Exam CISM topic 1 question 143 discussion

A. a consolidated event timeline. A consolidated event timeline is primarily used during a post-incident review to analyze the sequence and correlation of actions. This timeline combines data from various sources to provide a comprehensive overview of the incident from start to finish. It helps to understand the chronological order of events, how the incident unfolded, and how responses were made at each stage. By laying out the sequence of events in a linear timeline, it's easier to identify any delays, overlaps, or gaps in the response, which are crucial for improving future incident response strategies. While logs from systems involved (option B), interviews with personnel (option C), and documents created during the incident (option D) are valuable sources of information, they contribute to the creation of the consolidated event timeline rather than serve as primary analytical tools by themselves. These elements feed into the timeline, providing details and context that help to form a complete picture of the incident and the effectiveness of the response.

A - Key words - "Sequence"

B,C,D are all used to create A

The response depends on what you are considering in a "consolidated" timeline. If it includes the documents created during the incidents, response A is OK. Otherwise response D is obvious as it may also include the timeline.

D. documents created during the incident.

D. documents created during the incident.

WHY IS NOT B?

Event timeline for sure.

D was my guess. However, if the "event timeline" includes these documents and logs (Choice D & B), then I can understand A being the answer.

event timeline is most reliable.

D. documents created during the incident is more appropriate