Certified Information Security Manager (CISM) — Question 831
While responding to a high-profile security incident, an information security manager observed several deficiencies in the current incident response plan. When would be the BEST time to update the plan?
Answer options
- A. While responding to the incident
- B. During post-incident review
- C. During a tabletop exercise
- D. After a risk reassessment
Correct answer: B
Explanation
The best time to update the incident response plan is during the post-incident review, as this allows for a thorough analysis of what went wrong and what can be improved. Updating the plan while responding to the incident (A) may lead to rushed decisions, while doing so during tabletop exercises (C) or after a risk reassessment (D) does not take into account the specific learnings from the incident.