The correct answer is B because a documented incident response plan provides the structured guidance needed for effective and timely response. The plan defines roles, responsibilities, escalation paths, communication procedures, severity classifications, containment strategies, evidence handling, notification requirements, and recovery coordination. Without a documented plan, response activities may be delayed, inconsistent, duplicated, or incomplete. Involving internal and external stakeholders is important, but stakeholder involvement must be organized through the incident response plan. Appointing a forensic specialist may be necessary for certain investigations, but not every incident requires forensic expertise. A SIEM solution is useful for monitoring and detection, but technology alone does not ensure that people know how to respond. CISM incident management principles emphasize preparation, documented procedures, communication, role clarity, and repeatable response processes. A documented plan enables responders to act quickly and consistently under pressure. Therefore, having a documented incident response plan in place best supports effective and timely incident response.
[Reference: CISM Information Security Incident Management; incident response planning, documentation, escalation, communication, and response readiness principles., , ]
Submit