CISM Exam Dumps - Certified Information Security Manager

= The first step that the information security manager should recommend when learning of a new standard related to an emerging technology is to determine whether the organization can benefit from adopting the new standard. This involves evaluating the business objectives, needs, and requirements of the organization, as well as the potential advantages, disadvantages, and challenges of implementing the new technology and the new standard. The information security manager should also consider the alignment of the new standard with the organization’s existing policies, procedures, and standards, as well as the impact of the new standard on the organization’s information security governance, risk management, program, and incident management. By conducting a preliminary analysis of the feasibility, suitability, and desirability of the new standard, the information security manager can provide a sound basis for further decision making and planning.

References = CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Information Security Standards, page 391; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question 43, page 412.

The document that should include contact information for representatives of equipment and software vendors is the business continuity plan (BCP) because it provides the guidance and procedures for restoring the organization’s critical business functions and operations in the event of a disruption or disaster, and may require contacting external parties such as vendors for assistance or support. Information security program charter is not a good document for this purpose because it does not provide any guidance or procedures for business continuity or disaster recovery. Business impact analysis (BIA) is not a good document for this purpose because it does not provide any guidance or procedures for business continuity or disaster recovery. Service level agreements (SLAs) are not good documents for this purpose because they do not provide any guidance or procedures for business continuity or disaster recovery. References: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/business- continuity-management-lifecycle https://www.isaca.org/resources/isaca-journal/issues/2016/volume-4/business-impact-analysis

The most important thing to include in the vendor selection criteria when procuring security services from a third-party vendor is B. Alignment of the vendor’s business objectives with enterprise security goals. This is because the vendor should be able to understand and support the enterprise’s security vision, mission, strategy, and policies, and provide services that are consistent and compatible with them. The vendor should also be able to demonstrate how their services add value, reduce risk, and enhance the performance and maturity of the enterprise’s information security program. The alignment of the vendor’s business objectives with enterprise security goals can help to ensure a successful and long-term partnership, and avoid any conflicts, gaps, or issues that may arise from misalignment or divergence.

The vendor should be able to understand and support the enterprise’s security vision, mission, strategy, and policies, and provide services that are consistent and compatible with them. (From CISM Manual or related resources)

References = CISM Review Manual 15th Edition, Chapter 3, Section 3.2.1, page 1341; Third-Party Vendor Selection: If Done Right, It’s a Win-Win2; Vendor Selection Criteria: Key Factors in Procurement Success3

A walk-through of the disaster recovery plan (DRP) is a method of testing the plan by simulating a disaster scenario and having the participants review their roles and responsibilities, as well as the procedures and resources required to execute the plan. A walk-through has the greatest positive impact on the ability to execute the DRP, as it helps to identify and resolve any gaps, errors, or inconsistencies in the plan, as well as to enhance the awareness and readiness of the stakeholders involved in the recovery process. References = CISM Review Manual, 16th Edition, Chapter 5, Section 5.3.2.21

Employee accountability is the degree to which employees are responsible for their actions and outcomes related to information security. It reflects the extent to which employees understand their roles and responsibilities, follow the policies and procedures, report incidents and breaches, and comply with legal and regulatory requirements. Embedding security responsibilities into job descriptions helps to clarify the expectations and obligations of employees, as well as the consequences of non-compliance or negligence. It also helps to align the security objectives with the business goals and strategies, and to foster a culture of security awareness and responsibility.

The most important action aligned with Zero Trust principles is ensuring contracts with external parties mandate continuous verification and least privilege access . Zero Trust is based on the principle of “never trust, always verify,” requiring ongoing validation of identity, device posture, access context, and authorization. It also requires limiting access to the minimum necessary for the task. Encryption, audits, and annual training are valuable supporting controls, but they do not capture the core operating model of Zero Trust as directly as continuous verification and least privilege. When engaging external parties, contractual requirements are essential because they create enforceable obligations for how access to organizational systems and data must be managed. CISM governance principles emphasize that third-party access should be controlled through documented requirements, accountability, monitoring, and risk-based oversight. Therefore, the best answer is mandating continuous verification and least privilege access in contracts, because this embeds Zero Trust expectations into third-party governance and access management.