Certified Information Security Manager (CISM) — Question 1144
An organization has remediated a security flaw in a system. Which of the following should be done NEXT?
Answer options
- A. Allocate budget for penetration testing.
- B. Update the system's documentation.
- C. Assess the residual risk.
- D. Share lessons learned with the organization.
Correct answer: C
Explanation
The correct answer is C because assessing residual risk is crucial to understanding what vulnerabilities may still exist after remediation. Options A and B are important but are not the immediate next step after remediation. Option D is valuable but should follow the risk assessment.