CISM

Information Security Governance

50 free practice questions with explanations

PassNova has 50 free CISM practice questions on Information Security Governance, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Information Security Governance: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 50 for free in the browser.

  1. An information security manager is establishing a security governance framework. What is the MOST important factor to ensure its success?

    • A Achieving the lowest possible information security budget
    • B Selecting a widely recognised control framework such as ISO 27001
    • C Alignment of the security strategy with business objectives
    • D Deploying advanced technical security controls across the enterprise

    Answer: Effective security governance depends primarily on aligning the security strategy with business objectives so that security supports and enables the organisation's goals.

  2. Who should have ultimate accountability for an organisation's information security governance?

    • A The information security manager
    • B The IT operations department
    • C The board of directors and senior management
    • D The external security auditor

    Answer: Governance is a leadership responsibility; the board and senior management hold ultimate accountability for direction, oversight, and resourcing of information security.

  3. What is the PRIMARY purpose of an information security strategy?

    • A To define disciplinary action for policy violations
    • B To document the technical configuration of security devices
    • C To provide a roadmap that links security activities to organisational goals
    • D To list every known threat facing the organisation

    Answer: A security strategy provides a roadmap that connects security initiatives to business goals, guiding investment and prioritisation over time.

  4. An information security manager wants to demonstrate the value of the security program to executives. Which metric is MOST useful for this purpose?

    • A Number of firewall rules configured
    • B Number of antivirus signatures updated
    • C Key risk indicators showing reduction of business risk exposure
    • D Total count of security patches applied last month

    Answer: Executives value evidence of reduced business risk; key risk indicators tied to business exposure communicate value far better than operational activity counts.

  5. When developing information security policies, what should they be aligned with FIRST?

    • A Industry peer benchmarks
    • B The organisation's business objectives and risk appetite
    • C The personal preferences of the security team
    • D The capabilities of currently deployed security tools

    Answer: Policies must reflect the organisation's business objectives and risk appetite so that the resulting controls are proportionate and support the enterprise.

  6. What BEST defines an organisation's risk appetite?

    • A The amount and type of risk it is willing to accept in pursuit of its objectives
    • B The total monetary value of all its information assets
    • C The number of incidents it experienced in the prior year
    • D The maximum technical capacity of its security controls

    Answer: Risk appetite is the amount and type of risk an organisation is willing to accept in pursuit of its objectives, set by senior management.
