Certified Information Security Manager (CISM) — Question 946

An organization learns that a service provider experienced a breach last month and did not notify the organization. Which of the following should be the information security manager's FIRST course of action?

Answer options

• A. Terminate the provider contract.
• B. Conduct a business impact analysis (BIA).
• C. Inform senior management.
• D. Review the provider contract.

Correct answer: D

Explanation

The correct first step is to review the provider contract to understand the obligations regarding breach notifications. This will help determine if the provider violated any terms before deciding on further actions. Terminating the contract or conducting a BIA may be necessary later, but understanding the contractual terms is essential first.