CISM Question #929: Real Exam Question with Answer & Explanation
The correct answer is D: Incident categorization.
Question
Which of the following MOST directly influences the efficiency of incident response immediately after an incident has been detected?
Options
- A. Incident containment and mitigation
- B. Root cause analysis
- C. Lessons learned
- D. Incident categorization
Explanation
Incident categorization (D) is correct because it is the first action taken after detection - before any meaningful response can proceed, responders must classify the incident by type, severity, and priority to know which playbook to follow, who to notify, and how urgently to act. Without categorization, response efforts are unfocused and inefficient.
Why the others are wrong:
- A (Containment/Mitigation) happens after categorization - you can't contain an incident effectively until you know what kind it is and how severe it is.
- B (Root cause analysis) occurs late in the lifecycle, typically after the incident is resolved; it has no bearing on immediate response efficiency.
- C (Lessons learned) is the final retrospective phase, performed well after the incident is closed.
Memory tip: Use the acronym D-C-C-E-R-L (Detect → Categorize → Contain → Eradicate → Recover → Lessons learned). Categorization sits at position 2 - it's the gateway action that unlocks every downstream step, making it the single biggest lever on immediate response efficiency.