Domain 1 – Full Cross-Topic Review: Information Security Governance
This review integrates:
- Enterprise Governance
- Information Security Strategy
- Frameworks and Standards
- Strategic Planning and Budgeting
Expect executive-level decision pressure.
Question 1
A new business expansion increases regulatory exposure in multiple jurisdictions. Security controls exist but are not standardized globally.
What should the information security manager do FIRST?
A. Conduct a cross-jurisdiction compliance risk assessment
B. Deploy global encryption standards
C. Increase monitoring frequency
D. Escalate to regulators
Answer & reasoning
Correct: A
Governance begins with structured assessment of regulatory exposure before control deployment.
Question 2
Security reports into IT operations. The board questions the independence of oversight.
What is the MOST appropriate action?
A. Increase vulnerability scanning
B. Replace technical staff
C. Recommend restructuring reporting lines
D. Outsource monitoring
Answer & reasoning
Correct: C
Independence is a governance structure issue, not a tooling problem.
Question 3
Leadership approves a major framework adoption without resource expansion.
What is the PRIMARY risk?
A. Increased automation
B. Framework implementation failure due to insufficient capacity
C. Improved compliance
D. Reduced vendor risk
Answer & reasoning
Correct: B
Strategic alignment requires realistic resource planning.
Question 4
A breach triggers contractual reporting obligations. The organization lacks a defined escalation process.
What should occur FIRST?
A. Engage legal and assess contractual exposure
B. Public disclosure
C. Implement new detection tools
D. Terminate vendor contracts
Answer & reasoning
Correct: A
Compliance obligations require structured governance response.
Question 5
The security strategy emphasizes zero risk tolerance despite leadership approving a moderate risk appetite.
What is the MOST significant issue?
A. Excessive encryption
B. Delayed reporting
C. Increased vendor cost
D. Misalignment between security strategy and enterprise risk tolerance
Answer & reasoning
Correct: D
Security must reflect enterprise-defined risk appetite.
Question 6
Security investments are justified by industry trends rather than enterprise risk analysis.
What is the PRIMARY weakness?
A. Technical immaturity
B. Encryption weakness
C. Audit delay
D. Lack of business case alignment
Answer & reasoning
Correct: D
CISM prioritizes risk-based justification over trend adoption.
Question 7
Employees frequently ignore reporting requirements due to fear of managerial backlash.
What should leadership address FIRST?
A. Cultural tone and executive messaging
B. Monitoring tools
C. Incident playbooks
D. Disciplinary enforcement
Answer & reasoning
Correct: A
Cultural misalignment must be addressed before enforcement.
Question 8
Multiple frameworks are implemented across departments without central oversight.
What is the PRIMARY governance concern?
A. Reduced encryption
B. Framework fragmentation
C. Increased compliance
D. Vendor inefficiency
Answer & reasoning
Correct: B
Governance requires centralized oversight and integration.
Question 9
The board receives detailed technical reports but struggles to interpret enterprise risk exposure.
What adjustment is MOST appropriate?
A. Increase technical detail
B. Provide enterprise-level risk summaries aligned with strategy
C. Reduce reporting frequency
D. Delegate reporting to IT
Answer & reasoning
Correct: B
Governance reporting must align with the board-level perspective.
Question 10
A vendor contract mandates annual security reviews, which have not been conducted.
What is the MOST significant risk?
A. Technical vulnerability
B. Reduced automation
C. Contractual liability
D. Operational delay
Answer & reasoning
Correct: C
Contractual compliance failure creates legal and financial exposure.
Question 11
A new digital initiative bypasses security review to meet launch deadlines.
What should the security manager do FIRST?
A. Engage executive stakeholders to align security strategy
B. Halt deployment
C. Implement emergency controls
D. Issue disciplinary action
Answer & reasoning
Correct: A
Strategy integration precedes enforcement.
Question 12
Security funding increases, but no performance metrics are defined.
What governance gap exists?
A. Encryption weakness
B. Vendor inefficiency
C. Reduced automation
D. Lack of measurable strategic outcomes
Answer & reasoning
Correct: D
Strategy requires measurable validation.
Question 13
A decentralized structure allows business units to define their own controls.
What is the PRIMARY risk?
A. Reduced speed
B. Inconsistent governance maturity
C. Improved flexibility
D. Vendor complexity
Answer & reasoning
Correct: B
Governance fragmentation increases exposure.
Question 14
Leadership wants to eliminate all residual risk following a minor incident.
What is the MOST appropriate response?
A. Approve all security investments
B. Increase monitoring
C. Conduct risk-based reassessment aligned with risk appetite
D. Replace vendors
Answer & reasoning
Correct: C
Risk appetite must guide investment decisions.
Question 15
A regulatory authority introduces new reporting requirements. Internal policy has not been updated.
What should occur FIRST?
A. Purchase compliance software
B. Increase monitoring
C. Update policy through formal governance process
D. Notify customers
Answer & reasoning
Correct: C
Policy must reflect legal obligations before operational changes.
Question 16
Security leadership proposes implementing a complex framework without executive sponsorship.
What is the PRIMARY concern?
A. Increased encryption
B. Vendor delay
C. Lack of governance backing
D. Technical inefficiency
Answer & reasoning
Correct: C
Executive sponsorship is foundational to strategic success.
Question 17
Control ownership is unclear, resulting in unresolved audit findings.
What is the MOST appropriate governance correction?
A. Increase monitoring
B. Replace staff
C. Deploy automated tools
D. Assign defined accountability and escalation paths
Answer & reasoning
Correct: D
Ownership drives governance effectiveness.
Question 18
A security initiative improves detection capabilities but does not align with strategic business goals.
What is the PRIMARY weakness?
A. Excessive monitoring
B. Reduced encryption
C. Vendor inefficiency
D. Strategic misalignment
Answer & reasoning
Correct: D
Security must support enterprise objectives.
Question 19
Security reports show reduced vulnerability counts but increased enterprise risk exposure due to business expansion.
What should the security manager do?
A. Maintain current strategy
B. Reassess strategic risk alignment
C. Increase encryption
D. Reduce reporting
Answer & reasoning
Correct: B
Strategy must adapt to evolving enterprise risk.
Question 20
Leadership consistently overrides security recommendations without formal risk acceptance documentation.
What is the MOST significant governance issue?
A. Weak accountability and documentation
B. Encryption gap
C. Vendor inefficiency
D. Reduced automation
Answer & reasoning
Correct: A
Governance requires documented accountability and risk acceptance.
Domain 1 Executive Pattern Summary
In CISM Domain 1:
- Governance precedes tools.
- Alignment precedes enforcement.
- Risk appetite guides strategy.
- Frameworks guide structure.
- Business case drives funding.
- Board-level communication matters.
- Accountability determines effectiveness.
If an answer is purely technical, it is usually wrong.