ONLINE
Total Answered 0
Overall Accuracy 0%
Flagged Items 0
Mock Exams Passed 0

Syllabus Domain Mastery

0%
Domain 1 (24%) Information Security Governance
0%
Domain 2 (30%) Information Risk Management
0%
Domain 3 (27%) Program Development & Mgmt
0%
Domain 4 (19%) Incident Management
Filter Domain:
Domain 1

Term Loading...

Click card to reveal definition

ISACA Definition:

Loading definition content...

Click card to flip back
0 / 0
Domain

Question loading...

CORRECT

Explanation details...

CISM Mock Examination

Simulate the real exam constraints. You will face a randomized selection of CISM domain questions under time pressure. Your scores will be written to the database logs.

Questions 10 Questions
Time Allowed 15 Minutes
Target Score 70% Pass
Question 1 of 10
15:00

Mock question content...

Mock Exam Diagnostics

0% FAILED

Correct Answers: 0 / 0

Duration: 0s

Status: Risk management capability not achieved.

BIA Recovery Metrics Timeline

Business Continuity and Disaster Recovery metrics are heavily tested. The key is understanding how they flow sequentially and their relationship with MTD.

Key ISACA Principles:

  • RPO (Recovery Point Objective): Measures maximum data loss in time (e.g., 4 hours of transactions). It dictates backup frequency.
  • RTO (Recovery Time Objective): The time allowed to get hardware/systems back online (e.g., restore server from OS install).
  • WRT (Work Recovery Time): The time required to restore/verify databases, catch up on transactions, and perform checks.
  • MTD (Maximum Tolerable Downtime): The absolute limit. Formula: RTO + WRT ≤ MTD. Exceeding MTD means operational survival is threatened.
RPO (Data Loss) Last Backup DISASTER Event (t=0) RTO (Restored) WRT (Validated) MTD (Ruin Point) Recovery Time (RTO) Work Recovery (WRT) Max Downtime (MTD)

Risk Capacity, Tolerance & Appetite

These thresholds represent the boundaries of risk an organization faces. They dictate risk responses and controls.

Key ISACA Principles:

  • Risk Capacity: The objective maximum financial limit of risk the company can take on before going out of business.
  • Risk Appetite: The target amount of risk management is willing to accept to achieve business strategies. Set by the Board.
  • Risk Tolerance: The acceptable deviation boundary. If a risk goes slightly over appetite (e.g. temporary project requirements), it's acceptable if approved, as long as it stays below capacity.
RISK APPETITE (Preferred comfort zone) RISK TOLERANCE (Acceptable variance zone) RISK CAPACITY (Absolute survival limit - Ruin)

Incident Response Lifecycle

Understanding the sequence of incident handling is crucial. The priority is containing the damage before performing diagnostics or restoring files.

Key ISACA Principles:

  • Active Threat Priority: When an active breach or data leak is identified, the immediate priority is **Containment** (e.g. isolating infected subnets).
  • Eradication vs. Recovery: You cannot restore system backups (Recovery) until the malware or compromise vector has been completely purged (Eradication).
  • Post-Incident Activity: The Lessons Learned phase is the most critical for governance, ensuring processes are updated to prevent recurrence.
1. Prep Plans/Tools 2. Identify Triage/Confirm 3. Contain Isolate/Stop 4. Eradicate Clean Cause 5. Recover Restore/Test 6. Lessons Review/Fix

Security Control Matrix

Controls are classified by category (how they are enforced) and type (what phase of the threat they act on).

Key ISACA Principles:

  • Preventive: Intended to stop a violation before it starts (e.g., locks, firewalls).
  • Detective: Intended to locate violations after they occur (e.g., audit logs, alarms).
  • Corrective: Intended to restore systems and mitigate further harm (e.g., backups, software restores).
  • Compensating: Alt controls active when standard controls are not possible.
Category Preventive (Before) Detective (During) Corrective (After)
Administrative Background Checks / Policy signing Job Rotation / Audit checks Disciplinary Procedures / IRP updates
Technical (Logical) Firewalls / Encryption / MFA IDS alert log analysis / SIEM System restore / Antivirus quarantine
Physical Biometric lock / High fence CCTV monitoring / Alarm triggers Fire suppression systems

Governance & Risk Accountability Hierarchy

CISM heavily tests the division of security duties and risk ownership. CISOs direct the program, but Business Owners own the risk.

Key ISACA Principles:

  • Strategic Oversight: The Board of Directors sets the overall risk appetite and defines governance strategy.
  • Risk Acceptance Owner: The **Business Unit Owner** (not the CISO) owns the data and system risk. Therefore, only they can authorize risk acceptance or policy exceptions.
  • CISO Role: The CISO is an advisor and strategist. They design controls and recommend responses, but do not own the business assets.
1. Board / CEO Accountability / Appetite 2. Business Unit Managers Risk Owners / Approval 3. CISO & Security Team Execution / Strategy Advisors

Quantitative Risk Math Flow

Quantitative risk assessment evaluates loss values in monetary metrics. You must memorize these three formulas.

Core Implementation Principles:

  • Asset Value (AV): Focuses on replacement cost, productivity loss, and liability.
  • Exposure Factor (EF): The percentage of loss (e.g. partial breach = 0.15).
  • ARO (Annual Rate of Occurrence): Frequency of the event per year.
  • Cost-Justification Rule: A control's cost must not exceed the ALE reduction it brings.
Single Loss Expectancy (SLE)
SLE = Asset Value * Exposure Factor (EF)
Cost of a single impact event (e.g. $100k Asset * 20% EF = $20k SLE)
Annual Loss Expectancy (ALE)
ALE = SLE * Annual Rate of Occurrence (ARO)
Cost of the risk over a year (e.g. $20k SLE * 3 ARO = $60k ALE)
Cost-Benefit Analysis
Net Benefit = ALE_before - ALE_after - Annual_Control_Cost
Control value must exceed its annual upkeep costs to be justified.

Database Study Deck Curator

Expand your exam preparation. Manually enter custom multiple-choice questions or active recall flashcards directly into the SQLite database.

Create Custom Flashcard

Create Custom Practice Question