Certified Information Security Manager (CISM) — Question 673

Which of the following should be the PRIMARY basis for a severity hierarchy for information security incident classification?

Answer options

• A. Legal and regulatory requirements
• B. Root cause analysis results
• C. Availability of resources
• D. Adverse effects on the business

Correct answer: D

Explanation

The correct answer is D because the primary concern in incident classification is the impact on the business, which informs prioritization and response strategies. While legal and regulatory requirements (A), root cause analysis results (B), and availability of resources (C) are important considerations, they are secondary to understanding how an incident affects business operations.