Certified Information Security Manager (CISM) — Question 517
Which of the following should an information security manager perform FIRST when an organization's residual risk has increased?
Answer options
- A. Implement security measures to reduce the risk.
- B. Assess the business impact.
- C. Transfer the risk to third parties.
- D. Communicate the information to senior management.
Correct answer: B
Explanation
The correct answer is B. Assessing the business impact lets the information security manager understand what the increased residual risk means for the organization before deciding how to respond. Implementing security measures, transferring the risk, or communicating with senior management are all important follow-on steps, but each depends on first understanding the full scope of the impact.