Certified Information Security Manager (CISM) Practice Questions: Incident Management Domain
Master the Incident Management Domain
Test your knowledge in the Incident Management domain with these 10 practice questions. Each question is designed to help you prepare for the CISM certification exam with detailed explanations to reinforce your learning.
Question 1
An incident response team is handling a ransomware attack. What is the most important consideration when deciding whether to pay the ransom?
Explanation: The organization's policy on negotiating with attackers (Option C) should be the guiding factor, as it reflects management's risk tolerance and ethical stance. While cost (Option A), likelihood of recovery (Option B), and legal implications (Option D) are important, they should be considered within the framework of the established policy.
Question 2
During an incident response, it is discovered that the organization’s incident response plan is outdated and lacks procedures for handling the specific type of incident that occurred. What should be the immediate focus of the information security manager?
Explanation: The immediate focus should be on using existing resources to manage the incident while documenting lessons learned (B). This ensures that the incident is handled promptly and that gaps are identified for future improvements. Developing a new plan (A) or suspending activities (C) would delay response efforts. Engaging external consultants (D) might be necessary but should not replace utilizing internal resources effectively.
Question 3
After an incident has been contained, which of the following actions should be prioritized to ensure lessons learned are effectively captured?
Explanation: Conducting a formal post-incident review with all stakeholders is essential to capture lessons learned effectively. This process helps identify what worked, what didn’t, and how future incidents can be better managed. Updating policies (A) and investing in technologies (C) may follow the review. Issuing a press release (D) is not directly related to capturing lessons learned.
Question 4
Following a security incident, the incident response team is tasked with updating the incident response plan. What is the most important factor to consider during this update?
Explanation: Lessons learned from the recent incident (B) are the most important factor to consider, as they provide direct insights into what worked well and what needs improvement. This aligns with ISACA's emphasis on continuous improvement. Feedback from consultants (A), regulatory changes (C), and new technologies (D) are also important but should be integrated into the plan based on the lessons learned.
Question 5
An organization has experienced a data breach affecting customer data due to a phishing attack. As the information security manager, what should be your first priority in managing this incident?
Explanation: The first priority in managing an incident is to contain it to prevent further damage. This aligns with ISACA best practices, which emphasize minimizing the impact of an incident. While notifying customers, conducting an investigation, and reporting to authorities are important, they should follow containment efforts to ensure the breach does not continue to affect more data.
Question 6
During a security incident, the incident response team discovers that sensitive customer data has been exfiltrated. What is the most important consideration when deciding whether to publicly disclose this information?
Explanation: The most important consideration is the legal and regulatory requirements for data breach disclosure (Option B). Compliance with applicable laws and regulations is mandatory and often dictates the timing and manner of disclosure. While Options A, C, and D are significant factors, they are secondary to the legal obligations that the organization must fulfill.
Question 7
During a security incident, you discover that critical business data has been encrypted by ransomware. What is the most important action to take first?
Explanation: The most important initial action is to isolate the affected systems from the network to prevent the ransomware from spreading further. This aligns with ISACA's best practices for containment. Paying the ransom (A) is not recommended as it doesn't guarantee data recovery and may encourage future attacks. Notifying law enforcement (C) and restoring data (D) are important follow-up actions but not immediate priorities.
Question 8
An organization has experienced a ransomware attack. What is the most critical immediate action to take to minimize impact?
Explanation: Isolating affected systems from the network is the most critical immediate action to prevent the ransomware from spreading to other systems. This containment measure is essential to minimize impact. Paying the ransom is not recommended as it doesn't guarantee data recovery and may encourage further attacks. Restoring data should be done after containment to ensure backups are not infected. Notifying law enforcement is important but not the immediate priority.
Question 9
In the aftermath of a significant security incident, what should be the primary focus of the post-incident review conducted by the information security team?
Explanation: The primary focus of a post-incident review should be on determining the effectiveness of the incident response plan and identifying areas for improvement. This aligns with ISACA's best practices for continuous improvement and learning from incidents to enhance future responses. Identifying responsible employees and assessing financial impact are secondary considerations. Ensuring systems are restored is part of incident resolution, not the review process.
Question 10
Which of the following is the most important consideration when developing an incident response policy?
Explanation: Alignment with the organization's business objectives (B) is the most important consideration, as it ensures that the incident response policy supports the overall goals and risk appetite of the organization. Compliance (A) is important but secondary to alignment with business objectives. Technical procedures (C) are part of response plans, not the policy itself. Regular updates (D) are necessary for relevance but follow alignment with objectives.
About Certified Information Security Manager (CISM) Certification
The CISM certification validates your expertise in incident management and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.