Certified Information Security Manager (CISM) — Question 162
A critical vulnerability is found on a server hosting multiple applications owned by different business units. One of the business units finds its hosted application will not function with the patch applied and chooses to accept the risk. Which of the following should be the information security manager's NEXT course of action?
Answer options
- A. Update the risk register
- B. Develop a business case for compensating controls
- C. Update the information security policy
- D. Consult the incident management process
Correct answer: A
Explanation
The correct answer is A because the information security manager needs to document the acceptance of risk in the risk register for future reference and accountability. Option B is incorrect as developing compensating controls would imply that the risk is not being accepted. Option C is not appropriate since the policy does not need to be updated if the risk is accepted. Option D does not apply as there is no incident to manage at this stage.