Certified Information Security Manager (CISM) — Question 205

Which of the following should an information security manager do FIRST when a mandatory security standard hinders the achievement of an identified business objective?

Answer options

• A. Recommend risk acceptance.
• B. Perform a cost-benefit analysis.
• C. Escalate to senior management.
• D. Revisit the business objective.

Correct answer: C

Explanation

The correct response is to escalate to senior management because they have the authority to make decisions regarding the business objectives and security standards. Other options like recommending risk acceptance or performing a cost-benefit analysis may be relevant later, but they do not address the immediate need for senior management's input on balancing security requirements with business goals.