Isaca Updated CISM Exam Questions and Answers by anika

Elapsed time between detection, reporting, and response is the most appropriate metric for evaluating the incident notification process because it measures how quickly and effectively the organization identifies, communicates, and responds to security incidents. The incident notification process is a critical part of the incident response plan that defines the roles and responsibilities, procedures, and channels for reporting and escalating security incidents to the relevant stakeholders. Elapsed time between detection, reporting, and response helps to assess the performance and efficiency of the incident notification process, as well as to identify any bottlenecks or delays that may affect the incident resolution and recovery. Therefore, elapsed time between detection, reporting, and response is the correct answer.

Proactive monitoring (e.g., threat hunting, real-time log analysis, anomaly detection) is the most effective defense against Advanced Persistent Threats (APTs), which are stealthy, well-resourced, and long-term attacks.

APT actors:

Use zero-day exploits

Maintain long-term unauthorized access

Avoid detection

Traditional controls often fail. Proactive monitoring detects anomalies early, allowing for faster mitigation.

“Ongoing monitoring and detection programs are essential for identifying and responding to persistent and evolving threats.”

— CISM Review Manual 15th Edition, Chapter 4: Threat Management, Section: APT Detection Techniques*

When operating in a highly regulated market, compliance requirements become paramount, as failure to comply can lead to severe legal penalties, financial losses, and reputational harm. According to the CISM Review Manual, 16th Edition, Domain 2: Information Risk Management, Task 2, understanding and addressing legal, regulatory, and contractual requirements is critical in risk management, especially in regulated environments. This ensures that the risk management strategy is aligned with mandatory regulations and industry standards. Other factors (such as outsourcing and business culture) are important, but compliance is the primary driver in highly regulated markets.