Certified Information Security Manager (CISM) — Question 679

When a critical system incident is reported, the FIRST step of the incident handler should be to:

Answer options

• A. power off the system.
• B. determine the scope of the incident.
• C. validate the incident.
• D. notify the appropriate parties.

Correct answer: C

Explanation

The correct first step is to validate the incident, as this ensures that the reported issue is genuine and requires attention. If the incident isn't validated, taking further actions like notifying parties or determining the scope may be unnecessary and could lead to wasted resources. Powering off the system or assessing scope can only be done meaningfully after the incident has been confirmed.