
Isaca CISM Exam - Topic 2 Question 107 Discussion

Actual exam question for Isaca's CISM exam
Question #: 107
Topic #: 2

An organization is planning to open a new office in another country. Sensitive data will be routinely sent between the two offices. What should be the information security manager's FIRST course of action?

Suggested Answer: D

The first course of action is to identify applicable regulatory requirements (D). CISM governance requires understanding legal and regulatory obligations before defining policies, controls, or technical measures. Encryption (B), training (A), and policy updates (C) must be based on regulatory requirements to ensure compliance and avoid legal exposure. Jurisdictional risk assessment is foundational when operating across borders.


Christene
1 day ago
Hire a team of hackers to test the security of the new office's network.
upvoted 0 times
...
Dalene
6 days ago
Encrypt all data before transmission to ensure confidentiality.
upvoted 0 times
...
Casey
11 days ago
Conduct a risk assessment to identify potential threats and vulnerabilities.
upvoted 0 times
...
Cecily
17 days ago
Implement a secure VPN connection between the offices to protect the sensitive data.
upvoted 0 times
...
Sharika
22 days ago
I vaguely recall a practice question where we had to prioritize data encryption. Could that be the first action here too?
upvoted 0 times
...
Bo
27 days ago
Maybe the manager should focus on establishing a secure communication channel first? I feel like that’s a common practice in similar scenarios.
upvoted 0 times
...
France
2 months ago
I'm not entirely sure, but I remember something about conducting a risk assessment before implementing any data transfer protocols.
upvoted 0 times
...
Toi
2 months ago
I think the first step should be to assess the legal and regulatory requirements for data transfer between countries. That seems crucial.
upvoted 0 times
...
In
2 months ago
This is a tricky one. I'd need to consult with the legal and IT teams to make sure we cover all the compliance and technical bases.
upvoted 0 times
...
Sharika
2 months ago
I'd recommend looking into VPNs, secure file transfer protocols, and other technical solutions to protect the sensitive data in transit.
upvoted 0 times
...
Wynell
2 months ago
Establishing secure communication channels would be my top priority. Encryption, access controls, and monitoring should all be considered.
upvoted 0 times
...
Earleen
3 months ago
Hmm, this seems like it requires a comprehensive security plan. I'd want to evaluate the risks and vulnerabilities first before deciding on the best approach.
upvoted 0 times
...
Meghann
3 months ago
I'd start by assessing the data sensitivity and any regulatory requirements for secure data transfer. That should guide the initial security measures.
upvoted 0 times
...
