CISM Question #937: Real Exam Question with Answer & Explanation

Submitted by asante_acc · Apr 18, 2026 · Information Security Risk Management

Question

Which of the following is an information security manager's BEST course of action when monitoring emerging privacy laws for a global organization?

Options

  • A. Determine potential financial impacts and request additional budget.
  • B. Conduct an internal audit and identify possible countermeasures.
  • C. Develop and implement a process to adhere to privacy laws.
  • D. Develop a risk profile and report significant changes in risk.

Explanation

Option D is correct because monitoring emerging privacy laws is fundamentally a risk management activity - the security manager's primary responsibility at this stage is to assess how new laws change the organization's risk exposure and communicate those changes to leadership so informed decisions can be made.

Why the distractors are wrong:

  • A jumps ahead to budgeting before a risk assessment has been completed; you can't justify financial requests without first establishing the risk profile.
  • B confuses monitoring with auditing - internal audits are triggered after risks are identified and decisions are made, not as a first response to legal monitoring.
  • C is premature; implementing compliance processes assumes leadership has already decided to act on the risk. The manager must first surface the risk before the organization can respond to it.

Memory tip: Use the sequence Monitor → Profile → Report → Act. When the question says "monitoring," you're still in the early stages - your job is to inform (risk profile + report), not to act (audit, implement, or budget). Only D stays in the "inform" lane.

Topics

#Risk Management · #Regulatory Compliance · #Privacy Laws · #Risk Assessment
