- (Topic 3)
An organization experienced a loss of revenue during a recent disaster. Which of the following would BEST prepare the organization to recover?

1. A. Business impact analysis (BIA)
2. B. Business continuity plan (BCP)
3. C. Incident response plan
4. D. Disaster recovery plan (DRP)

Correct Answer: B

- (Topic 2)
Reevaluation of risk is MOST critical when there is:

1. A. resistance to the implementation of mitigating controls.
2. B. a management request for updated security reports.
3. C. a change in security policy.
4. D. a change in the threat landscape.

Correct Answer: D
= Reevaluation of risk is a vital aspect of the risk management process that helps organizations to identify and analyze new or evolving threats, vulnerabilities, and impacts on their assets, and implement the necessary controls to mitigate them. Reevaluation of risk is most critical when there is a change in the threat landscape, which refers to the external and internal factors that influence the likelihood and severity of potential attacks on the organization’s information assets. A change in the threat landscape may be caused by various factors, such as technological innovations, geopolitical events, cybercrime trends, regulatory changes, or organizational changes. A change in the threat landscape may introduce new risks or alter the existing risk profile of the organization, requiring a reassessment of the risk appetite, tolerance, and strategy. Reevaluation of risk helps the organization to adapt to the changing threat landscape and ensure that the information security program remains effective, efficient, and aligned with the business objectives.
References =
✑ CISM Review Manual 15th Edition, page 1131
✑ CISM Domain 2: Information Risk Management (IRM) [2022 update]2
✑ Reevaluation of Risk | CISM Exam Question Answer | ISACA3

- (Topic 3)
Which of the following is the GREATEST concern resulting from the lack of severity criteria in incident classification?

1. A. Statistical reports will be incorrect.
2. B. The service desk will be staffed incorrectly.
3. C. Escalation procedures will be ineffective.
4. D. Timely detection of attacks will be impossible.

Correct Answer: C
The greatest concern resulting from the lack of severity criteria in incident classification is that escalation procedures will be ineffective because they rely on severity criteria to determine when and how to escalate an incident to higher levels of authority or responsibility, and what actions or resources are required for resolving an incident. Statistical reports will be incorrect is not a great concern because they do not affect the incident response process directly, but rather provide information or analysis for improvement or evaluation purposes. The service desk will be staffed incorrectly is not a great concern because it does not affect the incident response process directly, but rather affects the availability or efficiency of one of its components. Timely detection of attacks will be impossible is not a great concern because it does not depend on severity criteria, but rather on monitoring and alerting mechanisms. References: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/incident-response- lessons-learned https://www.isaca.org/resources/isaca-journal/issues/2018/volume- 3/incident-response-lessons-learned

- (Topic 3)
An organization is about to purchase a rival organization. The PRIMARY reason for performing information security due diligence prior to making the purchase is to:

1. A. determine the security exposures.
2. B. assess the ability to integrate the security department operations.
3. C. ensure compliance with international standards.
4. D. evaluate the security policy and standards.

Correct Answer: A
Information security due diligence is the process of assessing the current state of information security in an organization, identifying any gaps, risks, or vulnerabilities, and estimating the costs and efforts required to remediate them. Performing information security due diligence prior to making the purchase is important to determine the security exposures that may affect the value, reputation, or liability of the organization, as well as the feasibility and compatibility of integrating the security systems and processes of the two organizations.
References = CISM Review Manual 2022, page 361; CISM Exam Content Outline, Domain 1, Task 1.22; Information Security Due Diligence Questionnair

- (Topic 3)
Which of the following is the MOST effective way to identify changes in an information security environment?

1. A. Business impact analysis (BIA)
2. B. Annual risk assessments
3. C. Regular penetration testing
4. D. Continuous monitoring

Correct Answer: D
Continuous monitoring is the most effective way to identify changes in an information security environment, as it provides ongoing awareness of the security status, vulnerabilities, and threats that may affect the organization’s information assets and risk posture. Continuous monitoring also helps to evaluate the performance and effectiveness of the security controls and processes, and to detect and respond to any deviations or incidents in a timely manner. (From CISM Review Manual 15th Edition and NIST Special Publication 800-1371)
References: CISM Review Manual 15th Edition, page 181, section 4.3.2.4; NIST Special Publication 800-1371, page 1, section 1.1.