ExamTopics Logo
Mail Us[email protected]
Menu
Isaca Discussions
exam questions

Exam CISM All Questions

View all questions & answers for the CISM exam
Go to Exam

Exam CISM topic 1 question 117 discussion

Actual exam question from Isaca's CISM
Question #: 117
Topic #: 1
[All CISM Questions]

Which of the following should an information security manager perform FIRST when an organization's residual risk has increased?

  • A. Implement security measures to reduce the risk.
  • B. Assess the business impact.
  • C. Transfer the risk to third parties.
  • D. Communicate the information to senior management.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by richck102 at May 25, 2023, 6:26 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Jess20
Highly Voted 1 year, 5 months ago
Selected Answer: B
B. You can not go to senior management without information (Asses the business impact)
upvoted 5 times
...
841c750
Most Recent 5 months, 1 week ago
If the residual risk has already been calculated and confirmed to have increased, the business impact should have already been considered as part of that calculation. In this case, reassessing the business impact might not be necessary because it was already factored into the residual risk analysis.
upvoted 1 times
...
c041644
1 year ago
B must assess something before briefing leadership.
upvoted 1 times
...
Thavee
1 year ago
Selected Answer: D
CISM QA are not consistent. Some went to management first, but some action by ISM is taken first. What about the assessment comes with cost and time?? Why dont we just go to senior management first, telling them about the story. Later on, ask the Senior management for budget/time/OT/Resources to do the assessment. Assessments may not be done in just half an hour like patching the windows, but it may need all departments to get involved.
upvoted 3 times
...
AaronS1990
1 year, 8 months ago
Selected Answer: B
Assess the impact and then inform management. What could you really tell them if don't know the implications of the new level of risk?
upvoted 2 times
...
sphenixfire
1 year, 10 months ago
Selected Answer: D
Would say D. First inform and record the risk and get acceptance. If not, provide options for mitigation woth price tag.
upvoted 1 times
[Removed]
1 year, 10 months ago
you have to inform the management with the impact
upvoted 1 times
...
...
richck102
1 year, 11 months ago
Selected Answer: B
B. Assess the business impact.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago