Senior management is typically accountable for ensuring that the impact of a new regulatory framework on a business system is assessed. They are responsible for overseeing the overall operations of the organization and making strategic decisions that align with the organization's goals and objectives. As such, they are in a position to ensure that the necessary resources and support are allocated to assess the impact of new regulations on the organization's systems and to develop and implement the appropriate compliance measures. Additionally, senior management is responsible for ensuring that the organization is in compliance with all relevant laws and regulations, and therefore should be aware of any new regulations that may affect the business.
D. Information security manager. Senior management is ultimately responsible to ensure that the organization is compliant with laws and regulations. However, when it comes to ensuring that the impact of a new regulatory framework on a business system is assessed, that is the responsibility of the Information Security Manager. Senior management will hold the Information Security Manager accountable for it.
The CISM (Certified Information Security Manager) Review Manual, 27th Edition, emphasizes this by stating:
"The information security manager is responsible for ensuring that the impact of changes in the external environment, such as new regulations, is assessed for their impact on the organization's information security."
Your quote above says 'impact on the organization's information security', but the question asks for impact on the business application. I believe it should be the app owner who should be responsible for assessing it, so B is the correct answer.
Information Security Manager (option D).
The Information Security Manager is responsible for overseeing and managing the organization's information security program. This includes assessing the impact of new regulations or regulatory frameworks on the organization's systems and processes. They work closely with various stakeholders, including senior management, legal representatives, and application owners, to ensure compliance with applicable regulations.
If the key word in the question is "accountable," then the correct answer would be A. Senior management.
Senior management is ultimately accountable for ensuring that the impact of a new regulatory framework on a business system is assessed.
While the information security manager may be responsible for conducting the assessment and providing recommendations, senior management has the overall accountability for ensuring that the assessment is carried out and appropriate actions are taken.
It's a new regulation on a business system. Senior management cannot be aware of every new regulation that comes out there. It is the responsibility of the Business Owner, aka Application Owner, to stay on top of regulations that fall in their domain.
The way to think about this question is in the form of a RACI. When you think about it this way, the correct answer is (A) Senior Management as they are most likely to be the ones that own the system.
Rationale:
(B) Application owner(s) are only accountable for what occurs in the apps, but not the system.
(C) Legal representatives are consulted on legal matters, but the accountability cannot be outsourced to them... it stays with the owner.
(D) Information security manager may be consulted on technical matters, but the accountability cannot be outsourced to them... it stays with the owner.
The owner is the person that has the proper knowledge to properly evaluate the impact.
Community vote distribution: A (35%), C (25%), B (20%), Other