Certified Information Security Manager (CISM) — Question 1053

Which of the following should an information security manager do FIRST when a vulnerability has been disclosed?

Answer options

Correct answer: B

Explanation

The correct answer is B: conducting a risk assessment comes first because it establishes the likelihood that the vulnerability will be exploited and the potential impact if it is. Performing a patch update (A) and conducting an impact assessment (C) follow from the results of that risk assessment, and a penetration test (D) is not a priority at this stage.