Certified Information Security Manager (CISM) — Question 616
Internal audit has reported a number of information security issues that are not in compliance with regulatory requirements. What should the information security manager do FIRST?
Answer options
- A. Create a security exception
- B. Assess the risk to business operations
- C. Perform a vulnerability assessment
- D. Perform a gap analysis to determine needed resources
Correct answer: B
Explanation
Assessing the risk to business operations comes first because it lets the information security manager prioritize the reported issues by their potential impact on the business. Creating a security exception, performing a vulnerability assessment, and conducting a gap analysis are all legitimate steps, but each should follow only once the risks involved are understood.