The explanation given is: "A BIA is a process that identifies and evaluates the potential effects of natural and man-made events on business operations. It helps to understand how critical systems are interrelated and what their dependencies are. A BIA also helps to determine the RTOs for each system. The other options are not directly related to understanding the relationships between critical systems."

User access log files contain records of user activities and actions on the system, which can be used for auditing, monitoring, and investigating purposes. System administrators should not be able to modify or delete these files to ensure their integrity and availability. References = CISM Review Manual, 16th Edition, Chapter 3, Section 3.3.2.11

Senior leadership needs to understand how Zero Trust supports risk reduction and business needs.
Communicating the impact on risk reduction and user experience aligns security initiatives with business goals.
"Communicating how security initiatives support business objectives and risk reduction is critical for gaining senior management support."
- CISM Review Manual 15th Edition, Chapter 1: Information Security Governance, Section: Business Alignment*

= A new regulatory requirement affecting an organization's information security program is released. The information security manager's first course of action should be to notify the legal department, as they are responsible for ensuring compliance with the relevant laws and regulations. The legal department can advise the information security manager on how to interpret and implement the new requirement, as well as what are the potential implications and risks for the organization12.
References = 1: CISM Review Manual (Digital Version), page 271 2: CISM Review Manual (Print Version), page 271 Learn more:
1. isaca.org2. csoonline.com