Certified Information Security Manager (CISM) — Question 439

When preventive controls to appropriately mitigate risk are not feasible, which of the following is the MOST important action for the information security manager?

Answer options

• A. Identifying unacceptable risk levels
• B. Assessing vulnerabilities
• C. Evaluating potential threats
• D. Managing the impact

Correct answer: D

Explanation

The correct answer is D, as managing the impact is essential when preventive controls cannot be established, ensuring that any potential damage is minimized. Options A, B, and C focus on identifying and assessing risks and vulnerabilities, which are important but secondary to directly addressing the consequences of the risks that have not been mitigated.