Certified Information Security Manager (CISM) — Question 134

During the due diligence phase of an acquisition, the MOST important course of action for an information security manager is to:

Answer options

• A. review the state of security awareness
• B. review information security policies
• C. perform a risk assessment
• D. perform a gap analysis

Correct answer: C

Explanation

Conducting a risk assessment is vital during the due diligence phase as it helps identify potential security vulnerabilities and threats associated with the acquisition. While reviewing security awareness, policies, and performing a gap analysis are important, they do not provide the comprehensive risk evaluation necessary to make informed decisions.