Certified Chief Information Security Officer (CCISO) — Question 161
Scenario: An organization has made a decision to address Information Security formally and consistently by adopting established best practices and industry standards. The organization is a small retail merchant, but it is expected to grow to a global customer base of many millions of customers in just a few years.
Which of the following would be the FIRST step when addressing Information Security formally and consistently in this organization?
Answer options
- A. Define formal roles and responsibilities for Information Security
- B. Define formal roles and responsibilities for Internal audit functions
- C. Create an executive security steering committee
- D. Contract a third party to perform a security risk assessment
Correct answer: A
Explanation
The correct answer is A: defining formal roles and responsibilities for Information Security establishes the foundational framework for security governance. Without clearly assigned roles, the other initiatives (forming a steering committee, defining audit functions, or contracting a third party for a risk assessment) have no owner to direct them or be held accountable for their results, which leads to ineffective security measures.