CISM Question #521: Real Exam Question with Answer & Explanation

The correct answer is A: Isolate the affected system.. The first action after confirming a cybersecurity attack is to isolate the affected system. This helps prevent the spread of the attack to other systems, containing the incident and minimizing further damage. Once the system is isolated, other actions such as severity assessment,

Submitted by jakub_pl· Apr 18, 2026Information Security Incident Management

Question

Which of the following should be done FIRST once a cybersecurity attack has been confirmed?

Options

AIsolate the affected system.
BSeverity criteria
CRoot cause analysis
DRisk appetite

Explanation

The first action after confirming a cybersecurity attack is to isolate the affected system. This helps prevent the spread of the attack to other systems, containing the incident and minimizing further damage. Once the system is isolated, other actions such as severity assessment, root cause analysis, and addressing risk appetite can follow.

Topics

#Incident Response#Containment#First Responder Actions

Community Discussion

No community discussion yet for this question.

Full CISM Practice Browse All CISM Questions