Which of the following analyses will BEST identify the external influences to an organization's information security?
Correct Answer: C
A threat analysis will best identify the external influences to an organization's information security because it involves identifying and evaluating the sources and likelihood of potential adverse events that could affect the organization's assets, operations, or reputation. External influences include factors such as emerging technologies, social media, business environment, risk tolerance, regulatory requirements, third-party considerations, and threat landscape1. A threat analysis can help the organization to align its information security strategy with its business objectives and risk appetite, and to prioritize and mitigate the most relevant and impactful threats. A business impact analysis (BIA) is a process of assessing the potential consequences of a disruption to the organization's critical business functions or processes. A BIA does not directly identify the external influences to the organization's information security, but rather the impact of those influences on the organization's continuity and recovery. A gap analysis is a process of comparing the current state of the organization's information security with a desired or expected state, based on best practices, standards, or frameworks. A gap analysis does not directly identify the external influences to the organization's information security, but rather the areas of improvement or compliance. A vulnerability analysis is a process of identifying and evaluating the weaknesses or flaws in the organization's information systems or processes that could be exploited by threats. A vulnerability analysis does not directly identify the external influences to the organization's information security, but rather the exposure or susceptibility of the organization to those influences. References = CISM Review Manual, 15th Edition, pages 22-232; CISM Exam Content Outline, Domain 1, Knowledge Statement 1.113 Threat analysis is a process that is used to identify and assess the external influences or threats that could potentially affect an organization's information security. It is used to identify potential risks and develop strategies to mitigate or reduce those risks. Threat analysis involves analyzing the environment, identifying potential threats and their potential impacts, and then evaluating the organization's current security measures and developing strategies to address any deficiencies.
Question 22
Which of the following is MOST appropriate to add to a dashboard for the purpose of illustrating an organization's risk level to senior management?
Correct Answer: C
Question 23
Which of the following is a key area of the ISO 27001 framework?
Correct Answer: D
Explanation/Reference: Explanation: Operational risk assessment, financial crime metrics and capacity management can complement the information security framework, but only business continuity management is a key component.
Question 24
Which of the following is the BEST way for an information security manager to promote the integration of information security considerations into key business processes?
Correct Answer: D
Question 25
An information security team is investigating an alleged breach of an organization's network. Which of the following would be the BEST single source of evidence to review?
