Certified Information Security Manager (CISM) — Question 485
An external security audit has reported multiple instances of control noncompliance. Which of the following is MOST important for the information security manager to communicate to senior management?
Answer options
- A. The impact of noncompliance on the organization's risk profile
- B. An accountability report to initiate remediation activities
- C. Control owner responses based on a root cause analysis
- D. A plan for mitigating the risk due to noncompliance
Correct answer: A
Explanation
The most important thing to communicate to senior management is how the noncompliance affects the organization's overall risk profile, because that is what informs strategic decisions. Remediation activities and root cause analyses matter, but they are secondary to understanding the broader implications of the noncompliance. A mitigation plan is also essential, but it should be informed by the assessment of the risk impact rather than precede it.