Certified Information Security Manager (CISM) — Question 675
Which of the following is the BEST approach to identify new security issues associated with IT systems and applications in a timely manner?
Answer options
- A. Requiring periodic security audits of IT systems and applications
- B. Comparing current state to established industry benchmarks
- C. Performing a vulnerability assessment for each change to IT systems
- D. Integrating risk assessments into the change management process
Correct answer: D
Explanation
Option D is correct. Integrating risk assessments into the change management process means every proposed change to an IT system or application is evaluated for the security risk it introduces before it is approved and deployed, so new issues are identified at the moment they are introduced rather than at the next scheduled review. Option A (periodic security audits) detects issues only at audit intervals, so anything introduced between audits can remain unknown for months. Option B (comparison with industry benchmarks) is a point-in-time check against a generic baseline; it does not track the specific changes made to the organization's own environment. Option C (a vulnerability assessment for each change) is also change-driven, but it identifies only technical vulnerabilities, not the wider risk a change may create (for example new data flows, access paths or dependencies), and performing a full assessment for every minor change is costly; a change-time risk assessment decides which changes warrant that deeper technical testing. Options A, B and C are therefore less timely or narrower in scope than D.