Certified Information Security Manager (CISM) — Question 570
Human resources (HR) is evaluating potential Software as a Service (SaaS) cloud services. Which of the following should the information security manager do FIRST to support this effort?
Answer options
- A. Perform a cost-benefit analysis of using cloud services
- B. Conduct a security audit on the cloud service providers
- C. Review the cloud service providers' control reports
- D. Perform a risk assessment of adopting cloud services
Correct answer: D
Explanation
The correct answer is D because performing a risk assessment is essential to identify potential vulnerabilities and threats associated with adopting cloud services. This foundational step allows for informed decision-making before delving into cost analysis, security audits, or reviewing control reports, which are secondary actions based on the identified risks.