Certified Information Security Manager (CISM) — Question 784

An information security manager learns that IT personnel are not adhering to the information security policy because it creates process inefficiencies. What should the information security manager do FIRST?

Answer options

• A. Propose that IT update information security policies and procedures.
• B. Request that internal audit conduct a review of the policy development process.
• C. Conduct user awareness training within the IT function.
• D. Determine the risk related to noncompliance with the policy.

Correct answer: D

Explanation

The correct answer is D because determining the risk of noncompliance is essential for understanding the potential impact on the organization and prioritizing further actions. Proposing policy updates (A) or requesting an audit (B) may be relevant later but are not immediate actions. Conducting training (C) does not address the root issue of compliance with the existing policy.