Certified Information Security Manager (CISM) — Question 649
An information security manager learns of a new standard related to an emerging technology the organization wants to implement. Which of the following should the information security manager recommend be done FIRST?
Answer options
- A. Perform a risk assessment on the new technology.
- B. Obtain legal counsel's opinion on the standard's applicability to regulations.
- C. Determine whether the organization can benefit from adopting the new standard.
- D. Review industry specialists' analyses of the new standard.
Correct answer: A
Explanation
The correct answer is A: performing a risk assessment on the new technology should come first, because it identifies the potential vulnerabilities and business impacts associated with the technology before any further steps are taken. Options B, C, and D are important but should follow the risk assessment, since understanding the risks is fundamental to making informed decisions about the legal, operational, and strategic considerations they address.