Certified Information Security Manager (CISM) — Question 610
Which of the following should be an information security manager's FIRST course of action when a newly introduced privacy regulation affects the business?
Answer options
- A. Identify and assess the risk in the context of business objectives
- B. Consult with IT staff and assess the risk based on their recommendations
- C. Update the security policy based on the regulatory requirements
- D. Propose relevant controls to ensure the business complies with the regulation
Correct answer: A
Explanation
The correct answer is A because identifying and assessing the risk in the context of business objectives must come before any further action. Options B, C, and D are premature: consulting IT staff, updating the security policy, and proposing controls all depend on the results of that initial risk assessment.