Certified Information Security Manager (CISM) — Question 735
A strict new regulation is being finalized to address global concerns regarding cybersecurity. Which of the following should the information security manager do FIRST?
Answer options
- A. Monitor industry response to the regulation.
- B. Seek legal counsel on the new regulation.
- C. Validate the applicability of the regulation.
- D. Escalate compliance risk to senior management.
Correct answer: C
Explanation
The correct answer is C, as validating the applicability of the regulation is essential to understand how it impacts the organization. Monitoring industry response (A) and seeking legal counsel (B) are important steps, but they come after determining whether the regulation is relevant. Escalating compliance risk to senior management (D) is also a later step that depends on understanding the regulation's applicability.