Certified Information Security Manager (CISM) — Question 57
An information security manager was informed that a planned penetration test could potentially disrupt some services. Which of the following should be the FIRST course of action?
Answer options
- A. Estimate the impact and inform the business owner.
- B. Accept the risk and document it in the risk register.
- C. Ensure the service owner is available during the penetration test.
- D. Reschedule the activity during an approved maintenance window.
Correct answer: A
Explanation
The correct first step is to estimate the impact of the potential disruption and inform the business owner. The business owner, not the security manager, owns the affected services and the associated risk, so an impact estimate is needed before any decision on how to proceed can be made. Accepting the risk and recording it in the risk register (B) is premature, since the risk has not yet been assessed and the decision to accept it belongs to the business owner. Having the service owner on standby during the test (C) and rescheduling the test into an approved maintenance window (D) are both reasonable mitigations, but they are responses chosen after the impact is understood and communicated, not the first action.