Isaca Certified Information Security Manager CISM Question # 79 Topic 8 Discussion

CISM Exam Topic 8 Question 79 Discussion:

Question #: 79

Topic #: 8

Which of the following is the sole responsibility of the client organization when adopting a Software as a Service (SaaS) model?

Host patching

Penetration testing

Infrastructure hardening

Data classification

Get Premium CISM Questions

Explanation

Data classification is the sole responsibility of the client organization when adopting a Software as a Service (SaaS) model. Data classification is the process of categorizing data based on its sensitivity, value and criticality to the organization. Data classification helps to determine the appropriate level of protection, access control and retention for different types of data. Data classification is an essential part of data governance and risk management, as it enables the organization to comply with legal and regulatory requirements, protect its intellectual property and reputation, and optimize its data storage and usage costs.

In a SaaS model, the client organization has the least control and responsibility over the cloud infrastructure, platform and application, as these are fully managed by the cloud service provider (CSP). The client organization only has control and responsibility over its own data and users. Therefore, the client organization is responsible for defining and implementing data classification policies and procedures, and ensuring that its data is properly labeled and handled according to its classification level. The client organization is also responsible for educating its users about the importance of data classification and the best practices for data security and privacy.

The other options are not the sole responsibility of the client organization in a SaaS model, as they are either shared with or delegated to the CSP. Host patching, penetration testing and infrastructure hardening are all related to the security and maintenance of the cloud infrastructure and platform, which are the responsibility of the CSP in a SaaS model. The CSP is expected to provide regular updates, patches and fixes to the host operating system, network and application components, and to conduct periodic security assessments and audits to identify and remediate any vulnerabilities or weaknesses in the cloud environment. The client organization may have some responsibility to monitor and verify the CSP’s performance and compliance with the service level agreement (SLA) and the cloud security standards and regulations, but it does not have direct control or access to the cloud infrastructure and platform. References =

Understanding the Shared Responsibilities Model in Cloud Services - ISACA, Figure 1

CISM Review Manual, Chapter 3, page 121

Actual exam question for Isaca CISM exam by Kai8113 at Jan 19, 2026, 12:18:43 PM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Pre-Winter Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

Isaca Certified Information Security Manager CISM Question # 79 Topic 8 Discussion

Isaca Certified Information Security Manager CISM Question # 79 Topic 8 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Pre-Winter Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

Isaca Certified Information Security Manager CISM Question # 79 Topic 8 Discussion

Isaca Certified Information Security Manager CISM Question # 79 Topic 8 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval