- (Topic 3)
A newly appointed information security manager has been asked to update all security- related policies and procedures that have been static for five years or more. What should be done NEXT?

1. A. Update in accordance with the best business practices.
2. B. Perform a risk assessment of the current IT environment.
3. C. Gain an understanding of the current business direction.
4. D. Inventory and review current security policies.

Correct Answer: D
The next step for the information security manager should be to inventory and review the current security policies to understand the existing security requirements, controls, and gaps. This will help to identify the areas that need to be updated, revised, or replaced to align with the current business needs and objectives, as well as the legal and regulatory requirements. Updating the policies in accordance with the best business practices, performing a risk assessment of the current IT environment, or gaining an understanding of the current business direction are important activities, but they should be done after reviewing the current security policies.
References = CISM Review Manual, 16th Edition eBook1, Chapter 1: Information Security Governance, Section: Information Security Policies, Standards, Procedures and Guidelines, Subsection: Information Security Policies, Page 28.

- (Topic 2)
Which of the following is a PRIMARY benefit of managed security solutions?

1. A. Wider range of capabilities
2. B. Easier implementation across an organization
3. C. Greater ability to focus on core business operations
4. D. Lower cost of operations

Correct Answer: C
Managed security solutions are services provided by external vendors that offer security expertise, resources, and tools to help organizations protect their information assets and systems. A primary benefit of managed security solutions is that they allow organizations to focus on their core business operations, while delegating the security tasks to the service provider. This can improve the efficiency and effectiveness of the organization, as well as reduce the complexity and cost of managing security internally. Managed security solutions can also provide a wider range of capabilities, easier
implementation across an organization, and lower cost of operations, but these are not the primary benefits, as they may vary depending on the quality and scope of the service provider. References = CISM Review Manual, 16th Edition, ISACA, 2020, p. 841; CISM Online Review Course, Domain 3: Information Security Program Development and Management, Module 3: Information Security Program Management, ISACA2

- (Topic 1)
Which of the following activities MUST be performed by an information security manager for change requests?

1. A. Perform penetration testing on affected systems.
2. B. Scan IT systems for operating system vulnerabilities.
3. C. Review change in business requirements for information security.
4. D. Assess impact on information security risk.

Correct Answer: D

- (Topic 1)
Which of the following is MOST important to ensuring information stored by an organization is protected appropriately?

1. A. Defining information stewardship roles
2. B. Defining security asset categorization
3. C. Assigning information asset ownership
4. D. Developing a records retention schedule

Correct Answer: C
The most important factor to ensuring information stored by an organization is protected appropriately is assigning information asset ownership. Information asset ownership is the process of identifying and assigning the roles and responsibilities of the individuals or groups who have the authority and accountability for the information assets and their protection. Information asset owners are responsible for defining the business value, classification, and security requirements of the information assets, as well as granting the access rights and privileges to the information users and custodians. Information asset owners are also responsible for monitoring and reviewing the security performance and compliance of the information assets, and reporting and resolving any security issues or incidents. By assigning information asset ownership, the organization can ensure that the information assets are properly identified, categorized, protected, and managed according to their importance, sensitivity, and regulatory obligations. References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Data Classification, page 331; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question 62, page 572.

- (Topic 1)
Which of the following is the BEST approach to reduce unnecessary duplication of compliance activities?

1. A. Documentation of control procedures
2. B. Standardization of compliance requirements
3. C. Automation of controls
4. D. Integration of assurance efforts

Correct Answer: B
= Standardization of compliance requirements is the best approach to reduce unnecessary duplication of compliance activities, as it allows for a common understanding of the objectives and expectations of various stakeholders, such as regulators, auditors, customers, and business partners. Standardization also facilitates the alignment of compliance activities with the organization’s risk appetite and tolerance, and enables the identification and elimination of redundant or conflicting controls. References = CISM Review Manual, 27th Edition, page 721; CISM Review Questions, Answers & Explanations Database, 12th Edition, question 952 Learn more: