Certified Information Security Manager (CISM) — Question 611

Which of the following should be done FIRST once a cybersecurity attack has been confirmed?

Answer options

• A. Isolate the affected system
• B. Power down the system
• C. Notify senior management
• D. Contact legal authorities

Correct answer: A

Explanation

The first step in responding to a confirmed cybersecurity attack is to isolate the affected system to prevent further damage and contain the breach. Powering down the system may not be appropriate as it could lead to loss of valuable evidence. Notifying senior management and contacting legal authorities are important but should occur after the immediate threat is contained.