Certified Information Security Manager (CISM) — Question 513
Which of the following should an information security manager do FIRST upon learning of noncompliance with an impending information security regulatory change?
Answer options
- A. Conduct a business impact and vulnerability analysis.
- B. Report the noncompliance to senior management.
- C. Assess the risk and cost of noncompliance.
- D. Implement the correct measures to become compliant.
Correct answer: C
Explanation
The correct answer is C because assessing the risk and cost of noncompliance establishes the potential impact on the organization before any further action is taken. Options A, B, and D are important steps, but they should follow the initial risk assessment so that the response effort can be prioritized effectively.