What is Information Security Governance? | The system by which information security strategy is directed and controlled so it aligns with business goals, risk appetite, and accountability.
What is Information Security Risk Management? | The process of identifying, assessing, treating, monitoring, and communicating information security risk.
What is an Information Security Program? | The organized set of policies, processes, controls, resources, and activities used to manage information security.
What is Incident Management? | The structured approach for preparing for, detecting, responding to, recovering from, and learning from security incidents.
What is the main purpose of Governance? | To align security with business objectives, provide oversight, assign accountability, and guide decision-making.
What is the main purpose of Risk Management? | To understand and prioritize risk so the organization can make informed business decisions.
What is the main purpose of the Security Program? | To implement and operate the organization’s security strategy and controls.
What is the main purpose of Incident Management? | To reduce the impact of incidents through preparation, response, recovery, and improvement.
What is risk appetite? | The amount and type of risk an organization is willing to pursue or retain.
What is risk tolerance? | The acceptable variation around specific objectives or risk levels.
What is inherent risk? | The level of risk that exists before controls are applied.
What is residual risk? | The level of risk that remains after controls are applied; it is what management compares against risk appetite when deciding whether to accept the risk or treat it further.
What is a control? | A safeguard or countermeasure used to reduce risk.
What is a policy? | A high-level statement of management intent and direction.
What is a standard? | A mandatory rule or requirement that supports a policy.
What is a procedure? | A detailed step-by-step instruction for performing a task.
What is a guideline? | A recommended but optional approach.
What is due care? | Acting responsibly and prudently to protect assets and reduce risk.
What is due diligence? | The ongoing effort to review, monitor, and verify that security measures are appropriate and effective.
What is business alignment in security? | Ensuring security supports business goals instead of operating in isolation.
What is accountability? | Being answerable for results, decisions, or assigned responsibilities.
What is ownership in risk management? | The responsibility for accepting, managing, or escalating a risk.
What is a security strategy? | A long-term plan for achieving the organization’s security objectives.
What is a security roadmap? | A prioritized sequence of initiatives used to implement the security strategy over time.
What is a metric? | A measurable value used to evaluate performance or effectiveness.
What is a KPI? | A key performance indicator that tracks how well an important objective is being achieved.
What is risk treatment? | Choosing and implementing a response to risk such as mitigate, transfer, avoid, or accept.
What is risk acceptance? | A decision to retain a risk after understanding it and deciding it is within tolerance.
What is risk mitigation? | Reducing likelihood or impact through controls or other actions.
What is risk transfer? | Shifting some of the financial or operational impact of a risk to another party, such as through insurance or contracts; accountability for the risk stays with the organization.
What is risk avoidance? | Stopping the activity that creates the risk.
What is an incident? | An event that actually threatens or harms confidentiality, integrity, or availability and requires response.
What is an event? | An observable occurrence that may or may not require action.
What is recovery? | Restoring systems, operations, or services after an incident.
What is lessons learned? | The post-incident review used to improve future response and reduce repeat issues.
What is continuous improvement in security? | The ongoing effort to enhance governance, risk management, controls, and response over time.