
[Jan 08, 2026] CITM Questions Truly Valid For Your EXIN Exam!
EXIN CITM Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 | |
| Topic 2 | |
| Topic 3 | |
| Topic 4 | |
NEW QUESTION # 14
During the system (application) development project, the customer wants to know how software will be maintained to assure that future functional requirements are incorporated. What type of system maintenance is the customer looking for?
- A. Preventive maintenance
- B. Corrective maintenance
- C. Adaptive maintenance
- D. Perfective maintenance
Answer: D
Explanation:
The customer's focus on incorporating future functional requirements indicates a need for perfective maintenance (D). In application management, perfective maintenance involves enhancing software to add new features or improve functionality to meet evolving business needs, such as adding new modules or capabilities.
* Preventive maintenance (A): Focuses on preventing issues by optimizing performance or addressing potential problems, not adding new features.
* Corrective maintenance (B): Involves fixing bugs or errors, not incorporating new functionality.
* Adaptive maintenance (C): Adapts software to environmental changes (e.g., new operating systems), not specifically to new functional requirements.
Perfective maintenance aligns with the SDLC's maintenance phase, ensuring the software evolves to support future business requirements.
Reference: EPI CITM study guide, under Application Management, likely covers software maintenance types in the SDLC, emphasizing perfective maintenance for enhancements. Refer to sections on application lifecycle or maintenance strategies.
NEW QUESTION # 15
From the list below, which activity is not considered to be an activity in the software development phase?
- A. Implementation
- B. Documenting
- C. Testing
- D. Code writing
Answer: A
Explanation:
In the Software Development Life Cycle (SDLC), the development phase typically includes code writing (D), testing (C), and documenting (B) to build and verify the software. Implementation (A) is part of the deployment phase, where the software is installed and made operational in the production environment, not part of development.
Reference: EPI CITM study guide, under Application Management, likely covers SDLC phases, distinguishing development from implementation. Refer to sections on software development or application lifecycle management.
NEW QUESTION # 16
The introduction of a security awareness program has resulted in a quick decrease in security incidents. Eight months later, security incidents are showing a sudden increase, and the blame is put on a non-functioning security awareness program. What is most likely the cause?
- A. Insufficient budget
- B. Scope of the program is too narrow, not covering all areas of interest
- C. Lack of resources for instructor-led sessions
- D. Message materials are few and static, and renewal is not taking place
Answer: D
Explanation:
Security awareness programs require ongoing engagement to remain effective. If security incidents decrease initially but increase after eight months, the most likely cause is that message materials are few and static, and renewal is not taking place (D). Static content becomes outdated or ignored over time, reducing its impact. Regular updates, new campaigns, and varied delivery methods (e.g., videos, quizzes) are essential to maintain employee awareness and adapt to evolving threats, as per ISO/IEC 27001 or NIST security awareness guidelines.
* Insufficient budget (A): While budget constraints could limit program scope, there is no evidence in the scenario to suggest this is the primary issue.
* Scope too narrow (B): A narrow scope might limit effectiveness initially, but the initial success suggests the scope was adequate; the issue is sustaining engagement.
* Lack of resources for instructor-led sessions (C): Instructor-led sessions are one delivery method, but the core issue is likely outdated content rather than delivery format.
Reference: EPI CITM study guide, under Information Security Management, likely discusses security awareness program maintenance, emphasizing the need for regular content updates. Refer to sections on security awareness or human factors in security.
NEW QUESTION # 17
Being part of service management, business relationship management follows the principles of the service lifecycle. Which of the below is not part of activities defined in service operation?
- A. Define service strategy
- B. Communicate scheduled outages
- C. Report service performance
- D. Escalation
Answer: A
Explanation:
In ITIL, the service operation phase focuses on delivering and managing services, including activities like communicating scheduled outages (B), reporting service performance (C), and handling escalations (D).
Defining service strategy (A) is part of the service strategy phase, not service operation, as it involves planning and aligning services with business goals.
Reference: EPI CITM study guide, under Service Management, likely references ITIL's service lifecycle, specifically distinguishing service operation from service strategy. Check sections on ITIL service operation or business relationship management.
NEW QUESTION # 18
Controls to manage risk have been implemented and evaluated successfully. Risks are now at the level which the organization is willing to accept. What is the name of this risk?
- A. Residual risk
- B. Reduced risk
- C. Lowered risk
- D. Modified risk
Answer: A
Explanation:
In risk management, after controls are implemented to mitigate risks, the remaining risk that the organization is willing to accept is called residual risk (A). According to frameworks like ISO/IEC 27001 and COBIT, residual risk is the level of risk that persists after applying controls and is deemed acceptable based on the organization's risk appetite. For example, if a control reduces the likelihood or impact of a threat (e.g., a data breach), the remaining exposure is the residual risk, which the organization monitors but does not further mitigate unless necessary.
* Reduced risk (B): Not a standard term; implies a general decrease but lacks specificity.
* Lowered risk (C): Similar to reduced risk, not a recognized term in risk management frameworks.
* Modified risk (D): Implies risk alteration but is not a standard term for post-control risk levels.
Residual risk is a critical concept in risk management, ensuring organizations understand and accept the remaining exposure after mitigation efforts.
Reference: EPI CITM study guide, under Risk Management, likely references ISO/IEC 27001 or COBIT, emphasizing residual risk in risk assessment and treatment processes. Check sections on risk management frameworks or risk evaluation.
NEW QUESTION # 19
Before the marketing department will decide on a new advertising campaign, it wants to be able to gain more insights into the customer, being able to predict the products customers will purchase in the near future. What is a 'must-have' criterion in terms of the technology the marketing department is interested in?
- A. Business Intelligence (BI)
- B. Advanced analytics
- C. Ad hoc analysis
- D. Records Management System (RMS)
Answer: B
Explanation:
To predict future customer purchases, the marketing department requires advanced analytics (B), which involves sophisticated data analysis techniques such as predictive modeling, machine learning, and data mining. These technologies enable the department to analyze customer behavior, identify patterns, and forecast purchasing trends, supporting targeted advertising campaigns.
* Records Management System (RMS) (D): Focuses on managing and storing records, not predictive analysis.
* Ad hoc analysis (C): Allows on-demand, one-off queries but lacks the predictive capabilities of advanced analytics.
* Business Intelligence (BI) (A): Provides reporting and historical data analysis but is less focused on predictive modeling than advanced analytics.
Advanced analytics aligns with IT strategy goals of leveraging data for competitive advantage, as it supports the predictive insights critical for marketing decisions.
Reference: EPI CITM study guide, under IT Strategy, likely discusses data-driven technologies like advanced analytics for business decision-making. Refer to sections on emerging technologies or data analytics.
NEW QUESTION # 20
What is the correct sequence of activities for a risk assessment?
- A. Identify - analyse - evaluate - treatment - monitor and review
- B. Communication - establish context - analyse - treatment - monitor and review
- C. Establish context - identify - analyse - evaluate - treatment
- D. Monitor and review - establish context - identify - evaluate - treatment
Answer: C
Explanation:
The correct sequence for a risk assessment, as per ISO 31000 and ISO/IEC 27001, is: Establish context - identify - analyse - evaluate - treatment (C).
* Establish context: Define the scope, objectives, and criteria for the risk assessment (e.g., organizational goals, assets, and risk appetite).
* Identify: Identify potential risks (e.g., threats and vulnerabilities) that could impact objectives.
* Analyse: Assess the likelihood and impact of identified risks to determine their severity.
* Evaluate: Compare risks against risk criteria to prioritize them for treatment.
* Treatment: Implement controls or strategies to mitigate, avoid, transfer, or accept risks.
* Option A: Incorrect, as it skips "establish context," which is essential for defining the assessment's scope.
* Option B: Incorrect, as "communication" is not a distinct step in risk assessment; it is embedded throughout.
* Option D: Incorrect, as "monitor and review" is a post-treatment step, not the starting point.
This sequence ensures a structured, systematic approach to risk assessment, aligned with organizational objectives.
Reference: EPI CITM study guide, under Risk Management, likely references ISO 31000 or ISO/IEC 27001 for risk assessment processes. Check sections on risk assessment methodologies or the risk management lifecycle.
NEW QUESTION # 21
Due to technical and operational constraints, the preferred control to lower the risks identified is to outsource part of IT operations to an external vendor. What type of risk treatment is applied here?
- A. Modification
- B. Sharing
- C. Retention
- D. Transferred
Answer: D
Explanation:
Outsourcing IT operations to an external vendor is a form of risk transfer (D), where the responsibility for managing certain risks (e.g., operational or technical risks) is shifted to the vendor. According to ISO 31000, risk treatment strategies include transferring risk to a third party, often through contracts or outsourcing agreements, where the vendor assumes responsibility for mitigating specific risks.
* Sharing (B): Involves distributing risk among multiple parties, not fully transferring it to one.
* Retention (C): Means accepting the risk without mitigation, not applicable here.
* Modification (A): Refers to changing processes or controls to reduce risk, not outsourcing.
Reference: EPI CITM study guide, under Risk Management, likely references ISO 31000's risk treatment strategies, including risk transfer. Check sections on risk treatment or outsourcing.
NEW QUESTION # 22
As part of feedback collection techniques, it is suggested to include anonymous feedback. What would be the most likely reason for this?
- A. Promotion of honest feedback while avoiding fear for backfiring on the participant
- B. Avoidance of non-compliance to regulations
- C. Easier processing of data collected
- D. Reduced time spent for feedback participant
Answer: A
Explanation:
The primary reason for including anonymous feedback in feedback collection is to promote honest feedback while avoiding fear of it backfiring on the participant (A). Anonymity encourages participants to provide candid, truthful responses without worrying about repercussions, such as criticism or retaliation, which is critical in service management for gathering accurate insights into service quality or issues. According to ITIL's continual service improvement (CSI), honest feedback is essential for identifying areas for improvement.
* Avoidance of non-compliance (B): Anonymity is unrelated to regulatory compliance in this context.
* Easier processing of data (C): Anonymity may complicate data processing by removing identifiers, not simplify it.
* Reduced time (D): Anonymity does not inherently reduce the time required for feedback.
Reference: EPI CITM study guide, under Service Management, likely discusses feedback collection in ITIL's CSI framework, emphasizing anonymity for honest input. Check sections on customer feedback or service improvement.
NEW QUESTION # 23
The team responsible for network security has proposed a firewall as the preferred control for the network perimeter. How is this type of control categorized?
- A. Technical preventive control
- B. Administrative deterrent control
- C. Physical corrective control
- D. Physical detective control
Answer: A
Explanation:
A firewall is categorized as a technical preventive control (A) in information security management.
According to ISO/IEC 27001, preventive controls aim to stop security incidents before they occur, and technical controls are technology-based solutions. A firewall prevents unauthorized access at the network perimeter by filtering traffic, making it a technical preventive control.
* Physical detective control (D): Involves physical measures (e.g., cameras) to detect incidents, not applicable to firewalls.
* Administrative deterrent control (B): Involves policies or procedures to discourage violations, not technology-based.
* Physical corrective control (C): Addresses physical issues post-incident, not relevant to firewalls.
Reference: EPI CITM study guide, under Information Security Management, likely references ISO/IEC 27001's control categories, emphasizing technical preventive controls. Check sections on security controls or network security.
NEW QUESTION # 24
When selecting a new vendor, continuity needs to be guaranteed as much as possible. At a minimum, which criteria are considered?
- A. Scope, maintenance, and price
- B. Price, training, and support
- C. Terms and conditions, maintenance, and terms of engagement
- D. Head count, support, and financial stability
Answer: D
Explanation:
To ensure continuity in vendor selection, the key criteria are head count (the vendor's staffing capacity to deliver services), support (availability of ongoing technical and operational support), and financial stability (ensuring the vendor remains viable to provide services long-term). These factors directly affect the vendor's ability to maintain service delivery without interruption, which is critical for business continuity.
* Scope, maintenance, and price (A): Scope and price are important but do not directly ensure continuity; maintenance is a subset of support.
* Terms and conditions, maintenance, and terms of engagement (C): These are contractual elements, but they do not fully address operational continuity factors such as staffing or financial stability.
* Price, training, and support (B): Training is less critical for continuity than staffing capacity or financial health.
According to vendor management frameworks, continuity is ensured by evaluating the vendor's operational capacity and long-term reliability, making head count, support, and financial stability the minimum criteria.
Reference: EPI CITM study guide, under Vendor Selection/Management, likely covers vendor evaluation criteria, emphasizing continuity factors. Check sections on vendor due diligence or service continuity.
NEW QUESTION # 25
Whilst creating the IT service catalog, a needs analysis is conducted. One of the items discussed is the data points required for the IT services. What is the objective of these data points?
- A. To identify the data being used by the customer
- B. To measure the performance of IT services delivered
- C. To determine the life expectancy of IT services
- D. To establish the operating hours of the IT services
Answer: B
Explanation:
In ITIL's service catalog management, the data points required for IT services are used to measure the performance of IT services delivered (B). These data points (e.g., uptime, response times, incident resolution rates) enable the IT provider to monitor and report on service quality, ensuring alignment with service level agreements (SLAs) and customer expectations. A needs analysis identifies the key performance indicators (KPIs) used to track service effectiveness.
* Identify data used by the customer (A): Focuses on customer data usage, not service performance.
* Determine life expectancy (C): Relates to service lifecycle planning, not data points.
* Establish operating hours (D): Operating hours are a service attribute, not the primary purpose of data points.
Reference: EPI CITM study guide, under Service Management, likely references ITIL's service catalog management, emphasizing KPIs for performance measurement. Check sections on service catalog or performance metrics.
NEW QUESTION # 26
Lately, the support desk is receiving several requests for password resets from individuals who appear to be unknown to the organization. Possible criminal activities are suspected, and the organization wishes to address this issue in their information security awareness program. What is the area that requires awareness?
- A. Internet usage
- B. Social engineering
- C. E-mail usage
- D. Instant (mobile) messaging
Answer: B
Explanation:
Requests for password resets from unknown individuals suggest social engineering attacks, such as phishing or impersonation, in which attackers manipulate users or support staff to gain unauthorized access. An information security awareness program should focus on educating staff about social engineering tactics so they can recognize and prevent such incidents.
E-mail usage (C), instant messaging (D), and internet usage (A) may be vectors for attacks, but the core issue is social engineering (B), which encompasses tactics used across these channels.
Reference: EPI CITM study guide, under Information Security Management, likely emphasizes social engineering in security awareness training. Refer to sections on security awareness or threat management.
NEW QUESTION # 27
To further reduce fraud cases in the transfer of land titles, the government introduces a new system which, in the back-end, makes use of blockchain technology. Key functionality of the system is speed of transmission and privacy. Which type of blockchain is most preferred for this type of application?
- A. Private blockchain
- B. Community blockchain
- C. Consortium blockchain
- D. Public blockchain
Answer: A
Explanation:
For a government system handling land title transfers, the key requirements are speed of transmission and privacy. A private blockchain (A) is most suitable because it restricts access to authorized participants, ensuring privacy and confidentiality of sensitive data such as land ownership records. Private blockchains are controlled by a single organization or a limited group, allowing faster transaction processing than public blockchains, which require consensus from a large, decentralized network. This aligns with the need for quick and secure transactions in a controlled environment.
Public blockchains (D) are open to anyone, which compromises privacy for sensitive government data.
Community blockchain (B) is not a standard term in blockchain technology, and consortium blockchains (C), while involving multiple organizations, are less suitable for a single government entity needing full control.
Reference: EPI CITM study guide likely covers blockchain applications under IT Strategy, emphasizing private blockchains for secure, controlled environments like government systems. Refer to sections on emerging technologies or IT strategy frameworks for detailed blockchain categorizations.
NEW QUESTION # 28
The new social media platform is multi-media supported and will generate a large volume of raw data. The marketing department has a need for advanced analysis of this data. Which data management technology applies best?
- A. Big Data Analysis
- B. Master Data Management (MDM)
- C. Digital Asset Management (DAM)
- D. Online Analytical Processing (OLAP)
Answer: A
Explanation:
The scenario describes a social media platform generating a large volume of raw data (e.g., user interactions, multimedia content) and a need for advanced analysis by the marketing department. Big Data Analysis (A) is the best technology, as it handles large, unstructured datasets and uses advanced techniques (e.g., machine learning, predictive analytics) to derive insights such as user behavior or campaign effectiveness.
* Master Data Management (MDM) (B): Focuses on managing core business data (e.g., customer records) for consistency, not analyzing large raw datasets.
* Digital Asset Management (DAM) (C): Manages multimedia assets (e.g., images, videos) for storage and retrieval, not advanced analysis.
* Online Analytical Processing (OLAP) (D): Supports multidimensional analysis of structured data but is less suited to unstructured, large-scale social media data than big data tools.
Big Data Analysis aligns with IT strategy for leveraging large datasets to drive business value, as per modern data management frameworks.
Reference: EPI CITM study guide, under IT Strategy, likely discusses data management technologies, emphasizing big data for advanced analytics. Refer to sections on data analytics or emerging technologies.
NEW QUESTION # 29
Users (customers) are complaining about the quality of how problems are being solved. What is the most likely cause?
- A. Errors in priority
- B. Wrong allocation of problems
- C. Lack of budget to manage problems
- D. Poor registration of problems
Answer: D
Explanation:
In ITIL's problem management process, poor registration of problems (D) is the most likely cause of low-quality problem resolution. Effective problem management requires accurate logging of incidents and problems, including detailed descriptions, to enable proper root cause analysis and resolution. If problems are poorly registered (e.g., incomplete or inaccurate data), diagnosis and resolution are hindered, leading to customer dissatisfaction.
* Wrong allocation of problems (B): Incorrect assignment to teams can delay resolution but is less fundamental than poor registration, which affects the entire process.
* Errors in priority (A): Incorrect prioritization may delay urgent issues, but poor registration impacts resolution quality more directly.
* Lack of budget (C): May limit resources, but the scenario points to process quality, not resource constraints.
Reference: EPI CITM study guide, under Service Management, likely references ITIL's problem management, emphasizing accurate problem logging. Check sections on ITIL problem management or service operation.
NEW QUESTION # 30
A technical team investigating possible controls concludes that the most preferred control cannot be implemented as a result of too many constraints and decides to propose the second-best control. How is this control being referred to?
- A. Compensating control
- B. Corrective control
- C. Deterrent
- D. Detective control
Answer: A
Explanation:
A compensating control is an alternative control implemented when the preferred control cannot be applied due to constraints (e.g., technical, financial, or operational). According to frameworks like COBIT or ISO/IEC 27001, compensating controls provide equivalent or partial risk mitigation when the primary control is infeasible.
Deterrent controls (C) discourage violations, detective controls (D) identify incidents, and corrective controls (B) address issues after they occur. Only compensating control (A) fits the scenario of a second-best alternative chosen because of constraints.
Reference: EPI CITM study guide, under Information Security Management, likely discusses control types, referencing compensating controls in risk management frameworks. Refer to sections on security controls or risk mitigation.
NEW QUESTION # 31
The new system (application) is ready for adoption (implementation). The customer is concerned that an instant change-over from the current system to the new system will create a large impact on the user base.
You are requested to propose an approach for adoption. Which of the items listed below is recommended?
- A. Parallel
- B. Phased
- C. Big bang
- D. Coordinated
Answer: A
Explanation:
When implementing a new system, the customer's concern about a large impact on the user base suggests the need for a low-risk, controlled adoption strategy. In application management, the parallel adoption approach (A) involves running both the old and new systems simultaneously for a period, allowing users to transition gradually while ensuring the new system functions correctly. This minimizes disruption, as the old system remains operational as a fallback if issues arise with the new system.
* Big bang (C): Switches entirely to the new system at once, which is high-risk and likely to cause significant disruption, especially for a concerned user base. It is unsuitable here because of the potential for widespread impact.
* Coordinated (D): Not a standard term in application deployment strategies. It may imply a managed transition but lacks the specificity of the parallel or phased approaches.
* Phased (B): Rolls out the new system incrementally (e.g., by department or module), which reduces risk but does not provide the same level of safety as parallel adoption, where both systems run concurrently to ensure continuity.
The parallel approach is ideal for mitigating risk during a critical system transition, as it allows validation of the new system's performance while maintaining business continuity. According to ITIL or SDLC frameworks, parallel adoption is often recommended for mission-critical systems to ensure stability and user acceptance.
Reference: EPI CITM study guide, under Application Management, likely discusses system implementation strategies within the Software Development Life Cycle (SDLC) or ITIL's service asset and configuration management. Refer to sections on application deployment, transition planning, or change management for details on parallel adoption.
NEW QUESTION # 32
In system (application) development, a use case (user story) is a list of steps defining interactions between a role and a system to achieve a goal. What type of requirement is mentioned here?
- A. Behavioral requirement
- B. Security requirement
- C. Non-functional requirement
- D. Functional requirement
Answer: D
Explanation:
A use case or user story describes interactions between a user (role) and the system to achieve a specific goal, defining what the system must do. This corresponds to a functional requirement (D), which specifies the system's features or capabilities (e.g., "the system shall allow users to submit a return request"). According to SDLC and requirements engineering practice, functional requirements focus on specific functionalities, as captured in use cases.
* Behavioral requirement (A): Not a standard term; it may refer to system behavior but is less specific than a functional requirement.
* Non-functional requirement (C): Covers performance, scalability, or usability (e.g., response time), not specific user interactions.
* Security requirement (B): A subset of non-functional requirements focused on security, not general use case interactions.
Reference: EPI CITM study guide, under Application Management, likely discusses requirements engineering in the SDLC, emphasizing functional requirements in use cases. Check sections on system design or requirements analysis.
NEW QUESTION # 33
Activities in a project are discussed in a Work Breakdown Structure (WBS) session during the planning phase. Team members inform the project manager that whilst estimating the duration for activities, a lot of data exist about the effort required for each of them. Which estimation technique is best considered?
- A. Comparative
- B. Three-point
- C. Top-down
- D. Bottom-up
Answer: D
Explanation:
When a lot of data exist about the effort required for project activities, the bottom-up estimation technique (D) is most appropriate. This method estimates the effort for each task in the Work Breakdown Structure (WBS) individually, then aggregates the estimates to derive the total project duration or cost. It leverages detailed data for accuracy, as per PMBOK's estimation techniques.
* Top-down (C): Uses high-level estimates based on historical data or expert judgment; less accurate when detailed task data are available.
* Three-point (B): Uses optimistic, pessimistic, and most likely estimates to handle uncertainty, but is less focused on leveraging detailed effort data.
* Comparative (A): Likely refers to analogous estimation, which relies on comparisons to past projects, not detailed task data.
Bottom-up estimation is ideal when detailed effort data are available, ensuring precision in project planning.
Reference: EPI CITM study guide, under Project Management, likely covers PMBOK's estimation techniques, emphasizing bottom-up for scenarios with detailed data. Refer to sections on project planning or cost/duration estimation.