Certified Information Security Manager (CISM) — Question 635

An organization has acquired a company in a foreign country to gain an advantage in a new market. Which of the following is the FIRST step the information security manager should take?

Answer options

• A. Evaluate the information security laws that apply to the acquired company
• B. Apply the existing information security program to the acquired company
• C. Merge the two existing information security programs
• D. Determine which country's information security regulations will be used

Correct answer: A

Explanation

The correct answer is A because understanding the information security laws that govern the acquired company is essential for compliance and risk management. Options B and C are premature actions that should only be considered after evaluating the legal landscape, while option D is too broad and does not focus specifically on the acquired company's regulations.