Certified Information Security Manager (CISM) — Question 239

During the eradication phase of an incident response, it is MOST important to:

Answer options

• A. identify the root cause
• B. restore from the most recent backup
• C. notify affected users
• D. wipe the affected system

Correct answer: A

Explanation

Identifying the root cause is essential to ensure that the same incident does not occur again in the future. Restoring from a backup, notifying users, and wiping the system are important but secondary actions that depend on understanding the initial cause of the incident.