Certified Information Security Manager (CISM) — Question 491

Which of the following should be an information security manager's FIRST course of action when developing an incident management and response plan?

Answer options

• A. Reassess management's risk appetite
• B. Conduct a gap analysis
• C. Update the current risk register
• D. Revise the business continuity plan (BCP)

Correct answer: B

Explanation

The correct answer is B, as conducting a gap analysis helps identify the differences between the current state of incident management and the desired state, which is essential for effective planning. The other options, while important, do not serve as the foundational step in establishing a robust incident management and response plan.