Free Preparation Discussions
MENU
Exin CITM Exam Questions
- Topic 1: IT Strategy: This section of the exam measures the skills of an IT Strategy Manager and covers the development and alignment of IT strategy with business objectives. It emphasizes creating strategic plans to support organizational goals, understanding emerging technologies, and ensuring that IT investments contribute to competitive advantage and operational efficiency.
- Topic 2: IT Organization: This domain targets an IT Operations Manager and focuses on the design and management of IT organizational structures. It includes defining roles and responsibilities, establishing governance frameworks, managing resources effectively, and fostering collaboration to support IT service delivery and business needs.
- Topic 3: Vendor Selection / Management: This section measures the expertise of a Vendor Manager and covers the process of selecting and managing third-party providers. It addresses evaluating vendor capabilities, negotiating contracts, monitoring performance, and maintaining productive relationships to ensure service quality and value.
- Topic 4: Project Management: This domain is aimed at an IT Project Manager and encompasses planning, executing, and controlling IT projects. It includes managing scope, time, cost, quality, and risks, applying project methodologies, engaging stakeholders, and delivering projects that meet business requirements.
- Topic 5: Application Management: This section of the exam evaluates an Application Manager’s skills in overseeing the lifecycle of IT applications. It covers application development support, maintenance, upgrades, user support, and ensuring that applications meet functional and performance standards aligned with business needs.
- Topic 6: Service Management: This domain targets a Service Delivery Manager and focuses on managing IT services to ensure consistent and efficient delivery. It includes establishing service level agreements (SLAs), incident and problem management, continuous service improvement, and aligning IT services with business demands.
- Topic 7: Business Continuity Management: This section measures the skills of a Business Continuity Manager and covers planning and implementing strategies to ensure IT availability and resilience during disruptions. It includes risk assessment, disaster recovery planning, backup procedures, and testing to minimize business impact.
- Topic 8: Risk Management: This domain evaluates the capabilities of an IT Risk Manager and involves identifying, assessing, and mitigating IT-related risks. It addresses developing risk frameworks, compliance management, and proactive measures to safeguard IT assets and operations.
- Topic 9: Information Security Management: This section targets an Information Security Manager and focuses on protecting information assets from threats. It covers policy development, security controls implementation, incident response, data protection, and compliance with legal and regulatory requirements to maintain confidentiality, integrity, and availability.
Free Exin CITM Exam Actual Questions
Note: Premium Questions for CITM were last updated On Feb. 22, 2026 (see below)
Controls to manage risk have been implemented and evaluated successfully. Risks are now at the level which the organization is willing to accept. What is the name of this risk?
In risk management, after controls are implemented to mitigate risks, the remaining risk that the organization is willing to accept is called residual risk (C). According to frameworks like ISO/IEC 27001 and COBIT, residual risk represents the level of risk that persists after applying controls, deemed acceptable based on the organization's risk appetite. For example, if a control reduces the likelihood or impact of a threat (e.g., data breach), the remaining exposure is the residual risk, which the organization monitors but does not further mitigate unless necessary.
Reduced risk (A): Not a standard term; implies a general decrease but lacks specificity.
Lowered risk (B): Similar to reduced risk, not a recognized term in risk management frameworks.
Modified risk (D): Implies risk alteration but is not a standard term for post-control risk levels.
Residual risk is a critical concept in risk management, ensuring organizations understand and accept the remaining exposure after mitigation efforts.
What is the correct sequence of activities for a risk assessment?
The correct sequence for a risk assessment, as per ISO 31000 and ISO/IEC 27001, is: Establish context --- identify --- analyse --- evaluate --- treatment (C).
Establish context: Define the scope, objectives, and criteria for the risk assessment (e.g., organizational goals, assets, and risk appetite).
Identify: Identify potential risks (e.g., threats and vulnerabilities) that could impact objectives.
Analyse: Assess the likelihood and impact of identified risks to determine their severity.
Evaluate: Compare risks against risk criteria to prioritize them for treatment.
Treatment: Implement controls or strategies to mitigate, avoid, transfer, or accept risks.
Option A: Incorrect, as ''monitor and review'' is a post-treatment step, not the starting point.
Option B: Incorrect, as ''communication'' is not a distinct step in risk assessment; it's embedded throughout.
Option D: Incorrect, as it skips ''establish context,'' which is essential for defining the assessment's scope.
This sequence ensures a structured, systematic approach to risk assessment, aligning with organizational objectives.
Controls to manage risk have been implemented and evaluated successfully. Risks are now at the level which the organization is willing to accept. What is the name of this risk?
In risk management, after controls are implemented to mitigate risks, the remaining risk that the organization is willing to accept is called residual risk (C). According to frameworks like ISO/IEC 27001 and COBIT, residual risk represents the level of risk that persists after applying controls, deemed acceptable based on the organization's risk appetite. For example, if a control reduces the likelihood or impact of a threat (e.g., data breach), the remaining exposure is the residual risk, which the organization monitors but does not further mitigate unless necessary.
Reduced risk (A): Not a standard term; implies a general decrease but lacks specificity.
Lowered risk (B): Similar to reduced risk, not a recognized term in risk management frameworks.
Modified risk (D): Implies risk alteration but is not a standard term for post-control risk levels.
Residual risk is a critical concept in risk management, ensuring organizations understand and accept the remaining exposure after mitigation efforts.
What is the correct sequence of activities for a risk assessment?
The correct sequence for a risk assessment, as per ISO 31000 and ISO/IEC 27001, is: Establish context --- identify --- analyse --- evaluate --- treatment (C).
Establish context: Define the scope, objectives, and criteria for the risk assessment (e.g., organizational goals, assets, and risk appetite).
Identify: Identify potential risks (e.g., threats and vulnerabilities) that could impact objectives.
Analyse: Assess the likelihood and impact of identified risks to determine their severity.
Evaluate: Compare risks against risk criteria to prioritize them for treatment.
Treatment: Implement controls or strategies to mitigate, avoid, transfer, or accept risks.
Option A: Incorrect, as ''monitor and review'' is a post-treatment step, not the starting point.
Option B: Incorrect, as ''communication'' is not a distinct step in risk assessment; it's embedded throughout.
Option D: Incorrect, as it skips ''establish context,'' which is essential for defining the assessment's scope.
This sequence ensures a structured, systematic approach to risk assessment, aligning with organizational objectives.
Controls to manage risk have been implemented and evaluated successfully. Risks are now at the level which the organization is willing to accept. What is the name of this risk?
In risk management, after controls are implemented to mitigate risks, the remaining risk that the organization is willing to accept is called residual risk (C). According to frameworks like ISO/IEC 27001 and COBIT, residual risk represents the level of risk that persists after applying controls, deemed acceptable based on the organization's risk appetite. For example, if a control reduces the likelihood or impact of a threat (e.g., data breach), the remaining exposure is the residual risk, which the organization monitors but does not further mitigate unless necessary.
Reduced risk (A): Not a standard term; implies a general decrease but lacks specificity.
Lowered risk (B): Similar to reduced risk, not a recognized term in risk management frameworks.
Modified risk (D): Implies risk alteration but is not a standard term for post-control risk levels.
Residual risk is a critical concept in risk management, ensuring organizations understand and accept the remaining exposure after mitigation efforts.
- Select Question Types you want
- Set your Desired Pass Percentage
- Allocate Time (Hours : Minutes)
- Create Multiple Practice tests with Limited Questions
- Customer Support
Precious
6 days agoIlene
14 days agoLai
21 days agoMicah
28 days agoColeen
1 month agoGeorgene
1 month agoEthan
2 months agoAlica
2 months agoDaniel
2 months agoThersa
2 months agoCharlene
3 months agoParis
3 months agoLorenza
3 months agoJoanna
3 months agoBernadine
4 months agoMaricela
4 months agoCherilyn
4 months agoBrianne
4 months agoNina
5 months agoStefan
5 months agoIra
5 months agoTruman
5 months agoBritt
5 months agoClaudia
6 months agoMelinda
6 months agoShenika
6 months agoCordelia
6 months ago