
Module 31: Incident Investigation and Evaluation

CISM Domain 4 — Incident Management, Section B

What the Exam Is Really Testing

The questions in this area test judgment, not recall:

Investigation must determine scope, impact, root cause, and regulatory exposure in a structured, defensible manner.

Investigation must answer:

  • What happened?
  • When did it begin?
  • What systems were affected?
  • What data was exposed?
  • What is the business impact?
  • Is regulatory reporting required?
  • What controls failed?

Investigation informs escalation and remediation.


The Executive Mindset Shift

Firefighter mode:

Fix the issue quickly.

Commander mode:

Understand the full scope before concluding containment or recovery.

Security leaders must ensure:

  • Evidence is preserved
  • Scope is defined accurately
  • Impact is evaluated against the business impact analysis (BIA)
  • Legal counsel is involved when required
  • Documentation supports defensibility

Premature closure creates future risk.


Core Investigation Principles

1. Scope Determination

Identify:

  • Affected systems
  • Impacted business processes
  • Data involved
  • Third-party exposure
  • Duration of compromise

Incomplete scoping leads to incomplete containment.


2. Evidence Preservation

Maintain:

  • Chain of custody
  • Forensic images
  • Log retention
  • Secure documentation

Improper handling may compromise legal defensibility.
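Chain of custody and forensic images both rest on being able to prove that an artifact has not changed since it was acquired. The following is an added example, not code from this module, of a minimal custody ledger in Python: it streams a SHA-256 over an evidence file (so large images need not fit in memory), records each handoff with the hash and a UTC timestamp, and re-verifies the artifact against the hash taken at acquisition. The case id, custodian names, the evidence file and its contents are constructed placeholders.

```python
"""Evidence preservation: hash a forensic artifact and keep a chain-of-custody ledger.

Added example (not part of the CISM module). The evidence file, case id and
custodians are constructed; the ledger layout is an illustration, not a standard.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream-hash a file so a multi-GB forensic image never has to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_sample(data):
    """Hash an in-memory byte string through sha256_file (handy for checking the hasher)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        return sha256_file(path)
    finally:
        os.remove(path)


class CustodyLedger:
    """Append-only record of who handled an evidence item, when, and why.

    Every entry carries the artifact hash at the moment of handling, so a later
    verification shows whether the item changed while it was in someone's custody.
    """

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def record(self, evidence_path, custodian, action, note=""):
        entry = {
            "case_id": self.case_id,
            "evidence": os.path.basename(evidence_path),
            "sha256": sha256_file(evidence_path),
            "custodian": custodian,
            "action": action,
            "note": note,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        }
        self.entries.append(entry)
        return entry

    def verify(self, evidence_path):
        """Compare the file's current hash with the hash recorded at acquisition.

        Returns (intact, expected_hash, current_hash).
        """
        if not self.entries:
            raise ValueError("no custody entries recorded for this case")
        expected = self.entries[0]["sha256"]
        current = sha256_file(evidence_path)
        return current == expected, expected, current

    def to_json(self):
        """Serialised ledger suitable for attaching to the evidence log."""
        return json.dumps(self.entries, indent=2)


def demo():
    """Acquire a constructed evidence file, hand it off, then detect a later modification."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "webserver-disk.img")  # constructed sample, not a real image
    with open(evidence, "wb") as f:
        f.write(b"constructed disk image contents\n" * 1000)

    ledger = CustodyLedger(case_id="IR-EXAMPLE-001")  # placeholder case id
    ledger.record(evidence, "analyst-a", "acquired", "imaged from host behind a write-blocker")
    ledger.record(evidence, "analyst-b", "received", "transferred for malware analysis")
    intact_before, _, _ = ledger.verify(evidence)

    # Simulate an improper change during "cleanup": the hash no longer matches acquisition.
    with open(evidence, "ab") as f:
        f.write(b"unauthorized change\n")
    intact_after, expected, current = ledger.verify(evidence)
    return intact_before, intact_after, expected != current, len(ledger.entries)


if __name__ == "__main__":
    print(demo())
```

In practice the ledger would be written to storage the analysts cannot silently edit (append-only or signed), and each handoff would also be confirmed by the receiving custodian; the example only shows the hashing and verification logic that makes a later "the image was altered" dispute decidable.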


3. Root Cause Analysis

Determine:

  • Control failure
  • Process breakdown
  • Human error
  • Configuration weakness
  • Vendor involvement

Root cause drives program improvement.


4. Impact Assessment

Evaluate:

  • Financial loss
  • Regulatory exposure
  • Operational disruption
  • Reputational damage
  • Contractual obligations

Severity classification may change after evaluation.


5. Documentation

Investigation should produce:

  • Incident timeline
  • Findings summary
  • Evidence log
  • Impact analysis
  • Recommendations

Documentation supports governance reporting.


Governance Integration

Investigation results should:

  • Update risk register
  • Trigger control improvements
  • Inform awareness updates
  • Drive vendor review if necessary
  • Support executive reporting

Investigation is a governance input — not just a technical task.


Pattern Recognition

When investigation appears in a scenario, ask:

  1. Has full scope been determined?
  2. Is evidence preserved?
  3. Is impact assessed against business objectives?
  4. Has root cause been analyzed?
  5. Is documentation complete?

Correct answers often involve:

  • Expanding scope before closure
  • Involving legal when appropriate
  • Conducting root cause analysis
  • Updating controls post-incident
  • Maintaining chain of custody

Not:

  • Closing incident after immediate containment
  • Destroying logs during cleanup
  • Ignoring third-party involvement
  • Skipping documentation

Trap Pattern

Common wrong instincts:

  • “Contain and move on.”
  • “We don’t need documentation if resolved.”
  • “Legal can review later.”
  • “Investigation ends when systems are restored.”

CISM emphasizes structured evaluation and defensibility.


Scenario Practice

Question 1

An organization restores affected systems before determining how the breach occurred.

What is the PRIMARY risk?

  A. Incomplete root cause identification leading to recurrence
  B. Encryption weakness
  C. Vendor inefficiency
  D. Reduced automation

Answer & Explanation

Correct Answer: A
Without root cause analysis, vulnerabilities may remain.

Question 2

During investigation, logs are deleted to free storage space.

What is the MOST significant governance issue?

  A. Reduced automation
  B. Vendor inefficiency
  C. Compromised evidentiary integrity
  D. Monitoring delay

Answer & Explanation

Correct Answer: C
Evidence must be preserved for defensibility.

Question 3

An incident appears minor, so leadership is not informed. Later, scope expands significantly.

What was the PRIMARY failure?

  A. Encryption gap
  B. Monitoring delay
  C. Vendor inefficiency
  D. Premature evaluation without full scope determination

Answer & Explanation

Correct Answer: D
Scope must be fully assessed before the classification is finalized.

Question 4

Investigation reveals vendor misconfiguration caused exposure.

What should occur NEXT?

  A. Ignore vendor responsibility
  B. Update third-party risk governance and contractual oversight
  C. Increase firewall rules
  D. Close incident immediately

Answer & Explanation

Correct Answer: B
Investigation findings must inform governance improvements.

Question 5

A security team documents technical findings but does not assess business impact.

What is the PRIMARY gap?

  A. Failure to align investigation with enterprise risk evaluation
  B. Encryption deficiency
  C. Vendor oversight
  D. Monitoring delay

Answer & Explanation

Correct Answer: A
Impact must be assessed beyond technical symptoms.

Key Takeaway

In CISM:

Containment stops damage. Investigation determines truth. Evaluation informs governance.

Effective incident investigation:

  • Determines full scope.
  • Preserves evidence.
  • Identifies root cause.
  • Assesses business impact.
  • Documents findings.
  • Drives control improvement.

That is the separation between a technician and a leader.
