Certified Information Security Manager (CISM) — Question 836

A third-party audit of an organization's network security has identified several critical risks. Which of the following should the information security manager do NEXT?

Answer options

• A. Assign risk ownership.
• B. Identify mitigating controls.
• C. Report the findings to senior management.
• D. Prioritize the risks.

Correct answer: D

Explanation

The correct next step is to prioritize the risks, as it allows the information security manager to focus on the most critical issues first. Assigning risk ownership, identifying mitigating controls, and reporting findings are important but should follow after determining which risks need immediate attention.