Certified Information Security Manager (CISM) — Question 804
Which of the following should an information security manager do FIRST when noncompliance with security standards is identified?
Answer options
- A. Validate the noncompliance
- B. Include the noncompliance in the risk register
- C. Report the noncompliance to senior management
- D. Implement compensating controls to mitigate the noncompliance
Correct answer: A
Explanation
The first step in addressing noncompliance is to validate it, confirming that the issue is real and has been accurately identified. Without this validation, actions such as reporting to senior management, adding the item to the risk register, or implementing compensating controls may be premature and based on incorrect information. Confirming the noncompliance is therefore essential before any further step is taken.