CISM Question #832: Real Exam Question with Answer & Explanation

The correct answer is B: Confirm the system's recovery time objective (RTO).. Taking a critical business system offline is a business-impact decision, not just a technical one. Before containment actions that cause downtime, the information security manager must ensure the action aligns with approved RTOs. This ensures that business impact is understood an

Submitted by omar99· Apr 18, 2026Information Security Incident Management

Question

An information security manager is handling a breach. For containment purposes, the incident responders must take a critical business system offline. Which of the following is the MOST important course of action?

Options

APreserve forensic evidence.
BConfirm the system's recovery time objective (RTO).
CInitiate the disaster recovery plan (DRP).
DVerify backups of the data.

Explanation

Taking a critical business system offline is a business-impact decision, not just a technical one. Before containment actions that cause downtime, the information security manager must ensure the action aligns with approved RTOs. This ensures that business impact is understood and authorized, and incident response actions align with business continuity expectations.

Topics

#Incident Response#Containment#Recovery Time Objective (RTO)#Business Impact

Community Discussion

No community discussion yet for this question.

Full CISM Practice Browse All CISM Questions