Certified Information Security Manager (CISM) — Question 559
It is MOST important for an information security manager to ensure that security risk assessments are performed:
Answer options
- A. during a root cause analysis.
- B. as part of the security business case.
- C. consistently throughout the enterprise.
- D. in response to the threat landscape.
Correct answer: C
Explanation
The correct answer is C because security risk assessments must be performed consistently, with the same scope and methodology, across the entire enterprise in order to manage and mitigate risk effectively. Options A, B, and D describe assessments triggered only by specific events or contexts (a root cause analysis, a business case, a change in the threat landscape), which does not provide the comprehensive, enterprise-wide oversight that robust security management requires.