Domain 4: Incident Management Capstone Review — 47 of 47

Domain 4 Capstone Review: Incident Management

CISM Domain 4 — Incident Management Capstone Review 30–40 min

This capstone tests:

  • Preparedness before incidents
  • Structured execution during incidents
  • Governance alignment after incidents

Think impact. Think proportionality. Think defensibility.


Question 1

An organization restores systems in arbitrary order during an outage.

What is the MOST likely root cause?

  1. Incomplete impact analysis
  2. Unclear recovery ownership
  3. Lack of BIA-driven recovery prioritization
  4. Unvalidated response procedure
Answer & Explanation

Correct Answer: C

Recovery sequencing must align with BIA-defined impact.


Question 2

An IRP exists but does not define severity-based escalation thresholds.

What is the PRIMARY risk?

  1. Inconsistent escalation and executive visibility
  2. Unvalidated response procedure
  3. Encryption gap
  4. Unclear recovery ownership
Answer & Explanation

Correct Answer: A

Severity tiers drive structured escalation.


Question 3

RPO is 2 hours, but backups occur once daily.

What is the PRIMARY issue?

  1. Unvalidated response procedure
  2. Vendor oversight
  3. Encryption deficiency
  4. Misalignment between backup frequency and recovery objective
Answer & Explanation

Correct Answer: D

Backup strategy must align with RPO.


Question 4

During investigation, logs are overwritten before analysis.

What is the MOST significant risk?

  1. Encryption gap
  2. Loss of forensic evidence and legal defensibility
  3. Unclear recovery ownership
  4. Unvalidated response procedure
Answer & Explanation

Correct Answer: B

Evidence preservation is critical.


Question 5

A ransomware attack is contained but credentials are not reset.

What is the PRIMARY concern?

  1. Unvalidated response procedure
  2. Incomplete impact analysis
  3. Continued unauthorized access risk
  4. Unclear recovery ownership
Answer & Explanation

Correct Answer: C

Credential reset is part of eradication.


Question 6

Executives are not included in tabletop exercises.

What is the MOST significant governance risk?

  1. Leadership unpreparedness during crisis
  2. Encryption gap
  3. Unclear recovery ownership
  4. Monitoring delay
Answer & Explanation

Correct Answer: A

Executive participation validates decision readiness.


Question 7

A breach is classified as medium severity to avoid board reporting.

What principle is violated?

  1. Automation discipline
  2. Monitoring frequency
  3. Vendor governance
  4. Objective severity classification
Answer & Explanation

Correct Answer: D

Severity must reflect business impact.


Question 8

Containment shuts down all systems, including critical revenue platforms, without assessment.

What was ignored?

  1. Encryption deficiency
  2. Proportional response aligned with business impact
  3. Vendor oversight
  4. Unvalidated response procedure
Answer & Explanation

Correct Answer: B

Containment must consider business continuity.


Question 9

Regulatory notification is delayed pending full investigation.

What is the PRIMARY risk?

  1. Incomplete impact analysis
  2. Unclear recovery ownership
  3. Regulatory noncompliance and penalties
  4. Monitoring delay
Answer & Explanation

Correct Answer: C

Deadlines must be met even during ongoing investigation.


Question 10

After recovery, no additional monitoring is implemented.

What is the PRIMARY weakness?

  1. Failure to validate eradication success
  2. Unvalidated response procedure
  3. Encryption deficiency
  4. Vendor oversight
Answer & Explanation

Correct Answer: A

Post-recovery monitoring confirms control effectiveness.


Question 11

A DRP has not been updated after major cloud migration.

What is the MOST significant risk?

  1. Unvalidated response procedure
  2. Unclear recovery ownership
  3. Encryption gap
  4. Recovery procedures no longer reflect infrastructure reality
Answer & Explanation

Correct Answer: D

DRP must reflect current architecture.


Question 12

An organization conducts annual exercises using the same scenario.

What is the PRIMARY issue?

  1. Encryption deficiency
  2. Limited preparedness for diverse threat landscape
  3. Vendor oversight
  4. Monitoring delay
Answer & Explanation

Correct Answer: B

Testing must evolve with risk landscape.


Question 13

Investigation concludes quickly without assessing third-party involvement.

What is the PRIMARY risk?

  1. Incomplete impact analysis
  2. Unclear recovery ownership
  3. Incomplete scope determination
  4. Unvalidated response procedure
Answer & Explanation

Correct Answer: C

Scope must include potential vendor exposure.


Question 14

A BCP focuses only on IT system restoration.

What is the PRIMARY misunderstanding?

  1. Confusion between business continuity and disaster recovery
  2. Encryption gap
  3. Vendor oversight
  4. Unvalidated response procedure
Answer & Explanation

Correct Answer: A

BCP ensures operations continue beyond IT recovery.


Question 15

Containment actions are undocumented.

What is the MOST significant issue?

  1. Encryption deficiency
  2. Monitoring delay
  3. Vendor oversight
  4. Reduced governance traceability and defensibility
Answer & Explanation

Correct Answer: D

Documentation supports legal and governance review.


Question 16

After an incident, remediation actions are identified but not assigned.

What is the PRIMARY weakness?

  1. Encryption gap
  2. Lack of accountability for corrective measures
  3. Unclear recovery ownership
  4. Unvalidated response procedure
Answer & Explanation

Correct Answer: B

Remediation must have defined ownership.


Question 17

An organization restores from backups but does not validate integrity.

What is the PRIMARY risk?

  1. Encryption deficiency
  2. Vendor oversight
  3. Reintroduction of compromised systems
  4. Monitoring delay
Answer & Explanation

Correct Answer: C

Validation ensures clean recovery.


Question 18

Incident communication occurs through informal messaging tools.

What is the MOST significant governance concern?

  1. Lack of centralized documentation and control
  2. Encryption gap
  3. Unclear recovery ownership
  4. Unvalidated response procedure
Answer & Explanation

Correct Answer: A

Communication must be structured and documented.


Question 19

Incident classification criteria are undefined.

What is the PRIMARY risk?

  1. Incomplete impact analysis
  2. Unvalidated response procedure
  3. Unclear recovery ownership
  4. Inconsistent escalation and reporting
Answer & Explanation

Correct Answer: D

Defined criteria ensure consistent handling.


Question 20

Root cause analysis identifies patching failures, but no policy updates occur.

What is the PRIMARY governance gap?

  1. Unvalidated response procedure
  2. Failure to integrate lessons learned
  3. Encryption deficiency
  4. Vendor oversight
Answer & Explanation

Correct Answer: B

Policy updates reflect program improvement.


Question 21

A major breach is resolved but not reported to the board.

What is the PRIMARY concern?

  1. Lack of governance transparency
  2. Incomplete impact analysis
  3. Unclear recovery ownership
  4. Monitoring delay
Answer & Explanation

Correct Answer: A

Material incidents require executive visibility.


Question 22

Incident tools are purchased but not integrated with case management processes.

What is the PRIMARY weakness?

  1. Unvalidated response procedure
  2. Vendor oversight
  3. Encryption deficiency
  4. Tool capability without governance alignment
Answer & Explanation

Correct Answer: D

Tools must support structured response processes.


Question 23

A severe breach is fully contained, but no post-incident review occurs.

What is the MOST significant risk?

  1. Encryption gap
  2. Unclear recovery ownership
  3. Lost opportunity to improve program resilience
  4. Unvalidated response procedure
Answer & Explanation

Correct Answer: C

Continuous improvement defines maturity.


Question 24

An organization lacks a documented IRP but has strong technical staff.

What is the PRIMARY governance issue?

  1. Encryption deficiency
  2. Absence of structured escalation and accountability
  3. Vendor oversight
  4. Monitoring delay
Answer & Explanation

Correct Answer: B

Structure ensures consistency and defensibility.


Question 25

A mature incident management program should demonstrate:

  1. Integrated readiness, disciplined execution, and continuous improvement
  2. Advanced forensic tools
  3. Daily vulnerability scans
  4. Vendor certifications
Answer & Explanation

Correct Answer: A

Maturity integrates preparedness, structured response, and governance feedback.

Up Next Back to CISM — Complete