Certified Information Security Manager (CISM) — Question 771
Due to changes in an organization’s environment, security controls may no longer be adequate. What is the information security manager’s BEST course of action?
Answer options
- A. Perform a new risk assessment.
- B. Review the previous risk assessment and countermeasures.
- C. Transfer the new risk to a third party.
- D. Evaluate countermeasures to mitigate new risks.
Correct answer: A
Explanation
The best action is to perform a new risk assessment, because it produces a current picture of threats, vulnerabilities and impacts after the environment has changed, and that picture is what determines whether existing controls are still adequate. Reviewing the previous assessment and its countermeasures (B) is a useful input, but it is anchored to the old environment and may miss new risks introduced by the change. Transferring risk to a third party (C) is only one possible treatment option, and evaluating countermeasures (D) is a later step in the process; neither can be chosen sensibly until the new risks have been identified and assessed, so both address a symptom rather than the underlying problem.