
Exam CISM topic 1 question 117 discussion

Actual exam question from Isaca's CISM
Question #: 117
Topic #: 1

Which of the following should an information security manager perform FIRST when an organization's residual risk has increased?

  • A. Implement security measures to reduce the risk.
  • B. Assess the business impact.
  • C. Transfer the risk to third parties.
  • D. Communicate the information to senior management.
Suggested Answer: B

Comments

841c750
4 days, 11 hours ago
If the residual risk has already been calculated and confirmed to have increased, the business impact should have already been considered as part of that calculation. In this case, reassessing the business impact might not be necessary because it was already factored into the residual risk analysis.
upvoted 1 times
...
c041644
7 months, 1 week ago
B must assess something before briefing leadership.
upvoted 1 times
...
Thavee
7 months, 2 weeks ago
Selected Answer: D
CISM QA are not consistent. Some went to management first, but some action by ISM is taken first. What about the assessment comes with cost and time? Why don't we just go to senior management first, telling them about the story. Later on, ask the senior management for budget/time/OT/resources to do the assessment. Assessments may not be done in just half an hour like patching the windows, but it may need all departments to get involved.
upvoted 3 times
...
Jess20
1 year ago
Selected Answer: B
B. You cannot go to senior management without information (Assess the business impact).
upvoted 4 times
...
AaronS1990
1 year, 3 months ago
Selected Answer: B
Assess the impact and then inform management. What could you really tell them if you don't know the implications of the new level of risk?
upvoted 2 times
...
sphenixfire
1 year, 5 months ago
Selected Answer: D
Would say D. First inform and record the risk and get acceptance. If not, provide options for mitigation with price tag.
upvoted 1 times
[Removed]
1 year, 4 months ago
You have to inform the management with the impact.
upvoted 1 times
...
...
richck102
1 year, 5 months ago
Selected Answer: B
B. Assess the business impact.
upvoted 2 times
...