Exam CISM topic 1 question 482 discussion

Stakeholders should be informed and RFC "prior" to any changes of the information security strategy changes. Policies and standards are under security strategy. See Questions 470. Stakeholder requirements. Not after the changes. My thought is that once the updated policies or standards are rolled out, start the assessment then. (in fact, GAP analysis to check the differences of current and new---> what to be done to meet the updated policies or standards)

"Stakeholders" is a broad term and it may also encompass people not involved in the policy design and update, but are rather on the "receiving end". Meaning that changes in policies have to be made known to everybody that are affected by them. For example, I know that our CISO sends emails to entire company when policy changes that can affect employees on all levels of the company occur.

Simply publishing updates may not ensure that all stakeholders fully understand the changes or their implications.

Communicating to the stakeholders already happened, that was one of the steps to getting it approved, next you need to update the risk register.

C. Communicate the changes to stakeholders. After updating and publishing the information security policy and standards, the next immediate step should be to communicate these changes to the relevant stakeholders within the organization. Effective communication is critical to ensure that everyone is aware of the new policies and standards and understands their roles and responsibilities in adhering to them. This step helps in creating awareness and promoting compliance.

The organization has already been through the process of evaluating the changes and approved them. Only valid option is to dicument the changes in the risk register

D. Conduct a risk assessment makes more sense

If the policy is already published, why do you need to communicate?

C. Communicate the changes to stakeholders.