Certified Information Security Manager (CISM) — Question 713
A software vendor has announced a zero-day vulnerability that exposes an organization’s critical business systems. The vendor has released an emergency patch. Which of the following should be the information security manager’s PRIMARY concern?
Answer options
- A. Ability to test the patch prior to deployment
- B. Adequacy of the incident response plan
- C. Availability of resources to implement controls
- D. Documentation of patching procedures
Correct answer: A
Explanation
The information security manager's primary concern should be the ability to test the patch prior to deployment, as this ensures that the patch does not introduce new issues. While the other options are important, they do not address the immediate risk of deploying an untested patch, which could lead to further vulnerabilities.