exam questions

Exam CISM All Questions

View all questions & answers for the CISM exam

Exam CISM topic 1 question 873 discussion

Actual exam question from Isaca's CISM
Question #: 873
Topic #: 1
[All CISM Questions]

A third-party audit of an organization's network security has identified several critical risks. Which of the following should the information security manager do NEXT?

  • A. Assign risk ownership.
  • B. Identify mitigating controls.
  • C. Report the findings to senior management.
  • D. Prioritize the risks.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
neo_wong
2 months, 1 week ago
Selected Answer: D
As Marcelus1714 said
upvoted 1 times
...
Booict
4 months, 3 weeks ago
Selected Answer: C
Option C is the most appropriate next step because it ensures that the leadership is informed about the critical risks and can provide the necessary support and resources to address them.
upvoted 1 times
...
yottabyte
9 months ago
Selected Answer: C
all are critical risks, so report to management.
upvoted 2 times
...
oluchecpoint
9 months, 1 week ago
Selected Answer: C
Option C - get management notify
upvoted 1 times
...
xcjxcj
9 months, 1 week ago
Selected Answer: A
I would suggest to put risk owner then present to senior management. D. is not the choice since all are CRITICAL
upvoted 1 times
...
Marcelus1714
10 months, 1 week ago
Selected Answer: D
It says "next", I believe you prioritize first, and then you and tell to the management?
upvoted 2 times
...
AlexJacobson
10 months, 3 weeks ago
Selected Answer: C
I'm not sure D is the answer here... In the company where I work, when 3rd-party audit is done and we receive the report, this goes straight to senior management (through CSO), especially if there are critical risks. After that, we usually have meetings with CSO where we discuss remediation and deadlines (I'm in IT/cybersec, btw)
upvoted 1 times
AlexJacobson
10 months, 3 weeks ago
Although, the hint here is "network security", meaning technical stuff. So no business processes are in direct danger. So maybe it is D after all...dunno really :)
upvoted 1 times
...
...
Soleandheel
1 year ago
D. Prioritize the risks ....first before acting on anything else.
upvoted 1 times
...
richck102
1 year, 2 months ago
D. Prioritize the risks.
upvoted 1 times
...
wickhaarry
1 year, 2 months ago
A. Assign risk ownership. After risk identification , risk needs to be assigned an owner
upvoted 1 times
...
BennyMao
1 year, 3 months ago
Selected Answer: C
Usually external audit findings will go to senior management, especially for critical risks so they are aware and able to provide direction. Prioritizing risks should not be decided by Security Manager without consultation with business managers who are in better position to advise the impact.
upvoted 1 times
...
AaronS1990
1 year, 4 months ago
Selected Answer: D
D definitely
upvoted 3 times
...
Saisharan
1 year, 4 months ago
Option D
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago