Certified Information Security Manager (CISM) — Question 683

An organization recently updated and published its information security policy and standards. What should the information security manager do NEXT?

Answer options

• A. Update the organization's risk register.
• B. Develop a policy exception process.
• C. Communicate the changes to stakeholders.
• D. Conduct a risk assessment.

Correct answer: C

Explanation

The correct answer is C, as communicating changes to stakeholders ensures that everyone is aware of the updated policies and can comply accordingly. Options A, B, and D are important tasks but should follow the communication of the changes to ensure that all parties are informed before any further actions are taken.