Certified Information Security Manager (CISM) — Question 473

An executive's personal mobile device used for business purposes is reported lost. The information security manager should respond based on:

Answer options

• A. the acceptable use policy.
• B. asset management guidelines.
• C. the business impact analysis (BIA).
• D. incident classification.

Correct answer: D

Explanation

The information security manager should respond based on incident classification, as it helps determine the severity and necessary actions for the reported loss. The acceptable use policy and asset management guidelines provide general rules and management practices, but they are not tailored to immediate incident response. The business impact analysis (BIA) assesses potential impacts but does not dictate the response process for a lost device.