Certified Information Security Manager (CISM) — Question 1149
Which of the following is MOST important to complete during the recovery phase of an incident response process before bringing affected systems back online?
Answer options
- A. Test and verify that compromised systems are clean.
- B. Document recovery steps for senior management reporting.
- C. Record and close security incident tickets.
- D. Capture and preserve forensic images of affected systems.
Correct answer: A
Explanation
Option A is correct: compromised systems must be thoroughly cleaned, and tested and verified as clean, before they are brought back online, which prevents further security breaches. Documenting recovery steps, closing incident tickets, and preserving forensic images are important activities, but they do not directly address the immediate risk of reinfection or compromise that could arise from reactivating systems that are not clean.