Isaca Updated CISM Exam Questions and Answers by zayan

The impact of noncompliance on the organization’s risk profile is the MOST important information for the information security manager to communicate to senior management, because it helps them understand the potential consequences of not adhering to the established controls and the need for corrective actions. Noncompliance may expose the organization to increased threats, vulnerabilities, and losses, as well as legal, regulatory, and contractual liabilities.

References =

CISM Review Manual, 16th Edition, ISACA, 2020, p. 84: “The information security manager should report on information security risk, including noncompliance and changes in information risk, to key stakeholders to facilitate the risk management decision-making process.”

CISM Review Manual, 16th Edition, ISACA, 2020, p. 85: “Noncompliance with information security policies, standards, and procedures may result in increased threats, vulnerabilities, and losses, as well as legal, regulatory, and contractual liabilities for the enterprise.”

Before outsourcing any application or service, an information security manager should first determine the required security controls for the new solution, based on the organization’s risk appetite, security policies and standards, and regulatory requirements. This will help to evaluate and select the most suitable provider, as well as to define the security roles and responsibilities, service level agreements (SLAs), and audit requirements. References: https://www.isaca.org/credentialing/cism https://www.wiley.com/en-us/CISM+Certified+Information+Security+Manager+Study+Guide-p-9781119801948

Risk assessment is the BEST input to a business case for a technical solution to address potential system vulnerabilities, because it helps to identify and prioritize the most critical risks that the solution should mitigate or reduce. Risk assessment also helps to evaluate the costs and benefits of the solution in terms of reducing the likelihood and impact of potential threats and incidents.

References =

CISM Review Manual, 16th Edition, ISACA, 2020, p. 47: “Risk assessment is the process of identifying and analyzing information security risks and determining their potential impact on the enterprise’s business objectives.”

CISM Review Manual, 16th Edition, ISACA, 2020, p. 48: “Risk assessment provides input to the business case for information security investments by identifying and prioritizing the most critical risks that need to be addressed and evaluating the costs and benefits of the proposed solutions.”