Exam CISM topic 1 question 719 discussion

I like A as well here. Why would you reach out to the process owner if you aren't 100% sure it's a security incident? Verifying that it is an incident would be part of the incident response plan. Also the incident could be minor OR nothing, so NOT D.

Question is about incident classification, so follow the incident response if not sure what classification to assign the incident.

A - IRP is crucial because it provides a structured approach to handle suspected security events. The IRP outlines the necessary steps for identifying, assessing, and responding to incidents. Option D is important too, but notifying the business process owner typically comes after the initial steps outlined in the IRP. The primary goal is to ensure that the incident is managed effectively from the outset, which is why following the IRP is prioritized. Notifying the business process owner is important, but it typically comes after the initial steps outlined in the IRP. The primary goal is to ensure that the incident is managed effectively.

D- based on the question, it is not an incident yet, therefore validation is required, and notifying the business owner would result in the validation as well as how to classify it.

The question has given the answer: "Before classifying the suspected event as a security incident it is MOST important for the security manager to", if it is a confirmed incident that you can follow the IRP, but notifying the business owner is important and discussion with the business process owner can validate if it is suspected or confirmed.

The ISM is in no way a SME when it comes to specific processes. The process owner needs to be contacted in order for them to classify if it is an incident.

business process owner will have input which will help classify the incident - it may not be a security incident so security incident response should not be initiated until it is classified as such

D. notify the business process owner .......You cannot A. Follow the Incident Response Plan when the event is not yet classified as an incident. The question clearly states that the event has not yet been classified as an incident. D. is the correct answer not A.

You cannot activate an incident response plan before declaring an event as an incident.

A. Follow the incident response plan: Incident response plans are specifically designed to guide organizations in responding to and managing security incidents. They outline the steps to take when an incident occurs, including how to assess the situation, contain the incident, mitigate its impact, and recover from it. By following the incident response plan, the security manager can ensure that the appropriate actions are taken promptly to address the suspected security event.

I agree that at this stage it is still not an incident. The closest answer to "verifying the incident" IE further digging is D

Dear all, please pay attention on the sentence "Before classifying the suspected event as a security incident", IRP should not be the correct answer, you should better to "Answer D".

Guys ,Given answer is correct , its still an event . IRP is initiated when its classified as an incident . Although D as an answer is not good .

A. follow the incident response plan

A. follow the incident response plan. Following the incident response plan is crucial in situations where a suspected security event is detected. The incident response plan provides guidelines and procedures for handling security incidents, including the steps to be taken when a suspected event is identified. By following the incident response plan, the security manager ensures that the appropriate actions are taken promptly and effectively, minimizing the potential impact of the incident.

Think it's A here. Notifying BO would also be a part of the incident response plan I would think.

Before classifying the suspected event as a security incident, it is most important for the security manager to follow the incident response plan.