Certified Information Security Manager (CISM) — Question 471
Which of the following activities MUST be performed by an information security manager for change requests?
Answer options
- A. Assess impact on information security risk.
- B. Perform penetration testing on affected systems.
- C. Scan IT systems for operating system vulnerabilities.
- D. Review change in business requirements for information security.
Correct answer: A
Explanation
The correct answer is A because assessing the impact on information security risk is essential to ensure that a change does not introduce new vulnerabilities or weaken existing controls. Penetration testing, vulnerability scanning, and reviewing business requirements for information security may be appropriate for particular changes, but they are not mandatory for the evaluation of every change request.