Free CISM Information Security Risk Management Practice Test 2026 — Certified Information Security Manager Questions
This free CISM Information Security Risk Management practice test covers CISM Domain 2, Information Security Risk Management (about 20% of the exam): risk identification, assessment, treatment, monitoring, and third-party risk. Each question includes a detailed explanation aligned to the ISACA CISM Review Manual and the CISM Job Practice Areas.
Key Topics in CISM Information Security Risk Management
- Risk Identification & Assessment
- Risk Treatment (Avoid / Transfer / Mitigate / Accept)
- Risk Appetite & Tolerance
- Risk Monitoring & Reporting
- Quantitative vs Qualitative Analysis
- Third-Party / Supply Chain Risk
6 Free CISM Information Security Risk Management Practice Questions with Answers
Sample Question 1 — Information Security Risk Management
An organization has recently completed a comprehensive risk assessment and identified several information security risks. The management team is prioritizing these risks for treatment. Which of the following factors should be considered the most critical when determining the priority of risk treatment?
- A. The cost of implementing the risk treatment.
- B. The potential impact on the organization's objectives. (Correct answer)
- C. The ease of implementing the risk treatment.
- D. The availability of resources to implement the treatment.
Correct answer: B
Explanation: Risk treatment is prioritized by the potential impact on the organization's objectives, so that the risks most capable of derailing strategic goals are addressed first. Cost, ease of implementation, and resource availability shape how and when a chosen treatment is carried out, and they are weighed in the cost-benefit analysis of each treatment option, but they do not determine which risks matter most to the business.
Sample Question 2 — Information Security Risk Management
A company is evaluating a new third-party cloud service provider. As part of the risk assessment process, which of the following should be the primary focus to ensure the security of the organization's data?
- A. The reputation of the cloud service provider.
- B. The provider's compliance with industry standards and regulations. (Correct answer)
- C. The cost-effectiveness of the service.
- D. The physical location of the provider's data centers.
Correct answer: B
Explanation: The primary focus is the provider's compliance with industry standards and regulations, because evidence of compliance (for example, independent audit reports or certification against a recognized security framework) shows which security controls the provider actually operates to protect the organization's data. Reputation, cost-effectiveness, and data-center location are legitimate due-diligence and data-residency considerations, but none of them is evidence of the controls in place.
Sample Question 3 — Information Security Risk Management
During a risk assessment, an organization identifies a critical vulnerability in its web application that could lead to data breaches. What should be the immediate next step in the risk management process?
- A. Inform stakeholders about the vulnerability.
- B. Implement a temporary fix to mitigate the risk. (Correct answer)
- C. Conduct a cost-benefit analysis for a permanent solution.
- D. Update the risk register with the new information.
Correct answer: B
Explanation: With a critical, exploitable vulnerability, the immediate priority is to reduce the likelihood of exploitation, so a temporary fix (a compensating control) is applied first while a permanent remediation is developed. Informing stakeholders and updating the risk register should follow promptly, but neither action by itself reduces the exposure. A cost-benefit analysis belongs to selecting the permanent solution, not to the immediate response.
Sample Question 4 — Information Security Risk Management
An organization is developing a risk management strategy for its new e-commerce platform. Which of the following actions best demonstrates a proactive approach to managing information security risks?
- A. Regularly updating antivirus software on all servers.
- B. Conducting a business impact analysis to identify critical processes. (Correct answer)
- C. Implementing a firewall to protect the platform from external threats.
- D. Scheduling periodic security training for employees.
Correct answer: B
Explanation: A business impact analysis identifies the processes the organization depends on and the consequences of their disruption, so the risk management strategy can be built around what matters most to the business; that is the proactive, strategic step. Updating antivirus software, deploying a firewall, and scheduling security training are operational controls that are selected and prioritized once those priorities are known; they do not by themselves establish a risk management strategy.
Sample Question 5 — Information Security Risk Management
A financial institution has identified a risk of unauthorized access to sensitive customer data. Which of the following risk treatment options should be prioritized to address this risk effectively?
- A. Transferring the risk by obtaining cyber insurance.
- B. Avoiding the risk by discontinuing online services.
- C. Mitigating the risk by implementing multi-factor authentication. (Correct answer)
- D. Accepting the risk due to its low likelihood.
Correct answer: C
Explanation: Multi-factor authentication mitigates the risk directly by reducing the likelihood that stolen or guessed credentials lead to unauthorized access. Cyber insurance transfers part of the financial impact but leaves the likelihood of the event unchanged; discontinuing online services avoids the risk only at an unacceptable business cost; and accepting the risk is inappropriate given the sensitivity of customer data, whatever likelihood is assigned to it.
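Questions 1, 3 and 5 above turn on the same quantitative reasoning: rank risks by expected annual loss, then compare each treatment option's cost against the loss it removes. The following Python script is an added illustration written for this page, not ISACA material or a CISM exam artifact. It computes annualized loss expectancy (ALE = SLE x ARO), maps it onto a qualitative High/Medium/Low scale, scores each treatment by net annual value, and applies a risk-appetite threshold to decide between accept, treat, and escalate. The risk register, treatment figures, and the rating and appetite thresholds are all constructed for illustration; a real register would use the organization's own loss data and committee-approved thresholds.

```python
"""Quantitative risk prioritization and treatment selection (added example).

ALE = SLE x ARO ranks risks by expected annual loss; each candidate treatment is
scored as (ALE before) - (residual ALE after) - (annual cost of the treatment).
All figures and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: cost of one occurrence, in currency units
    aro: float  # annualized rate of occurrence: expected occurrences per year

    def ale(self) -> float:
        """Annualized loss expectancy."""
        return round(self.sle * self.aro, 2)


@dataclass(frozen=True)
class Treatment:
    risk: str            # name of the Risk this treatment applies to
    option: str          # mitigate / transfer / avoid, plus a short description
    annual_cost: float   # recurring cost of operating the treatment
    residual_sle: float  # SLE after the treatment is in place
    residual_aro: float  # ARO after the treatment is in place

    def residual_ale(self) -> float:
        return round(self.residual_sle * self.residual_aro, 2)


def prioritize(risks):
    """Highest expected annual loss first: the 'impact on objectives' ordering."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def rate(ale, high=200_000.0, medium=50_000.0):
    """Map a quantitative ALE onto the qualitative scale used in management reporting.
    Thresholds are assumed values a risk committee would set, not ISACA figures."""
    if ale >= high:
        return "High"
    if ale >= medium:
        return "Medium"
    return "Low"


def treatment_value(risk, treatment):
    """Net annual benefit: loss avoided minus what the treatment costs to run."""
    return round(risk.ale() - treatment.residual_ale() - treatment.annual_cost, 2)


def recommend(risks, treatments, appetite):
    """For each risk: accept if already within appetite; otherwise choose the
    treatment with the best net value among those that bring residual ALE within
    appetite; 'escalate' if none does (management must decide formally)."""
    decisions = {}
    for risk in risks:
        if risk.ale() <= appetite:
            decisions[risk.name] = "accept"
            continue
        candidates = [t for t in treatments
                      if t.risk == risk.name and t.residual_ale() <= appetite]
        if not candidates:
            decisions[risk.name] = "escalate"
            continue
        best = max(candidates, key=lambda t: treatment_value(risk, t))
        decisions[risk.name] = best.option
    return decisions


# Constructed sample register (not real data).
RISKS = [
    Risk("Laptop theft", sle=10_000.0, aro=4.0),
    Risk("Customer database breach via web application", sle=2_000_000.0, aro=0.2),
    Risk("Ransomware on file servers", sle=500_000.0, aro=0.5),
]

TREATMENTS = [
    Treatment("Customer database breach via web application",
              "mitigate: multi-factor authentication on admin and customer access",
              annual_cost=60_000.0, residual_sle=2_000_000.0, residual_aro=0.05),
    Treatment("Customer database breach via web application",
              "transfer: cyber insurance (1.5M coverage, likelihood unchanged)",
              annual_cost=120_000.0, residual_sle=500_000.0, residual_aro=0.2),
    Treatment("Ransomware on file servers",
              "mitigate: offline backups and endpoint detection",
              annual_cost=80_000.0, residual_sle=200_000.0, residual_aro=0.1),
    Treatment("Laptop theft",
              "mitigate: tracking and remote-wipe service",
              annual_cost=50_000.0, residual_sle=500.0, residual_aro=4.0),
]

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.name:50s} ALE={r.ale():>12,.2f} rating={rate(r.ale())}")
    for t in TREATMENTS:
        risk = next(r for r in RISKS if r.name == t.risk)
        print(f"  {t.option:66s} net value={treatment_value(risk, t):>12,.2f}")
    print(recommend(RISKS, TREATMENTS, appetite=150_000.0))
```

Two points the numbers make that the explanations above state in words: insurance (transfer) leaves the ARO at 0.2 and only lowers the residual SLE, so it scores below MFA even though both bring the breach risk within appetite; and the laptop-theft control has a negative net value, which is why a risk already within appetite is accepted rather than treated on cost grounds alone (a regulatory requirement could still mandate the control, which is a compliance decision outside this calculation).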
Sample Question 6 — Information Security Risk Management
A multinational corporation is undergoing a major digital transformation, which includes moving critical services to the cloud. As the Information Security Manager, you are tasked with assessing the risks associated with this transition. What should be your primary focus in the initial stage of the risk assessment process?
- A. Evaluate the security policies of the cloud service provider.
- B. Identify and classify the data and services that will be moved to the cloud. (Correct answer)
- C. Review the compliance requirements applicable to cloud services.
- D. Conduct a penetration test on the cloud environment.
Correct answer: B
Explanation: The initial stage of the risk assessment process should focus on identifying and classifying the data and services that will be moved to the cloud. This is crucial because understanding what data and services are involved will help determine the potential risks and the necessary security measures. Option A (evaluating the cloud provider's security policies) and Option C (reviewing compliance requirements) are important steps but should follow the initial identification and classification. Option D (conducting a penetration test) is a more advanced step that should be performed after the initial risk assessment.
About the CISM / Certified Information Security Manager Exam
- Questions: 150 multiple choice
- Time: 4 hours
- Passing score: 450 / 800 (scaled)
- Cost: $575 (members) / $760 (non-members)
- Validity: 3 years (renew with 120 CPEs)
- Provider: ISACA
- DoD 8570/8140: Approved for IAM II, IAM III, CSSP Manager