Certified Information Security Manager (CISM) — Question 646

After an information security incident has been detected and its priority established, which of the following should be the NEXT course of action?

Answer options

• A. Gathering evidence
• B. Eradicating the incident
• C. Performing a risk assessment
• D. Containing the incident

Correct answer: D

Explanation

The next step after detecting and prioritizing an information security incident is to contain the incident, which helps prevent further damage or spread. Gathering evidence and eradicating the incident are important but should occur after containment. Performing a risk assessment is also necessary but typically follows immediate containment measures.