Certified Information Security Manager (CISM) — Question 1048

Who should be included in INITIAL discussions regarding a failed security control?

Answer options

• A. Penetration testers
• B. The service provider
• C. Senior management
• D. The process owner

Correct answer: D

Explanation

The process owner is essential in initial discussions about a failed security control because they are directly responsible for the management and integrity of that control. While penetration testers, service providers, and senior management may have valuable insights, the process owner has the most relevant knowledge regarding the specific control's intended function and operation.