CISM Question #968: Real Exam Question with Answer & Explanation
The correct answer is A: Review the acquired company's security strategy.
Question
Which of the following should be an information security manager's FIRST step when assessing the security posture of a newly acquired company?
Options
- A. Review the acquired company's security strategy.
- B. Perform a compliance review of the acquired company's security policy.
- C. Implement current security policies.
- D. Review past security incidents of the acquired company.
Explanation
Reviewing the acquired company's security strategy (A) must come first because it provides the foundational context - understanding their goals, risk appetite, and direction - before any meaningful assessment can begin. Without this strategic view, any compliance review (B) or incident analysis (D) lacks the framework needed to interpret findings accurately, and implementing current policies (C) before understanding the existing environment is premature and could introduce gaps or conflicts. A compliance review (B) is a tactical activity that belongs after you understand the strategy, while reviewing past incidents (D) is a useful detail-level step that also comes later in the assessment process. Implementing policies (C) is an action step, not an assessment step, making it the most clearly out-of-place option.
Memory tip: Think "top-down" - Strategy → Policy → Incidents → Implementation. On exam questions about first steps, always favor the option that builds the broadest picture before narrowing into specifics.