Certified Information Security Manager (CISM) — Question 568

An organization's operations have been significantly impacted by a cyberattack resulting in data loss. Once the attack has been contained, what should the security team do NEXT?

Answer options

• A. Update the incident response plan.
• B. Perform a root cause analysis.
• C. Implement compensating controls.
• D. Conduct a lessons learned exercise.

Correct answer: B

Explanation

Performing a root cause analysis is crucial to understand how the cyberattack occurred and to prevent future incidents. Updating the incident response plan, implementing compensating controls, and conducting lessons learned exercises are important steps, but they should follow the root cause analysis to ensure informed decisions are made.