Certified Information Security Manager (CISM) — Question 208

An organization is going through a digital transformation process, which places the IT organization in an unfamiliar risk landscape. The information security manager has been tasked with leading the IT risk management process. Which of the following should be given the HIGHEST priority?

Answer options

• A. Identification of risk
• B. Selection of risk treatment options
• C. Analysis of control gaps
• D. Design of key risk indicators (KRIs)

Correct answer: A

Explanation

The identification of risk is crucial as it lays the foundation for all subsequent risk management activities. Without understanding what risks exist, the organization cannot effectively select treatment options, analyze control gaps, or design KRIs. The other options depend on having a clear understanding of the risks first.