Certified Information Security Manager (CISM) Practice Exam 2025 – The All-in-One Guide to Mastering Certification Success!

Question: 1 / 400

True or False: Technical controls are the only real risk mitigation technique.

True

False

The statement that technical controls are the only real risk mitigation technique is false because risk mitigation encompasses a broader spectrum of strategies beyond just technical controls. While technical controls, such as firewalls, intrusion detection systems, and encryption, are crucial for protecting information systems from threats, they are not the sole means of managing risks.

Risk mitigation typically involves a combination of approaches, which can be categorized into administrative controls, physical controls, and technical controls. Administrative controls consist of policies, procedures, and training aimed at minimizing risks through management oversight and employee awareness. Physical controls involve measures to protect the physical environment, such as securing facilities and restricting access to sensitive areas.

By utilizing a holistic approach that integrates technical, administrative, and physical controls, organizations can better address the complexities of security threats and create a robust defense posture. The effectiveness of risk mitigation is therefore not limited to technical controls alone, highlighting the importance of a comprehensive security strategy that incorporates multiple layers of protection.

Depends on the situation

None of the above
