CISM

Information Risk Management

52 free practice questions with explanations

PassNova has 52 free CISM practice questions on Information Risk Management, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Information Risk Management: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 52 for free in the browser.

  1. What is the FIRST step an information security manager should take when establishing a risk management program?

    • A Identify and classify the organisation's information assets
    • B Implement encryption on all databases
    • C Hire additional security analysts
    • D Purchase a risk management software platform

    Answer: You cannot assess or treat risk without first identifying and classifying the assets to be protected; asset identification is the foundational step.

  2. During a risk assessment, the value of an asset is determined PRIMARILY by which of the following?

    • A Its original purchase price
    • B Its importance to the organisation's business operations
    • C The brand of the hardware it runs on
    • D The number of users with access to it

    Answer: Asset value is driven by importance to business operations, since the impact of compromise depends on how the asset supports the organisation, not its purchase cost.

  3. An information security manager has identified a high risk. After analysis, the cost of mitigation greatly exceeds the potential loss. What is the MOST appropriate response?

    • A Accept the risk with appropriate management approval
    • B Ignore the risk entirely and document nothing
    • C Immediately shut down the affected business process
    • D Implement the costly control regardless of cost

    Answer: When mitigation cost exceeds the potential loss, accepting the risk with documented management approval is the rational, risk-based decision.

  4. Which of the following BEST describes residual risk?

    • A The total of all risks transferred to a third party
    • B The risk that has been completely eliminated
    • C The risk that exists before any controls are applied
    • D The risk remaining after controls have been implemented

    Answer: Residual risk is the risk that remains after controls have been applied; it must be compared against risk appetite to decide if further treatment is needed.

  5. Purchasing cyber insurance to cover potential losses from a security breach is an example of which risk treatment option?

    • A Risk transfer
    • B Risk acceptance
    • C Risk avoidance
    • D Risk mitigation

    Answer: Insurance shifts the financial consequences of a risk to a third party, which is the defining characteristic of risk transfer.

  6. What is the PRIMARY benefit of performing a business impact analysis (BIA)?

    • A It identifies all technical vulnerabilities in the network
    • B It determines the potential consequences of disruption to critical business processes
    • C It configures the organisation's backup software
    • D It replaces the need for a risk assessment

    Answer: A BIA identifies critical processes and quantifies the impact of their disruption, informing recovery priorities and acceptable downtime.
