CISM Domain 2 Risk Management Quiz – 100 Questions
It is highly recommended to refresh your Domain 2 knowledge with the article "CISM – Domain 2 Detailed Overview – Information Security Risk Management" on Exceediance prior to attempting the quiz below.
📘 CISM Domain 2 · Risk Management
100 practice questions.
📌 Section 1 · Questions 1–20
1. An information security manager is reviewing the organization's risk register and notes that a critical business process has a residual risk level that exceeds the defined risk tolerance. What should the manager do FIRST?
2. Which of the following is the BEST example of a Key Risk Indicator (KRI) for an organization's third-party vendor risk?
3. A business unit proposes a new initiative that involves collecting and storing sensitive personal data from customers in a new geographic region. The organization's risk appetite is conservative regarding data privacy. What should the information security manager do FIRST?
4. An information security manager has completed a quantitative risk assessment for a critical system. The Annualized Loss Expectancy (ALE) before controls is $500,000. After implementing a proposed control costing $80,000 per year, the ALE is reduced to $100,000. What should the manager recommend?
5. A major security vulnerability is disclosed in a widely used third-party software component that is critical to the organization's e-commerce platform. The vendor has not yet released a patch. What should the information security manager do FIRST?
6. During a routine risk review, the information security manager identifies that a risk owner has not implemented any of the agreed-upon risk treatment actions, and the deadline has passed. What should the manager do?
7. A recent internal audit report highlights that the organization lacks a formal process for monitoring emerging threats and vulnerabilities. What is the GREATEST risk associated with this deficiency?
8. Which of the following is the PRIMARY purpose of a Business Impact Analysis (BIA)?
9. An organization is considering transferring a significant cyber risk to an insurance provider. What is the MOST important consideration for the information security manager?
10. Which of the following describes inherent risk?
11. What is the FIRST step in establishing a third-party/vendor risk management program?
12. Which of the following is an example of risk mitigation?
13. An information security manager is preparing a risk report for the Board of Directors. What is the MOST important consideration?
14. What is the relationship between risk appetite and risk tolerance?
15. A risk has been identified that falls outside the organization's risk tolerance. Which of the following is an acceptable course of action?
16. Which of the following BEST describes residual risk?
17. An organization has identified a risk with high likelihood and high impact. The cost to mitigate is significantly higher than the potential loss. What is the MOST appropriate risk treatment?
18. What is the PRIMARY purpose of a risk register?
19. An information security manager is reviewing a proposed new control. The ALE before the control is $1,000,000. The ALE after the control is $300,000. The annual cost of the control is $150,000. What is the net benefit of the control?
20. Which of the following is the MOST effective way to build a positive risk culture within an organization?
📌 Section 2 · Questions 21–40
21. An organization is implementing a new risk management framework. What is the MOST critical factor for its success?
22. Which of the following is a Key Performance Indicator (KPI) for the security operations team?
23. An information security manager discovers that a critical business process has a single point of failure that could cause significant operational disruption. What should the manager do FIRST?
24. What is the PRIMARY benefit of a quantitative risk assessment over a qualitative one?
25. An organization has signed a contract with a cloud provider that includes a clause requiring the provider to notify the organization within 24 hours of any security incident. This is an example of:
26. Which of the following BEST describes risk capacity?
27. An information security manager is reviewing a vendor's SOC 2 Type II report. What is the PRIMARY value of this report?
28. What is the MOST important factor to consider when selecting a risk treatment option?
29. An organization has identified a risk that is currently within its risk tolerance. The cost to mitigate this risk is high. What should the security manager recommend?
30. Which of the following is the GREATEST risk of not conducting regular risk assessments?
31. An information security manager is developing a risk awareness program. What is the MOST effective approach?
32. What is the PRIMARY purpose of a risk management framework?
33. A risk owner has formally accepted a risk that falls within the organization's risk tolerance. What is the NEXT step?
34. Which of the following is an example of a detective control?
35. An organization is expanding into a new market with different regulatory requirements. What should the information security manager do FIRST?
36. What is the MOST important characteristic of a Key Risk Indicator (KRI)?
37. An information security manager discovers that a vendor has been breached and customer data may have been exposed. What should the manager do FIRST?
38. Which of the following BEST describes the Three Lines of Defense model in risk governance?
39. An organization has a risk appetite statement that says: "We are willing to accept moderate risk in pursuit of innovation, but we have zero tolerance for data privacy violations." This statement is:
40. Which of the following is the GREATEST risk when an organization relies on a single third-party vendor for a mission-critical service?
📌 Section 3 · Questions 41–60
41. An information security manager is reviewing a proposed new product that will collect and process sensitive customer financial data. What is the MOST appropriate first step?
42. Which of the following is an example of risk transfer?
43. An organization has a risk tolerance of "no more than $2 million in annual loss from cyber incidents." This is an example of:
44. What is the PRIMARY purpose of ongoing risk monitoring?
45. An information security manager is presenting a risk report to the Board. The Board asks: "What is our top risk right now?" What is the BEST response?
46. Which of the following is an example of a compensating control?
47. An organization is merging with another company. What is the MOST critical risk management activity during the merger?
48. Which of the following BEST describes the relationship between risk tolerance and risk appetite?
49. An information security manager identifies that a critical business process has a high inherent risk. However, after implementing several controls, the residual risk is now within tolerance. What should the manager do?
50. What is the PRIMARY role of the information security manager in risk governance?
51. An organization has a risk where the ALE is $100,000. A proposed control costs $30,000 per year and reduces the ALE to $20,000. What is the net benefit?
52. Which of the following is the GREATEST risk when risk ownership is unclear or not assigned?
53. An information security manager is selecting controls for a new system. What is the MOST important criterion for control selection?
54. What is the PRIMARY purpose of a risk assessment?
55. An organization has a risk that is currently being mitigated by a control that is no longer effective. What should the manager do FIRST?
56. Which of the following is an example of a preventive control?
57. An organization is considering accepting a risk because the cost of mitigation is too high. What is the MOST important requirement for risk acceptance?
58. Which of the following BEST describes risk evaluation?
59. An information security manager is preparing a risk report for executive management. What is the MOST effective way to present the risk information?
60. What is the GREATEST risk of relying solely on cyber insurance as a risk treatment strategy?
📌 Section 4 · Questions 61–80
61. An organization has identified a new risk but has not yet assigned a risk owner. What should the information security manager do FIRST?
62. Which of the following is the MOST critical component of a vendor risk management program?
63. What is the PRIMARY purpose of a Business Impact Analysis (BIA) in the context of risk management?
64. An information security manager notices that the number of phishing incidents reported by employees has significantly increased over the past month. What should the manager do?
65. Which of the following is an example of a corrective control?
66. An organization has a risk where the SLE is $50,000 and the ARO is 0.2 (once every five years). What is the ALE?
67. What is the MOST important factor in determining the frequency of risk assessments?
68. An information security manager is reviewing a risk that has been accepted by the risk owner. The manager believes the risk is higher than the risk owner assessed. What should the manager do?
69. Which of the following BEST describes the concept of defense in depth in risk management?
70. An organization has a risk that is currently being transferred to a third-party service provider. What is the MOST important ongoing activity for the security manager?
71. What is the PRIMARY purpose of risk reporting to the Board of Directors?
72. An information security manager is selecting a risk assessment methodology. The organization wants to prioritize risks based on financial impact and has accurate data available. Which methodology is MOST appropriate?
73. Which of the following is the GREATEST risk to the accuracy of a risk register?
74. An organization is considering a new cloud migration project. What is the MOST important risk management activity before the project begins?
75. What is the PRIMARY difference between inherent risk and residual risk?
76. An information security manager is developing a risk treatment plan. What is the MOST critical element to include?
77. Which of the following is an example of a deterrent control?
78. An organization has experienced a security incident that revealed a previously unknown vulnerability. What should the information security manager do FIRST?
79. Which of the following BEST describes the role of Internal Audit in the Three Lines of Defense model?
80. An organization is developing a new software application. The security manager wants to ensure security is integrated from the start. What is the MOST effective approach?
📌 Section 5 · Questions 81–100
81. An information security manager is evaluating a risk where the potential impact is catastrophic, but the likelihood is extremely low. What is the MOST appropriate approach?
82. Which of the following is the GREATEST risk to an organization that does not have a formal risk management program?
83. An information security manager is reviewing a vendor contract. The contract includes a clause that requires the vendor to maintain cyber insurance. This is an example of:
84. What is the PRIMARY purpose of a risk heat map?
85. An organization has a risk where the cost to mitigate is $100,000, but the expected annual loss from the risk is only $20,000. What is the MOST appropriate risk treatment?
86. Which of the following is the MOST effective way to measure the effectiveness of a risk awareness program?
87. An information security manager is evaluating a risk that is currently mitigated by a single control. If that control fails, the business would suffer significant losses. What is the GREATEST risk?
88. What is the PRIMARY purpose of risk identification?
89. An organization has a risk that is currently being managed by a risk owner who is leaving the company. What should the information security manager do?
90. Which of the following is an example of a Key Performance Indicator (KPI) for a risk management program?
91. An information security manager is preparing for an external audit. What is the MOST important document the auditor will review?
92. What is the GREATEST risk of accepting a risk without formal documentation?
93. An organization is considering a new partnership with a third-party that will have access to sensitive customer data. What should the information security manager do FIRST?
94. Which of the following BEST describes risk avoidance?
95. An information security manager is evaluating controls for a new system. The manager identifies that a primary control is too expensive to implement. What is the MOST appropriate next step?
96. What is the PRIMARY benefit of integrating risk management with business strategy?
97. An organization has a risk where the SLE is $200,000 and the ARO is 0.5. What is the ALE?
98. Which of the following is the MOST important characteristic of a risk owner?
99. An information security manager is reviewing the organization's risk culture. Which of the following is the STRONGEST indicator of a positive risk culture?
100. What is the FINAL step in the risk management lifecycle?
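The quantitative questions in this quiz (Q4, Q19, Q51, Q66, Q85 and Q97) all rest on two formulas: ALE = SLE × ARO, and the net benefit of a control = (ALE before the control minus ALE after the control) minus the control's annual cost. The Python below is an added worked example, not part of the original quiz or its answer key. It evaluates each of those scenarios and applies the usual cost-benefit reasoning for choosing between mitigation and acceptance. The class and function names, the risk_tolerance parameter, the assumed tolerance of $25,000 used for Q85, and the assumption that the Q85 control would eliminate the risk entirely (the question states no post-control ALE) are all mine.

```python
from dataclasses import dataclass
from typing import Dict, Optional


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy: Single Loss Expectancy x Annualized Rate of Occurrence.

    ARO is a frequency per year, so "once every five years" is 0.2 and
    "twice a year" is 2.0; it is not confined to the range 0..1.
    """
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # annualized cost of operating the control
    ale_after: float     # ALE that remains once the control is in place


def net_benefit(ale_before: float, control: Control) -> float:
    """Annual loss avoided by the control minus what the control costs per year."""
    if control.ale_after > ale_before:
        raise ValueError("a control cannot increase the ALE it is meant to reduce")
    return (ale_before - control.ale_after) - control.annual_cost


def rosi(ale_before: float, control: Control) -> Optional[float]:
    """Return on security investment: net benefit per unit of control cost."""
    if control.annual_cost == 0:
        return None  # a free control has no meaningful ROSI; net benefit still applies
    return net_benefit(ale_before, control) / control.annual_cost


def recommend(ale_before: float, control: Control,
              risk_tolerance: Optional[float] = None) -> str:
    """Cost-benefit treatment decision, applied mechanically.

    Positive net benefit: the control pays for itself, so mitigate.
    Otherwise acceptance is only defensible when the untreated loss already
    sits within the organization's stated tolerance (and is documented and
    owned); if tolerance is unknown, the decision cannot be completed here.
    """
    if net_benefit(ale_before, control) > 0:
        return "mitigate"
    if risk_tolerance is None:
        return "control not cost-justified; accept only if within tolerance"
    if ale_before <= risk_tolerance:
        return "accept"
    return "control not cost-justified and risk exceeds tolerance; seek another treatment"


def quiz_scenarios() -> Dict[str, dict]:
    """Figures taken from the quiz questions; Q85's ale_after=0 and tolerance are assumptions."""
    q4 = Control("Q4 control", annual_cost=80_000, ale_after=100_000)
    q19 = Control("Q19 control", annual_cost=150_000, ale_after=300_000)
    q51 = Control("Q51 control", annual_cost=30_000, ale_after=20_000)
    q85 = Control("Q85 control (assumed to remove the risk)", annual_cost=100_000, ale_after=0)
    assumed_q85_tolerance = 25_000  # assumption: the quiz does not state a tolerance
    return {
        "Q4": {"net_benefit": net_benefit(500_000, q4), "rosi": rosi(500_000, q4),
               "recommendation": recommend(500_000, q4)},
        "Q19": {"net_benefit": net_benefit(1_000_000, q19), "rosi": rosi(1_000_000, q19),
                "recommendation": recommend(1_000_000, q19)},
        "Q51": {"net_benefit": net_benefit(100_000, q51), "rosi": rosi(100_000, q51),
                "recommendation": recommend(100_000, q51)},
        "Q66": {"ale": ale(50_000, 0.2)},
        "Q85": {"net_benefit": net_benefit(20_000, q85), "rosi": rosi(20_000, q85),
                "recommendation": recommend(20_000, q85, assumed_q85_tolerance),
                "recommendation_if_tolerance_unknown": recommend(20_000, q85)},
        "Q97": {"ale": ale(200_000, 0.5)},
    }


if __name__ == "__main__":
    for question, result in quiz_scenarios().items():
        print(question, result)
```

Note that the decision function deliberately refuses to return "accept" when no tolerance is supplied: a negative net benefit only tells you the control is not worth its cost, and acceptance still depends on the risk sitting inside the stated appetite and being formally owned, which is the point several of the governance questions above make.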