Certified Information Security Manager (CISM) — Question 125
What should be an information security manager's MOST important consideration when reviewing a proposed upgrade to a business unit's production database?
Answer options
- A. Ensuring the application inventory is updated
- B. Ensuring residual risk is within appetite
- C. Ensuring a cost-benefit analysis is completed
- D. Ensuring senior management is aware of associated risk
Correct answer: B
Explanation
The correct answer is B because it is crucial for an information security manager to ensure that the residual risks of the upgrade are acceptable and within the organization's risk appetite. Updating the application inventory, completing a cost-benefit analysis, and informing senior management are important considerations, but they do not address the core concern of risk management, which is paramount in information security.