Certified Information Security Manager (CISM) — Question 1057

An organization uses a security standard that has undergone a major revision by the certifying authority. The old version of the standard will no longer be used for organizations wishing to maintain their certifications. Which of the following should be the FIRST course of action?

Answer options

• A. Modify policies to ensure new requirements are covered.
• B. Review the new standard for applicability to the business.
• C. Evaluate the cost of maintaining the certification.
• D. Communicate the new standard to senior leadership.

Correct answer: B

Explanation

The first step should be to review the new standard for applicability to the business because understanding the updated requirements is crucial for compliance. Modifying policies and evaluating costs can only happen after confirming how the new standards apply. Communicating with senior leadership is important, but it should follow the review of the new standard to inform them accurately.