Exin CITM Exam Questions

Exam Name: EXIN EPI Certified Information Technology Manager
Exam Code: CITM
Related Certification(s): Exin EPI IT Management Certification
Certification Provider: Exin
Actual Exam Duration: 75 Minutes
Number of CITM practice questions in our database: 50 (updated: Aug. 07, 2025)
Expected CITM Exam Topics, as suggested by Exin:
  • Topic 1: IT Strategy: This section of the exam measures the skills of an IT Strategy Manager and covers the development and alignment of IT strategy with business objectives. It emphasizes creating strategic plans to support organizational goals, understanding emerging technologies, and ensuring that IT investments contribute to competitive advantage and operational efficiency.
  • Topic 2: IT Organization: This domain targets an IT Operations Manager and focuses on the design and management of IT organizational structures. It includes defining roles and responsibilities, establishing governance frameworks, managing resources effectively, and fostering collaboration to support IT service delivery and business needs.
  • Topic 3: Vendor Selection / Management: This section measures the expertise of a Vendor Manager and covers the process of selecting and managing third-party providers. It addresses evaluating vendor capabilities, negotiating contracts, monitoring performance, and maintaining productive relationships to ensure service quality and value.
  • Topic 4: Project Management: This domain is aimed at an IT Project Manager and encompasses planning, executing, and controlling IT projects. It includes managing scope, time, cost, quality, and risks, applying project methodologies, engaging stakeholders, and delivering projects that meet business requirements.
  • Topic 5: Application Management: This section of the exam evaluates an Application Manager’s skills in overseeing the lifecycle of IT applications. It covers application development support, maintenance, upgrades, user support, and ensuring that applications meet functional and performance standards aligned with business needs.
  • Topic 6: Service Management: This domain targets a Service Delivery Manager and focuses on managing IT services to ensure consistent and efficient delivery. It includes establishing service level agreements (SLAs), incident and problem management, continuous service improvement, and aligning IT services with business demands.
  • Topic 7: Business Continuity Management: This section measures the skills of a Business Continuity Manager and covers planning and implementing strategies to ensure IT availability and resilience during disruptions. It includes risk assessment, disaster recovery planning, backup procedures, and testing to minimize business impact.
  • Topic 8: Risk Management: This domain evaluates the capabilities of an IT Risk Manager and involves identifying, assessing, and mitigating IT-related risks. It addresses developing risk frameworks, compliance management, and proactive measures to safeguard IT assets and operations.
  • Topic 9: Information Security Management: This section targets an Information Security Manager and focuses on protecting information assets from threats. It covers policy development, security controls implementation, incident response, data protection, and compliance with legal and regulatory requirements to maintain confidentiality, integrity, and availability.
Free Exin CITM Exam Actual Questions

Note: Premium Questions for CITM were last updated on Aug. 07, 2025

Question #1

During the Post Implementation Review (PIR) of changes, it has lately been concluded that an unusually high number of changes failed to meet their objectives. What is the most likely cause of this?

Correct Answer: A

A high failure rate of changes during Post Implementation Review (PIR) in ITIL's change management process suggests a deficiency in the assessment and evaluation of change requests (A). Proper assessment involves analyzing risks, impacts, and feasibility before approving changes. If this step is inadequate (e.g., overlooking conflicts or underestimating impacts), changes are more likely to fail, as they may not align with objectives or be poorly planned.

Insufficient resources (B): May cause delays but is less directly tied to failed objectives compared to poor assessment.

CAB meetings not taking place (C): The CAB reviews changes, but the scenario doesn't indicate meetings are absent; poor assessment can occur even with CAB involvement.

Insufficient budget (D): May limit implementation but is less likely the primary cause of failed objectives.


Question #2

A technical team investigating possible controls concludes that the most preferred control cannot be implemented because of too many constraints and decides to propose the second-best control. What is this control referred to as?

Correct Answer: B

A compensating control is an alternative control implemented when the preferred control cannot be applied due to constraints (e.g., technical, financial, or operational). According to frameworks like COBIT or ISO/IEC 27001, compensating controls provide equivalent or partial risk mitigation when the primary control is infeasible.

Deterrent controls (A) discourage violations, detective controls (C) identify incidents, and corrective controls (D) address issues after they occur. Only compensating control (B) fits the scenario of a second-best alternative due to constraints.


Question #3

What is the correct sequence of activities for a risk assessment?

Correct Answer: C

The correct sequence for a risk assessment, as per ISO 31000 and ISO/IEC 27001, is: Establish context → identify → analyse → evaluate → treatment (C).

Establish context: Define the scope, objectives, and criteria for the risk assessment (e.g., organizational goals, assets, and risk appetite).

Identify: Identify potential risks (e.g., threats and vulnerabilities) that could impact objectives.

Analyse: Assess the likelihood and impact of identified risks to determine their severity.

Evaluate: Compare risks against risk criteria to prioritize them for treatment.

Treatment: Implement controls or strategies to mitigate, avoid, transfer, or accept risks.

Option A: Incorrect, as "monitor and review" is a post-treatment step, not the starting point.

Option B: Incorrect, as "communication" is not a distinct step in risk assessment; it's embedded throughout.

Option D: Incorrect, as it skips "establish context," which is essential for defining the assessment's scope.

This sequence ensures a structured, systematic approach to risk assessment, aligning with organizational objectives.


Question #4

Senior management requests a service requirement analysis to justify the need for a vendor. During the analysis, it is concluded that the internal IT provider has insufficient manpower and lacks the skills to deliver the work required. Which gaps are identified?

Correct Answer: B

The analysis identifies insufficient manpower (a staffing issue) and lack of skills (a capability issue) within the internal IT provider. These gaps correspond to organizational (manpower, related to staffing and resource allocation) and technical (skills, related to expertise and technical capabilities) deficiencies (B).

Financial and organizational (A): Financial gaps (e.g., budget constraints) are not mentioned in the scenario.

Financial and technical (C): Financial issues are not indicated; the focus is on manpower and skills.

According to vendor management frameworks, identifying gaps in internal capabilities (e.g., staffing and technical expertise) justifies outsourcing to a vendor to fill these deficiencies.


Question #5

Controls to manage risk have been implemented and evaluated successfully. Risks are now at the level which the organization is willing to accept. What is the name of this risk?

Correct Answer: C

In risk management, after controls are implemented to mitigate risks, the remaining risk that the organization is willing to accept is called residual risk (C). According to frameworks like ISO/IEC 27001 and COBIT, residual risk represents the level of risk that persists after applying controls, deemed acceptable based on the organization's risk appetite. For example, if a control reduces the likelihood or impact of a threat (e.g., data breach), the remaining exposure is the residual risk, which the organization monitors but does not further mitigate unless necessary.

Reduced risk (A): Not a standard term; implies a general decrease but lacks specificity.

Lowered risk (B): Similar to reduced risk, not a recognized term in risk management frameworks.

Modified risk (D): Implies risk alteration but is not a standard term for post-control risk levels.

Residual risk is a critical concept in risk management, ensuring organizations understand and accept the remaining exposure after mitigation efforts.


