Isaca CISM Exam - Topic 2 Question 107 Discussion

Actual exam question for Isaca's CISM exam

Question #: 107
Topic #: 2

[All CISM Questions]

An organization is planning to open a new office in another country. Sensitive data will be routinely sent between the two offices. What should be the information security manager's FIRST course of action?

CUpdate privacy policies to include the other country's laws and regulations

ADevelop customized security training for employees at the new office

DIdentify applicable regulatory requirements to establish security policies

BEncrypt the data for transfer to the head office based on security manager approval

Show Suggested Answer

Suggested Answer: D

The first course of action is to identify applicable regulatory requirements (D). CISM governance requires understanding legal and regulatory obligations before defining policies, controls, or technical measures. Encryption (B), training (A), and policy updates (C) must be based on regulatory requirements to ensure compliance and avoid legal exposure. Jurisdictional risk assessment is foundational when operating across borders.

by Teresita at Jan 23, 2026, 07:06 AM

Limited Time Offer

25%

Off

Get Premium CISM Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

France

5 days ago

I'm not entirely sure, but I remember something about conducting a risk assessment before implementing any data transfer protocols.

upvoted 0 times

...

Toi

10 days ago

I think the first step should be to assess the legal and regulatory requirements for data transfer between countries. That seems crucial.

upvoted 0 times

...

In

15 days ago

This is a tricky one. I'd need to consult with the legal and IT teams to make sure we cover all the compliance and technical bases.

upvoted 0 times

...

Sharika

20 days ago

I'd recommend looking into VPNs, secure file transfer protocols, and other technical solutions to protect the sensitive data in transit.

upvoted 0 times

...

Wynell

25 days ago

Establishing secure communication channels would be my top priority. Encryption, access controls, and monitoring should all be considered.

upvoted 0 times

...

Earleen

1 month ago

Hmm, this seems like it requires a comprehensive security plan. I'd want to evaluate the risks and vulnerabilities first before deciding on the best approach.

upvoted 0 times

...

Meghann

1 month ago

I'd start by assessing the data sensitivity and any regulatory requirements for secure data transfer. That should guide the initial security measures.

upvoted 0 times

...