CSM® Sample Examination Items (Questions)

Try your hand at the sample questions below and submit your answers to certification@ismi.org.uk to receive your indicative score.


Module 1 - Security Risk Analysis


1. Which of the following is generally true of security risk management?

a. Most business activities attract risk to a greater or lesser degree.  The role of the security professional is to manage risk to as low as reasonably practicable.

b. Most business activities attract risk to a greater or lesser degree.  The role of the security professional is to eliminate that risk.

c. Most business activities attract risk to a greater or lesser degree.  The role of the security professional is to accept that risk.

d. Most business activities if conducted correctly will attract little or no risk.  The role of the security professional is to educate the workforce accordingly in how to conduct risk-free operations.


2. When carrying out a security survey, you discover that the throw of a bolt on a critical door extends only 5mm into the strike.  You would report this as:

a. A threat.

b. An acceptable risk.

c. A consequence.

d. A vulnerability.


3. Your analysis reveals that the probability of occurrence of a particular adverse event with a significant and disruptive impact is estimated as 25%.  How would you record this?

a. Acceptable risk.

b. Low probability.

c. Medium probability.

d. High probability.


Module 2 - Crime Prevention


4. Which of the following categories of perpetrators typically pose the greatest theft risk to an enterprise?

a. Outsiders (professional and opportunist).

b. Insiders.

c. Former insiders (e.g. ex-employees with a grudge).

d. Outsiders working in collusion with insiders.


5. Research has indicated that many employees do not place faith in hotlines for two reasons:

a. They don’t know the number and the process is outsourced.

b. They feel their report may not be taken seriously and they fear retribution.

c. They don’t have the confidence in the ability of the call handler and they don’t trust the promise of anonymity.

d. They fear that calls are recorded and voice recognition software used and they take the view that the company doesn’t care; the facility is cosmetic and is there for external compliance reasons and nothing else.


6. Signing a non-disclosure agreement and making a formal written declaration that there are no copies of any company information, in hardcopy or electronic form in personal possession is often a part of:

a. An annual appraisal.

b. An exit interview.

c. A pre-employment interview.

d. A periodic vetting interview.


Module 3 - Managing the Security Function


7. The 2,000 year old statement “The security of the city depends less on the strength of its fortifications than on the state of mind of its inhabitants” emphasizes the need for:

a. Awareness training and employee socialization.

b. Strong perimeter security.

c. Reporting hotlines.

d. A drug-free workplace.


8. The contemporary view of a security manager is of someone who:

a. Has extensive experience in the police or military.

b. Is multi-skilled, educated to an advanced level, and who is intellectually equipped to contribute to the broader concept of enterprise resilience.

c. Has worked their way through the ranks from security guard, through supervisor to management, acquiring relevant experience at each level.

d. Is a subject matter expert on every aspect of security that he or she is responsible for.


9. If on-site training is aimed at enabling staff to perform their jobs to a high standard, which of the following answers best represents the benefits of external training and certifications?

a. It allows you to learn new and innovative ways of doing things by sharing in common best practice and introducing you to new ideas.

b. It gives you more credentials with which to adorn your LinkedIn profile.

c. It gives you breathing space away from the stresses of work and allows you to reflect on your future career path.

d. It motivates you as you feel that the company cares about you.


Module 4 - Leadership and Management Core Skills


10. A project is characterised by having a unique purpose and goal, specific resources and completion within a defined timeframe.  Which of the following activities is not suitable for project management?

a. The procurement and installation of a new CCTV system.

b. Launch of a new product line.

c. New construction and equipping of a security control centre.

d. Investigating a loss resulting from a burglary.


11. If a business operating on a net profit of 10% incurs, through theft, a loss of $5,000, how many dollars of sales must be achieved in order to recover from the loss?

a. $5,000.

b. $10,000.

c. $50,000.

d. $100,000.


12. A tried and tested way to prepare a security officer for promotion is to:

a. Delegate tasks and coach where necessary.

b. Increase pay.

c. Increase the workload and working hours to put the candidate under extreme pressure to see if they crack.

d. Threaten to promote from outside the organisation as this will motivate your staff to increase performance.


Module 5 - Security Design, Evaluation and Surveying 


13. Which of the following statements is correct?

a. Intrusion detection systems are used primarily to delay.

b. Perimeter barriers are used primarily to delay.

c. CCTV is used primarily to delay.

d. Contraband detection is used primarily to delay.


14. In carrying out an evaluation of different detection systems you are advised that a particular sensor has a Probability of Detection (PD) of 0.9.  This means that theoretically what proportion of adversary attempts will be successful?

a. 1 in 5.

b. 9 in 10.

c. 1 in 10.

d. 0.9 in 10.


15. Which of the following statements is incorrect?

a. Detection can be quantified in terms of the probability of detection PD, expressed as a decimal.

b. Delays can be quantified in terms of penetration time.

c. Disruption can be quantified in terms of the time taken to respond to the event and the probability of adversary neutralisation (PN).

d. Deterrence can be quantified in terms of arrests made.


Module 6 - Perimeter Protection


16. A typical “security fence”, for example, comprising a 2.4m high chain-link fence with 450mm coiled razor wire topping can be considered to provide a delay of how long against a determined and skilled intruder?

a. No more than 30 minutes.

b. No more than 10 minutes.

c. No more than 5 minutes.

d. No more than 10 seconds.


17. In carrying out a survey of a perimeter you discover that on testing, the security officer responded to a location 800m away from the point of intrusion.  Which of the following should be your first point of investigation?

a. The response means of the officer (e.g. foot, bicycle, vehicle etc.)

b. The zoning intervals of the perimeter intrusion detection system.

c. Whether the lens of the CCTV assessment was fogged up.

d. The eyesight of the security officer.


18. The minimum recommended height for a perimeter fence, inclusive of hostile topping, is:

a. 2m.

b. 2.4m.

c. 3m.

d. 4m.


Module 7 - Protecting Buildings


19. In carrying out crime analysis research in preparation for the security survey of a building, you ascertain that there is a problem with persons entering the building with false ID with intent to commit crime, perhaps posing as a contractor or maintenance person.  Which of the following should be your recommendation?

a. A guard post should be established at the building entrance and this should be manned 24/7.

b. Strong access management, ensuring contractors are registered, with prior liaison between the contracting company, the host and the security department.

c. CCTV to be installed in all corridors and all rooms in the building.

d. Security personnel should search and clear all potential hiding locations at cessation of work and rooms should be locked and alarmed as appropriate.


20. Valuable assets on display on desks after working hours in open-plan offices, floor plans often available on the internet, flat roofs and large diameter hidden ducting and crawl spaces are all problems often encountered when trying to secure:

a. Government buildings.

b. New buildings.

c. Old buildings.

d. Temporary buildings.


21. In establishing building security regimes, the emphasis on barriers, locks, intrusion detection and response is best applied:

a. At weekends only.

b. Outside working hours when the building is unoccupied.

c. Early mornings, as employees begin to arrive at work.

d. During working hours.


Module 8 - Access Management


22. After working hours the contract cleaners come on site.  Access cards are misused by persons other than the holder and there are suspicions that some of those who come on site don’t have cards.  A simple starting point to addressing this is:

a. Magnetic stripe cards.

b. The two-person rule with the use of “airlock” doors.

c. Anti-passback functionality and tailgating detection.

d. Using an offline access control system.


23. Which one of the following statements is true with regard to mechanical push-button locks?

a. Push-button locks are an effective privacy device in controlling access to manned, restricted areas.

b. Push-button locks are ineffective in controlling access to security control rooms manned 24 hours a day.

c. Push-button locks are an effective high-security defence in preventing access to restricted areas.

d. It takes several months, typically, before the code of a push-button lock is known beyond those authorized to know it.


24. You have a requirement for an electrically-powered locking mechanism that is inherently fail-secure, and is suitable for use on a high-value storage area in which no employee is permanently located. Which one of the following should you select?

a. Electric deadbolt.

b. Electric lockset.

c. Electric strike.

d. Electromagnetic lock.


Module 9 - Video Surveillance (CCTV)


25. In procuring a new CCTV system when is the best time to write operator procedures and train operators?

a. During the feasibility study.

b. During the design basis threat stage.

c. During installation, commissioning and testing.

d. Once the system has been installed.


26. Making a video stream less susceptible to interference can be achieved by:

a. Transmitting it as analogue.

b. Transmitting it over microwave.

c. Using H.265 compression.

d. Transmitting it by fibre optic.


27. Three of the following four factors determine the camera’s field of view.  Which has no relevance?

a. The lens/camera chip format.

b. The lens focal length.

c. The position of the camera in relation to the scene under surveillance.

d. The compression codec.


Module 10 - Facility Counterterrorism


28. If the threat assessment envisages the use of moving vehicle-borne improvised explosive devices, the following is a key consideration:

a. Speed attenuation measures are required as the driver may attempt to penetrate the building entrance in order to enhance the blast effect to create catastrophic failure of the building fabric.

b. The action is easily recognisable to the extent that rising kerb barriers can be quickly deployed.

c. As the vehicle is moving, there are fewer casualties.

d. As the vehicle is moving, the charge weight of the explosive material has to be less than that of a stationary vehicle-borne improvised explosive device.


29. Defining the minimum stand-off distance required to protect the building against the blast threat is a fundamental starting strategy when defending against:

a. Person-borne improvised explosive devices.

b. Vehicle-borne improvised explosive devices.

c. Postal improvised explosive devices.

d. Biological weapons.


30. At an entrance checkpoint where there is an elevated risk of terrorism, what is recommended to improve traffic management and reduce the necessity to open an unobstructed route into the site in the event of the arrival of an unauthorised vehicle?

a. An additional security officer.

b. A rejection lane.

c. Metal halide lighting.

d. A double-entry portal (Sally Port).


Module 11 - Protection of Information


31. Which one of the following statements is true?

a. Hostile intelligence services never access hotel room safes of overseas visitors engaged in business negotiations.

b. Hostile intelligence services never plant listening devices in hotel rooms as it would be immoral.

c. Hostile intelligence services never recruit the services of hotel staff to report on the activities of business travellers of particular interest.

d. In several countries, hostile intelligence services working in the interests of domestic companies pose a significant threat to a business traveller’s sensitive company information.


32. A flash (thumb) drive given to you by a friend as a gift or by a vendor at an exhibition:

a. Doesn’t pose a threat to your PC and its information as long as you have antivirus software in place.

b. Doesn’t pose a threat to your PC and its information as long as you have a firewall in place.

c. Doesn’t pose a threat to your PC and its information as long as you have a VPN in place.

d. May pose a significant threat to your PC, its information or to the company network to which it is attached.


33. Dissemination of a company’s information security policy should be:

a. Limited to the top management team only.

b. Limited to the top management team and IT staff only.

c. Limited to the top management team, IT staff and security staff.

d. Available to business units, personnel, temporary employees, vendors, consultants, contractors, and business partners.


Module 12 - Protection of at-Risk Personnel


34. Every employer has a legal and moral obligation to provide a safe working environment.  The employer's obligation extends to:

a. Safeguarding employees, contractors, visitors, and guests on the premises and generally does not distinguish between internal and external sources of danger. 

b. Employees and only in the formal workplace.

c. Employees only in the formal workplace and travel to and from home.

d. Customers only as employees are responsible for ensuring their own workplace health and safety. 


35. Which of the following statements best reflects good practice in facilities where there is a risk of armed robbery?

a. Off-site recording is best as on-site recording can put the employee at risk.  Don’t use dummy cameras as robbers know the difference.  Have several cameras, some visible, some covert.  

b. On-site recording is best so that if robbers demand the recordings they can be given up.  Ensure that all cameras are visible in order not to aggravate the robbers.

c. Off-site recording is best as on-site recording can put the employee at risk.  Use dummy cameras to maximise the deterrence effect.

d. On-site recording is best so that if robbers demand the recordings they can be given up.  Don’t use dummy cameras as robbers know the difference.  Have several cameras, some visible, some covert.  


36. Complete the following sentence:  "The moment an active shooter incident begins, ..."

a. Staff should take refuge in the toilets.

b. Somebody must inform law enforcement.  

c. Armed security officers should deploy towards the sound of the gunfire.

d. Staff should lie down and pretend they are dead.


If the questions appear a little difficult at the moment, you will soon be able to answer these - and hundreds more - after studying the ISMI® Security Management Body of Knowledge.