Certified Information Security Manager (CISM) — Question 933
An incident management team leader sends out a notification that the organization has successfully recovered from a cyberattack. Which of the following should be done NEXT?
Answer options
- A. Secure and preserve digital evidence for analysis.
- B. Gather feedback on business impact.
- C. Conduct a meeting to capture lessons learned.
- D. Prepare an executive summary for senior management.
Correct answer: C
Explanation
The correct action is to conduct a meeting to capture lessons learned, as this is essential for improving future responses to incidents. While securing evidence and gathering feedback are important, they come after the immediate need to analyze what happened and determine how to prevent it in the future. Preparing an executive summary is also significant but should follow the lessons-learned meeting.