Certified Information Security Manager (CISM) — Question 30

An information security manager has identified a major security event with potential noncompliance implications. Who should be notified FIRST?

Answer options

Correct answer: C

Explanation

The correct answer is C, Senior management, because they need to be made aware of the incident to make informed decisions about compliance and risk management. Notifying Internal audit (A) or the Public relations team (B) is important but comes after senior management is informed. Regulatory authorities (D) would be involved later, once the organization has assessed the situation and determined the need for external reporting.