Well this is weird. According to CISM Exam Prep Guide (2nd ed.), page 453, both B and C are correct and B is considered first but it's not explicitly said.
CISM AIO on page 501 is more concrete:
"- Post-incident Review -
Shortly after the incident closes, incident responders and other personnel meet to discuss the incident: its cause, impact, and the organization’s response. Discussion can range from lessons learned to possible improvements in technologies and processes to improve defense and response further."
I thought so too however after some research, it appears there is also a strategic place for RCA in the PIR phase. Heres why:
During Eradication, the focus is on eliminating the threat from the affected systems and preventing its immediate spread. RCA at this stage is aimed at understanding how the threat entered and escalated within the system, to ensure complete removal. The urgency is on addressing the incident and securing the environment.
During PIR, the emphasis shifts to a broader analysis and reflection. Here, RCA is revisited or expanded upon with the benefit of hindsight, more data, and a less pressured environment compared to the active incident response. This review aims to refine the incident response process, improve security postures, and ensure better preparedness for future incidents.
The distinction here is not so much about when RCA is performed, as it is critical at multiple stages, but rather about the depth and breadth of analysis.
upvoted 1 times
...
...
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
AlexJacobson
7 months, 3 weeks agoAlexJacobson
7 months, 3 weeks agorichck102
10 months, 3 weeks agoiacini
1 year agodevilend
1 year agohelg420
4 months ago