Certified Information Security Manager (CISM) — Question 463
An organization performed a risk analysis and found a large number of assets with low-impact vulnerabilities. The NEXT action of the information security manager should be to:
Answer options
- A. transfer the risk to a third party.
- B. determine appropriate countermeasures.
- C. report to management.
- D. quantify the aggregated risk.
Correct answer: D
Explanation
The correct answer is D. Individually low-impact vulnerabilities spread across a large number of assets can add up to significant overall exposure, so quantifying the aggregated risk gives the information security manager an accurate picture of the organization's total exposure and a basis for prioritizing what to do next. The other options, such as transferring the risk or reporting to management, may be appropriate later but do not address the immediate need to assess the total risk presented by the identified vulnerabilities.