3
CISM Domain 1 Governance Quiz – 100 Questions
📘 CISM Domain 1 · Information Security Governance
100 practice questions — click any option to check your answer.
✅ Green = correct | ❌ Strikethrough = your wrong pick, with the correct answer highlighted in green.
✅ Green = correct | ❌ Strikethrough = your wrong pick, with the correct answer highlighted in green.
📌 Section 1 · Questions 1–10
1. An organization has experienced rapid growth through acquisitions, resulting in inconsistent security policies across business units. Which of the following is the MOST effective approach to establishing consistent security governance across the enterprise?
2. The Board of Directors has requested a report on the organization's information security posture. What is the MOST critical element that should be included in this report?
3. Which of the following BEST describes the primary purpose of information security governance?
4. An organization is developing a new information security strategy. Which of the following is the MOST important input to this strategy?
5. The Chief Information Security Officer (CISO) is presenting a security investment proposal to the Board. What is the MOST effective way to justify the investment?
6. Which of the following is the PRIMARY responsibility of the Board of Directors regarding information security?
7. An organization's security steering committee is reviewing the security program's performance. Which metric would provide the MOST meaningful insight into the program's alignment with business objectives?
8. The CISO is developing a security governance charter for the organization. Which of the following elements is MOST critical to include in this charter?
9. When establishing an information security governance framework, which of the following should be the FIRST step?
10. An organization is considering a significant investment in a new security technology. What is the MOST important factor in making this decision from a governance perspective?
📌 Section 2 · Questions 11–20
11. The Board of Directors has delegated the oversight of information security to the Audit Committee. Which of the following responsibilities should the Audit Committee assume?
12. Which of the following BEST describes the relationship between information security governance and information security management?
13. An organization is implementing a new compliance requirement that significantly impacts security operations. What is the MOST effective way to integrate this requirement into the security governance framework?
14. The security governance framework should ensure that security decisions are made at the appropriate level of the organization. Which of the following is the MOST important governance mechanism for achieving this?
15. A business unit leader proposes a new initiative that involves significant data sharing with external partners. The CISO identifies potential security risks. What should the CISO do FIRST?
16. Which of the following is the BEST indicator that an organization's security governance is effective?
17. The CISO is preparing the annual security budget. What is the MOST appropriate basis for allocating resources across different security domains?
18. An organization's security governance framework includes a security steering committee. Which of the following is the PRIMARY role of this committee?
19. Which of the following is the MOST critical success factor for an information security governance program?
20. The CISO is reviewing the organization's security governance documentation. Which document should define the HIGHEST-level security principles and strategic direction?
📌 Section 3 · Questions 21–30
21. An organization is adopting a new security framework. Which of the following is the MOST important consideration when selecting the appropriate framework?
22. The CEO has asked the CISO to explain why the organization needs to invest in security governance. What is the BEST response?
23. Which of the following is the GREATEST risk when security governance is weak or absent in an organization?
24. The security governance framework should be designed to support which of the following PRIMARY outcomes?
25. An organization is undergoing a significant merger with another company. What is the MOST critical security governance activity during the integration phase?
26. Which of the following is the MOST effective way for the CISO to demonstrate the value of the security program to the Board?
27. An organization has defined its risk appetite and communicated it through governance channels. Which of the following is the MOST important use of this risk appetite statement?
28. The CISO is developing a security strategy for the next three years. Which of the following should be the FOUNDATION of this strategy?
29. Which of the following is the BEST example of a governance-level security metric?
30. An organization is establishing a security governance framework. Which of the following is the MOST effective approach to ensuring the framework is adopted and sustained?
📌 Section 4 · Questions 31–40
31. The Board has requested a security dashboard to monitor the organization's security posture. What should be the PRIMARY focus of this dashboard?
32. Which of the following BEST describes the role of the CISO in the governance structure of an organization?
33. An organization is updating its security policies to reflect changes in the regulatory environment. What is the MOST important consideration in this policy update process?
34. A business unit wants to implement a new cloud-based solution that deviates from the organization's security architecture standards. What should the CISO do FIRST?
35. Which of the following is the MOST effective approach to ensuring that security governance is integrated into the organization's culture?
36. The CISO is presenting the security program's performance to the Audit Committee. Which metric would provide the MOST meaningful assurance to the committee?
37. An organization is developing a security awareness program. What is the MOST important governance consideration for this program?
38. Which of the following is the GREATEST risk when the security governance framework does not include input from business stakeholders?
39. The organization is considering outsourcing a significant security function to a managed security service provider. What is the MOST important governance activity prior to making this decision?
40. Which of the following BEST describes the relationship between security policies and security governance?
📌 Section 5 · Questions 41–50
41. An organization is experiencing rapid growth and has added several new subsidiaries. What is the MOST effective approach to maintaining consistent security governance across the expanded enterprise?
42. The CISO is preparing the security strategy for the next fiscal year. Which of the following should be the PRIMARY driver of the strategy's priorities?
43. Which of the following is the MOST effective way for the CISO to build trust and credibility with the Board of Directors?
44. An organization is implementing a new security governance framework. Which of the following is the MOST critical success factor for this implementation?
45. The security team has identified a new risk that could have a significant impact on the organization's operations. What is the MOST appropriate governance response?
46. Which of the following BEST describes the concept of "tone from the top" in security governance?
47. An organization is developing a security scorecard for executive reporting. Which of the following elements is MOST important to include on this scorecard?
48. The CISO is reviewing the organization's security governance documentation and identifies that several key policies have not been reviewed or updated in over three years. What is the MOST appropriate action?
49. Which of the following is the GREATEST risk when security governance is viewed as solely an IT responsibility rather than an enterprise-wide concern?
50. An organization is implementing a new enterprise resource planning (ERP) system. What is the MOST effective governance approach to ensure security is embedded in the implementation?
📌 Section 6 · Questions 51–60
51. The CISO is preparing a business case for a new security investment. Which of the following is the MOST compelling element to include in this business case?
52. Which of the following BEST describes the role of the Audit Committee in information security governance?
53. An organization is experiencing resistance to new security policies from business units. What is the MOST effective governance approach to address this resistance?
54. The CISO is developing a security program performance report for executive management. Which of the following should be the PRIMARY focus of this report?
55. Which of the following is the MOST effective way to ensure that security governance is responsive to changing business conditions?
56. An organization's Board has approved a new risk appetite statement. What is the MOST important action the CISO should take following this approval?
57. Which of the following BEST describes the difference between a security policy and a security standard?
58. The CISO is establishing a security governance committee. Which of the following is the MOST important consideration in defining the committee's composition?
59. An organization is developing a security metrics program. Which of the following is the MOST important principle for selecting security metrics?
60. Which of the following is the MOST critical element of a security governance framework?
📌 Section 7 · Questions 61–70
61. The CISO is preparing the security budget for the next fiscal year. Which of the following is the MOST appropriate basis for allocating resources across the security program?
62. Which of the following is the BEST indicator that security governance is effectively integrated into the organization?
63. An organization is considering entering a new market that has significantly different regulatory requirements. What is the MOST important governance activity prior to market entry?
64. Which of the following BEST describes the role of the security steering committee in the governance structure?
65. The CISO is developing a security communication plan. Which of the following is the MOST important consideration for this plan?
66. An organization has defined its security governance principles. Which of the following is the MOST important principle to include?
67. The CISO is preparing a report for the Board on the organization's security program. Which of the following should be the PRIMARY focus of this report?
68. Which of the following is the MOST effective way to ensure that security policies are understood and followed by employees?
69. An organization is evaluating its security governance maturity. Which of the following would indicate that governance is at the highest level of maturity?
70. The CISO is developing a security governance charter. Which of the following is the MOST important element to include in this charter?
📌 Section 8 · Questions 71–80
71. Which of the following is the MOST important consideration when designing a security governance framework for a multinational organization?
72. The CISO is reviewing the security program's performance metrics. Which metric would provide the MOST meaningful insight into governance effectiveness?
73. An organization is implementing a new regulatory compliance program. What is the MOST important governance consideration for this program?
74. Which of the following is the GREATEST risk when security governance is not aligned with enterprise risk management?
75. The CISO is presenting the security strategy to the Board. Which of the following is the MOST effective way to begin this presentation?
76. Which of the following BEST describes the relationship between security governance and security culture?
77. An organization is developing a security governance framework. Which of the following should be the FIRST step in this process?
78. The CISO is reviewing the organization's security governance documentation and identifies that several policies are contradictory. What is the MOST appropriate action?
79. Which of the following is the MOST effective way to measure the effectiveness of security governance?
80. An organization is facing a significant security incident that requires immediate executive attention. What is the MOST appropriate governance response?
📌 Section 9 · Questions 81–90
81. The CISO is developing a security governance framework for the organization. Which of the following is the MOST important benefit of establishing this framework?
82. Which of the following is the MOST important consideration when defining the CISO's role in the governance structure?
83. An organization is establishing a security awareness program. Which of the following governance elements is MOST critical for the program's success?
84. Which of the following is the MOST effective way for the CISO to influence security governance decisions?
85. An organization is developing a security metrics program. Which of the following is the MOST important principle to follow?
86. The CISO is preparing the security strategy for the organization. Which of the following is the MOST appropriate basis for the strategy's priorities?
87. Which of the following is the MOST effective way to ensure that security governance is sustainable over time?
88. An organization is evaluating its security governance framework. Which of the following indicates that the framework is effective?
89. The CISO is reviewing the organization's security governance framework. Which of the following should be the PRIMARY objective of this framework?
90. Which of the following is the GREATEST risk of not having a formal security governance framework in place?
📌 Section 10 · Questions 91–100
91. The CISO is preparing a report on the security program's maturity. Which of the following should be the PRIMARY focus of this report?
92. Which of the following is the MOST effective way for the CISO to manage stakeholder expectations regarding security?
93. An organization is developing a security governance framework. Which of the following is the MOST critical element to include in the framework?
94. The CISO is evaluating the effectiveness of the security governance committee. Which of the following is the BEST indicator of the committee's effectiveness?
95. Which of the following is the MOST important factor in building a security governance culture in the organization?
96. An organization is evaluating its security governance framework. Which of the following indicates that the framework is mature and effective?
97. The CISO is developing a security investment plan for the organization. Which of the following is the MOST appropriate basis for prioritizing security investments?
98. Which of the following is the MOST important consideration when delegating security authority to business unit leaders?
99. An organization is developing a security governance framework. Which of the following is the MOST effective approach to ensure the framework is adopted and sustained?
100. Which of the following BEST describes the ultimate objective of information security governance?
🔄 Click any option to check your answer · CISM Domain 1 – Information Security Governance