Isaca Updated CISM Exam Questions and Answers by zayan

A business impact analysis (BIA) is a process that helps identify and evaluate the potential effects of disruptions or incidents on the organization’s mission, objectives, and operations. A BIA should be periodically executed to verify the effectiveness of the controls that are implemented to prevent, mitigate, or recover from such disruptions or incidents12.

According to the CISM Manual, a BIA should be performed at least annually for critical systems and processes, and more frequently for non-critical ones3. A BIA should also be updated whenever there are significant changes in the organization’s environment, such as new regulations, technologies, business models, or stakeholder expectations3. A BIA should not be used to validate vulnerabilities on environmental changes (A), analyze the importance of assets (B), or check compliance with regulations ©, as these are not the primary purposes of a BIA.

The main reason to involve stakeholders from various business units is to gain their acceptance and buy-in for the information security policy. The CISM Review Manual underlines that policies are more effective and enforceable when stakeholders understand and agree with them, which also aids in smooth policy implementation across the organization.

Risk transfer involves shifting the impact or financial consequences of a risk to a third party. Purchasing cybersecurity insurance is the most common example, where the organization pays a premium to a provider who assumes certain financial responsibilities in the event of a security incident.

Other options listed do not transfer risk:

A. Using third-party applications may introduce new risks, not transfer existing ones.

C. Moving ownership within the organization is reassignment, not transfer.

D. Off-site backups are a form of risk mitigation, not transfer.

“Risk transfer shifts the financial consequences of a risk to another entity, typically through insurance or contractual arrangements.”

— CISM Review Manual 15th Edition, Chapter 2: Risk Management, Section: Risk Treatment Options*

Example: “An organization may transfer the financial impact of a potential data breach through the purchase of cyber insurance.”