Domain 1 – Section A Review: Enterprise Governance

CISM Domain 1 — Information Security Governance
Section A — Enterprise Governance Review
10 Questions

This review integrates:

  • Organizational Culture
  • Legal, Regulatory and Contractual Requirements
  • Organizational Structures, Roles and Responsibilities

Expect scenario-driven questions that test governance alignment — not technical knowledge.


Question 1

A global organization expands into a highly regulated market. Local business leaders insist that existing security controls are sufficient and resist policy changes.

What should the information security manager do FIRST?

A. Enforce updated controls across all regions
B. Engage executive leadership to assess regulatory exposure and align governance strategy
C. Conduct internal audits of all regional offices
D. Escalate resistance directly to regulators

Answer & Explanation

Correct Answer: B

The issue is regulatory exposure combined with cultural resistance.

CISM prioritizes executive alignment and governance integration before enforcement.


Question 2

Security oversight reports into IT operations. Audit findings consistently remain unresolved.

What is the PRIMARY governance weakness?

A. Technical skill gap
B. Reporting inefficiency
C. Lack of independence and accountability
D. Budget shortfall

Answer & Explanation

Correct Answer: C

Structural independence is compromised.

CISM emphasizes governance alignment before operational fixes.


Question 3

A vendor contract requires incident notification within 24 hours. The organization currently requires 72 hours for internal investigation before escalation.

What is the MOST appropriate action?

A. Ignore the contractual requirement
B. Revise internal processes to align with contractual obligations
C. Terminate the vendor relationship
D. Delay notifications until investigation is complete

Answer & Explanation

Correct Answer: B

Contractual obligations must be integrated into governance processes.

Compliance alignment is the priority.


Question 4

Employees frequently bypass security controls to maintain productivity.

What should be assessed FIRST?

A. Deploy stronger technical controls
B. Increase monitoring tools
C. Alignment between controls and business processes
D. Immediate disciplinary action

Answer & Explanation

Correct Answer: C

This reflects cultural misalignment.

CISM prioritizes governance alignment over enforcement.


Question 5

A regulator announces increased oversight in your industry. Security documentation exists but monitoring is informal.

What is the MOST effective next step?

A. Purchase compliance automation software
B. Conduct a formal compliance risk assessment
C. Issue awareness training to staff
D. Publicly announce compliance improvements

Answer & Explanation

Correct Answer: B

Structured risk assessment aligns governance with regulatory expectations.


Question 6

Security control ownership is unclear across multiple departments. Findings remain unresolved due to confusion over responsibility.

What should the information security manager establish FIRST?

A. Automated monitoring
B. Centralized technical enforcement
C. Clearly defined control ownership and escalation paths
D. External audit engagement

Answer & Explanation

Correct Answer: C

Defined accountability is foundational to governance effectiveness.


Question 7

Senior leadership verbally supports security initiatives but repeatedly reallocates security budgets to other projects.

What is the MOST significant governance concern?

A. Technical vulnerability
B. Cultural misalignment between messaging and action
C. Control testing inefficiency
D. Procurement weakness

Answer & Explanation

Correct Answer: B

Executive behavior shapes culture.

Misalignment weakens governance credibility.


Question 8

A breach occurs that may trigger mandatory reporting laws. Leadership suggests delaying disclosure to protect reputation.

What should the information security manager do?

A. Delay reporting until media attention subsides
B. Immediately disclose publicly without consultation
C. Engage legal counsel and assess reporting obligations
D. Ignore the breach due to limited financial impact

Answer & Explanation

Correct Answer: C

Legal obligations override reputational concerns.

Structured governance engagement is required.


Question 9

A decentralized organization allows each business unit to define its own security controls.

What is the PRIMARY risk?

A. Increased cost efficiency
B. Inconsistent governance and control maturity
C. Reduced technical performance
D. Slower procurement cycles

Answer & Explanation

Correct Answer: B

Decentralization without governance oversight creates inconsistency and exposure.


Question 10

The board requests quarterly updates on enterprise security posture. The security team prepares detailed vulnerability reports.

What is the MOST appropriate adjustment?

A. Increase report frequency
B. Provide raw technical data
C. Translate findings into enterprise risk impact aligned with risk appetite
D. Delegate reporting to IT operations

Answer & Explanation

Correct Answer: C

Board-level reporting must focus on risk impact and governance alignment — not technical detail.


Section A Review Pattern Summary

In Enterprise Governance questions:

  • Fix structure before tools.
  • Align culture before enforcement.
  • Engage legal before reacting.
  • Define ownership before escalation.
  • Translate technical risk into enterprise language.

CISM evaluates whether you think like a security leader — not a technician.

Next Module: Module 4, Information Security Strategy Development