nerdexam

CISM Question #729: Real Exam Question with Answer & Explanation

The correct answer is D: Assess the control state.

Submitted by minji_kr · Apr 18, 2026 · Information Security Program Development and Management

Question

A department has reported that a security control is no longer effective. Which of the following is the information security manager's BEST course of action?

Options

  • A. Replace the control.
  • B. Report the failure to management.
  • C. Check for defense in depth.
  • D. Assess the control state.

Explanation

When a department reports that a control is no longer effective, the information security manager's first step is to assess the control's current state: confirm that the failure is real, establish why it failed, determine the scope of the resulting gap and the risk exposure, and identify the remediation options. Replacing the control (A) is premature without that understanding; replacement may be the right outcome, but only once the assessment shows it is needed. Reporting to management (B) is appropriate, but it should follow the assessment so that the report carries the cause, the exposure, and a recommended course of action rather than an unverified claim. Checking for defense in depth (C) tells you whether compensating controls limit the exposure in the meantime, but it does not address the failed control itself. A thorough assessment must precede any corrective action.

Topics

#Security control assessment · #Control effectiveness · #Information security management · #Control failure response
