Certified Information Security Manager (CISM) — Question 592

After the occurrence of a major information security incident, which of the following will BEST help an information security manager determine corrective actions?

Answer options

• A. Preserving the evidence
• B. Performing an impact analysis
• C. Calculating cost of the incident
• D. Conducting a postmortem assessment

Correct answer: D

Explanation

Conducting a postmortem assessment allows the information security manager to analyze what went wrong and why, leading to actionable insights for future prevention. Preserving evidence, performing impact analysis, and calculating costs are important, but they do not provide the same level of comprehensive understanding of the incident as a postmortem assessment does.