CISM

Incident Management & Response

48 free practice questions with explanations

PassNova has 48 free CISM practice questions on Incident Management & Response, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Incident Management & Response: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 48 free in the browser.

  1. An information security manager is developing an incident response plan. What should be defined FIRST?

    • A The annual budget for the security operations centre
    • B The brand of forensic tools to purchase
    • C A clear definition of what constitutes a security incident
    • D The marketing message for affected customers

    Answer: A clear incident definition is foundational, because it determines what triggers the response process and ensures events are recognised and escalated consistently.

  2. What is the PRIMARY objective of incident response?

    • A To increase the security budget for the next year
    • B To replace all affected hardware regardless of need
    • C To assign blame to the individuals responsible
    • D To limit damage and restore normal operations as quickly as possible

    Answer: The primary objective of incident response is to contain damage and restore normal business operations quickly, minimising overall impact.

  3. During a confirmed active security incident, what should the information security manager prioritise FIRST?

    • A Updating the long-term security strategy
    • B Identifying which employee caused the incident
    • C Containing the incident to prevent further damage
    • D Drafting a press release

    Answer: Containment is the immediate priority during an active incident to stop the spread and prevent additional harm before eradication and recovery.

  4. Why is it important to preserve evidence properly during incident response?

    • A To support potential legal action and root cause analysis
    • B To speed up the restoration of services
    • C To reduce the cost of incident handling
    • D To increase the storage capacity of the network

    Answer: Proper evidence preservation maintains a defensible chain of custody for potential legal action and enables accurate root cause analysis.

  5. What is the MOST important activity to perform after an incident has been resolved?

    • A Immediately delete all logs related to the incident
    • B Conduct a post-incident review to identify lessons learned and improve controls
    • C Reduce the size of the incident response team
    • D Disable monitoring to avoid future alerts

    Answer: A post-incident review captures lessons learned and drives improvements to controls and procedures, reducing the likelihood and impact of future incidents.

  6. What is the PRIMARY purpose of regularly testing the incident response plan?

    • A To validate that the plan works and that staff can execute it effectively
    • B To justify purchasing additional security hardware
    • C To replace the need for a business continuity plan
    • D To meet a minimum number of meetings per year

    Answer: Testing validates that the plan is effective and that responders can execute their roles, exposing gaps before a real incident occurs.
