Certified Information Security Manager (CISM) — Question 923
During an internal compliance review, the review team discovers that a critical legacy application is unable to meet the organization's mandatory security requirements. Which of the following should be done FIRST?
Answer options
- A. Update the risk register.
- B. Recommend taking the application out of service.
- C. Implement compensating controls.
- D. Monitor the application until it can be replaced.
Correct answer: A
Explanation
Updating the risk register comes first because it formally documents the identified risk (the legacy application cannot meet mandatory security requirements) so that it can be assessed and prioritized with the organization's other risks. The other options are potential treatment decisions: compensating controls, retirement, or monitoring until replacement are each a response to the risk, and a response should be chosen only after the risk has been formally recorded and assessed.