analysis
B. Threat assessment
C. Business impact analysis (BIA)
D. Business process map
Answer: C
Explanation:
A business impact analysis (BIA) is the document that should contain the initial priori-tization of
recovery of services. A BIA is a process of identifying and analyzing the po-tential effects of
disruptions to critical business functions and processes. A BIA typi-cally includes the following steps1:
* Identifying the critical business functions and processes that support the organization's mission and
objectives.
* Estimating the maximum tolerable downtime (MTD) for each function or process, which is the
longest time that the organization can afford to be without that function or process before suffering
unacceptable consequences.
* Assessing the potential impacts of disruptions to each function or process, such as finan-cial losses,
reputational damage, legal liabilities, regulatory penalties, customer dissatis-faction, etc.
* Prioritizing the recovery of functions or processes based on their MTDs and impacts, and assigning
recovery time objectives (RTOs) and recovery point objectives (RPOs) for each function or process.
RTOs are the target times for restoring functions or processes after a disruption, while RPOs are the
acceptable amounts of data loss in case of a disruption.
* Identifying the resources and dependencies required for each function or process, such as staff,
equipment, software, data, suppliers, customers, etc.
A BIA provides the basis for developing a business continuity plan (BCP), which is a document that
outlines the strategies and procedures for ensuring the continuity or re-covery of critical business
functions and processes in the event of a disruption2. The other options are not documents that
should contain the initial prioritization of recov-ery of services. An IT risk analysis is a process of
identifying and evaluating the threats and vulnerabilities that affect the IT systems and assets of an
organization. It helps to determine the likelihood and impact of potential IT incidents, and to select
and imple-ment appropriate controls to mitigate the risks3. A threat assessment is a process of
identifying and analyzing the sources and capabilities of adversaries that may pose a threat to an
organization's security. It helps to determine the level of threat posed by different actors, and to
develop countermeasures to prevent or respond to attacks. A business process map is a visual
representation of the activities, inputs, outputs, roles, and resources involved in a business process. It
helps to understand how a process works, how it can be improved, and how it relates to other
processes. Reference: 1: Business impact analysis (BIA) - Wikipedia 2: Business continuity plan
- Wikipedia 3: IT risk management - Wikipedia : Threat assessment - Wikipedia : Business process m
ap-ping - Wikipedia

NO.30 Which of the following is the GREATEST inherent risk when performing a disaster recovery
plan (DRP) test?
A. Poor documentation of results and lessons learned
B. Lack of communication to affected users

11

IT Certification Guaranteed, The Easy Way!

C. Disruption to the production environment
D. Lack of coordination among departments
Answer: C
Explanation:
The greatest inherent risk when performing a disaster recovery plan (DRP) test is disruption to the
production environment. A DRP test involves simulating a disaster scenario to ensure that the
organization's plans are effective and that it is able to recover from an incident. However, this
involves running tests on the production environment, which has the potential to disrupt the normal
operations of the organization. This inherent risk can be mitigated by running tests on a nonproduction environment or by running tests at times when disruption will be minimized.

NO.31 Which of the following activities is designed to handle a control failure that leads to a breach?
A. Risk assessment
B. Incident management
C. Root cause analysis
D. Vulnerability management
Answer: B
NO.32 A finance department director has decided to outsource the organization's budget
application and has identified potential providers. Which of the following actions should be initiated
FIRST by IN information security manager?
A. Determine the required security controls for the new solution
B. Review the disaster recovery plans (DRPs) of the providers
C. Obtain audit reports on the service providers' hosting environment
D. Align the roles of the organization's and the service providers' stats.
Answer: A
Explanation:
Before outsourcing any application or service, an information security manager should first
determine the required security controls for the new solution, based on the organization's risk
appetite, security policies and standards, and regulatory requirements. This will help to evaluate and
select the most suitable provider, as well as to define the security roles and responsibilities, service
level agreements (SLAs), and audit requirements. Reference:
https:/ /www.isaca.org/credentialing/cism https:/ /www.wiley.com/enus/CISM+Certified+Information+Security+Manager+Study+Guide-p-9781119801948

NO.33 Which of the following BEST enables the integration of information security governance into
corporate governance?
A. Senior management approval of the information security strategy
B. An information security steering committee with business representation
C. Clear lines of authority across the organization
D. Well-decumented information security policies and standards
Answer: B

NO.34 Which of the following is the BEST course of action for an information security manager to
12

IT Certification Guaranteed, The Easy Way!

align security and business goals?
A. Conducting a business impact analysis (BIA)
B. Reviewing the business strategy
C. Defining key performance indicators (KPIs)
D. Actively engaging with stakeholders
Answer: D

NO.35 The MOST appropriate time to conduct a disaster recovery test would be after:
A. major business processes have been redesigned.
B. the business continuity plan (BCP) has been updated.
C. the security risk profile has been reviewed
D. noncompliance incidents have been filed.
Answer: A
NO.36 Which of the following is the GREATEST benefit of including incident classification criteria
within an incident response plan?
A. Ability to monitor and control incident management costs
B. More visibility to the impact of disruptions
C. Effective protection of information assets
D. Optimized allocation of recovery resources
Answer: D
Explanation:
The explanation given in the manual is:
Incident classification criteria enable an organization to prioritize incidents based on their impact and
urgency. This allows for an optimized allocation of recovery resources to minimize business
disruption and ensure timely restoration of normal operations. The other choices are benefits of
incident management but not directly related to incident classification criteria.

NO.37 An organization has multiple data repositories across different departments. The information
security manager has been tasked with creating an enterprise strategy for protecting dat a. Which of
the following information security initiatives should be the HIGHEST priority for the organization?
A. Data masking
B. Data retention strategy
C. Data encryption standards
D. Data loss prevention (DLP)
Answer: C
Explanation:
Data encryption standards are the best information security initiative for creating an enterprise
strategy for protecting data across multiple data repositories and different departments because
they help to ensure the confidentiality, integrity, and availability of data in transit and at rest. Data
encryption is a process of transforming data into an unreadable format using a secret key or
algorithm, so that only authorized parties can access and decrypt it. Data encryption standards are
the rules or specifications that define how data encryption should be performed, such as the type,
strength, and mode of encryption, the key management and distribution methods, and the
13

IT Certification Guaranteed, The Easy Way!

compliance requirements. Data encryption standards help to protect data from unauthorized access,
modification, or theft, as well as to meet the regulatory obligations for data privacy and security.
Therefore, data encryption standards are the correct answer.
Reference:
https:/ /www.techtarget.com/searchdatabackup/tip/20-keys-to-a-successful-enterprise-dataprotection-strategy
https:/ /cloudian.com/guides/data-protection/data-protection-strategy-10-components-of-aneffective-strategy/
https:/ /www.veritas.com/information-center/enterprise-data-protection

NO.38 Which of the following is MOST useful to an information security manager when determining
the need to escalate an incident to senior?
A. Incident management procedures
B. Incident management policy
C. System risk assessment
D. Organizational risk register
Answer: D
Explanation:
The organizational risk register is the most useful for an information security manager when
determining the need to escalate an incident to senior management because it contains a list of
identified risks to the organization, their likelihood and impact, and their predefined risk thresholds
or targets, which can help the information security manager assess the severity and urgency of the
incident and decide whether it requires senior management's attention or action. Incident
management procedures are not very useful for this purpose because they do not provide any
specific criteria or guidance on when to escalate an incident to senior management. Incident
management policy is not very useful for this purpose because it does not provide any specific
criteria or guidance on when to escalate an incident to senior management. System risk assessment
is not very useful for this purpose because it does not reflect the current risk exposure or status of
the organization as a whole. Reference: https:/ /www.isaca.org/resources/isacajournal/issues/2016/volume-6/how-to-measure-the-effectiveness-of-information-security-using-iso27004 https:/ /www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-responselessons-learned

NO.39 Which of the following would be MOST helpful to identify worst-case disruption scenarios?
A. Business impact analysis (BIA)
B. Business process analysis
C. SWOT analysis
D. Cast-benefit analysis
Answer: A
NO.40 A security incident has been reported within an organization. When should an inforrnation
security manager contact the information owner? After the:
A. incident has been confirmed.
B. incident has been contained.
C. potential incident has been logged.
14