Certified Information Security Manager (CISM) — Question 229
Which of the following should be an information security manager's MOST important criterion for determining when to review the incident response plan?
Answer options
- A. When recovery time objectives (RTOs) are not met
- B. When missing information impacts recovery from an incident
- C. Before an internal audit of the incident response process
- D. At intervals indicated by industry best practice
Correct answer: B
Explanation
The correct answer is B because missing information can significantly hinder recovery from an incident, which makes it the most important trigger for reviewing the incident response plan. Options A, C, and D are relevant, but they do not directly address the immediate need to adapt the plan based on the information available during recovery, which is vital for effective incident management.