Certified Information Security Manager (CISM) — Question 316

An employee clicked on a link in a phishing email, triggering a ransomware attack. Which of the following should be the information security manager's FIRST step?

Answer options

• A. Notify internal legal counsel.
• B. Isolate the impacted endpoints.
• C. Wipe the affected system.
• D. Notify senior management.

Correct answer: B

Explanation

The first action should be to isolate the impacted endpoints to prevent further spread of the ransomware. Notifying legal counsel, wiping the system, or alerting senior management can follow but are not immediate actions that stop the threat.