- (Topic 2)
Which of the following is the sole responsibility of the client organization when adopting a Software as a Service (SaaS) model?

1. A. Host patching
2. B. Penetration testing
3. C. Infrastructure hardening
4. D. Data classification

Correct Answer: D
Data classification is the sole responsibility of the client organization when adopting a Software as a Service (SaaS) model. Data classification is the process of categorizing data based on its sensitivity, value and criticality to the organization. Data classification helps to determine the appropriate level of protection, access control and retention for different types of data. Data classification is an essential part of data governance and risk management, as it enables the organization to comply with legal and regulatory requirements, protect its intellectual property and reputation, and optimize its data storage and usage costs.
In a SaaS model, the client organization has the least control and responsibility over the cloud infrastructure, platform and application, as these are fully managed by the cloud service provider (CSP). The client organization only has control and responsibility over its own data and users. Therefore, the client organization is responsible for defining and implementing data classification policies and procedures, and ensuring that its data is properly labeled and handled according to its classification level. The client organization is also responsible for educating its users about the importance of data classification and the best practices for data security and privacy.
The other options are not the sole responsibility of the client organization in a SaaS model, as they are either shared with or delegated to the CSP. Host patching, penetration testing and infrastructure hardening are all related to the security and maintenance of the cloud infrastructure and platform, which are the responsibility of the CSP in a SaaS model. The CSP is expected to provide regular updates, patches and fixes to the host operating system, network and application components, and to conduct periodic security assessments and audits to identify and remediate any vulnerabilities or weaknesses in the cloud environment. The client organization may have some responsibility to monitor and verify the CSP’s performance and compliance with the service level agreement (SLA) and the cloud security standards and regulations, but it does not have direct control or access to the cloud infrastructure and platform. References =
✑ Understanding the Shared Responsibilities Model in Cloud Services - ISACA, Figure 1
✑ CISM Review Manual, Chapter 3, page 121

- (Topic 3)
Which of the following would BEST demonstrate the status of an organization's information security program to the board of directors?

1. A. Information security program metrics
2. B. Results of a recent external audit
3. C. The information security operations matrix
4. D. Changes to information security risks

Correct Answer: A
Information security program metrics are the best way to demonstrate the status of an organization’s information security program to the board of directors, as they provide relevant and meaningful information on the performance, effectiveness, and value of the program, as well as the current and emerging risks and the corresponding mitigation strategies. Information security program metrics should be aligned with the business objectives and risk appetite of the organization, and should be presented in a clear and concise manner that enables the board of directors to make informed decisions and provide oversight. (From CISM Review Manual 15th Edition)
References: CISM Review Manual 15th Edition, page 37, section 1.3.2.2.

- (Topic 2)
Which of the following should be the MOST important consideration of business continuity management?

1. A. Ensuring human safety
2. B. Identifying critical business processes
3. C. Ensuring the reliability of backup data
4. D. Securing critical information assets

Correct Answer: A
= Business continuity management (BCM) is the process of planning and implementing measures to ensure the continuity of critical business processes in the event of a disruption. The most important consideration of BCM is ensuring human safety, as this is the primary responsibility of any organization and the basis of ethical conduct. Human safety includes protecting the health and well-being of employees, customers, suppliers, and other stakeholders who may be affected by a disruption. Identifying critical business processes, ensuring the reliability of backup data, and securing critical information assets
are also important aspects of BCM, but they are secondary to human safety. References = CISM Review Manual, 16th Edition, ISACA, 2020, p. 2111; CISM Online Review Course, Domain 4: Information Security Incident Management, Module 4: Business Continuity and Disaster Recovery, ISACA2

- (Topic 3)
Which of the following should be the PRIMARY outcome of an information security program?

1. A. Strategic alignment
2. B. Risk elimination
3. C. Cost reduction
4. D. Threat reduction

Correct Answer: A
According to the CISM Review Manual (Digital Version), Chapter 3, Section 3.2.1, strategic alignment is the primary outcome of an information security program1. Strategic alignment means that the information security program supports and is tailored to the organization’s objectives and business strategy1. It also means that the information security program is aligned with other assurance functions, such as physical, human resources, quality, and IT1.
The CISM Review Manual (Digital Version) also states that strategic alignment is essential for achieving a competitive advantage, enhancing customer trust, reducing legal and regulatory risks, and improving organizational performance1. Strategic alignment requires effective communication and collaboration among all stakeholders, including senior management, information owners, information security managers, information security steering committees, and external partners1.
The CISM Exam Content Outline also covers the topic of strategic alignment in Domain 3
— Information Security Program Development and Management (33% exam weight)2. The subtopics include:
✑ 3.2.1 Information Security Strategy
✑ 3.2.2 Information Security Governance
✑ 3.2.3 Information Security Risk Management
✑ 3.2.4 Information Security Compliance
I hope this answer helps you prepare for your CISM exam. Good luck!

- (Topic 3)
The ULTIMATE responsibility for ensuring the objectives of an information security framework are being met belongs to:

1. A. )the information security officer.
2. B. the steering committee.
3. C. the board of directors.
4. D. the internal audit manager.

Correct Answer: C
The ultimate responsibility for ensuring the objectives of an information security framework are being met belongs to the board of directors, as they are accountable for the governance of the organization and the oversight of the information security strategy. The board of directors should ensure that the information security framework aligns with the business objectives, supports the business processes, and complies with the legal and regulatory requirements. The board of directors should also monitor the performance and effectiveness of the information security framework and provide guidance and direction for its improvement.
References = CISM Review Manual, 16th Edition eBook1, Chapter 1: Information Security Governance, Section: Enterprise Governance, Subsection: Board of Directors, Page 18.