Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-1 and 27035-2, the incident management plan is activated upon the detection or reporting of a security event, particularly when a vulnerability, threat, or compromise has been identified. The plan ensures structured response and accountability from the very first signs of a potential incident.
Clause 6.4.2 in ISO/IEC 27035-2 explains that incident response activities—including logging, categorization, assessment, and escalation—should begin as soon as a security incident or vulnerability is reported. This proactive trigger allows early containment and mitigation.
Security audits and policy drafts (Options A and B) are part of preventive or governance mechanisms, not operational triggers for activating the plan.
Reference Extracts:
ISO/IEC 27035-2:2016, Clause 6.4.2: “The incident management plan should be activated once a security incident or significant vulnerability is identified and reported.”
Clause 5.1: “Detection and reporting are the initial steps in triggering the formal incident management lifecycle.”
Correct answer: C
