EXIN Information Security Management Professional — Question 1
When should information security controls be considered?
Answer options
- A. After the risk assessment
- B. As part of the scoping meeting
- C. At the kick-off meeting
- D. During the risk assessment work
Correct answer: D
Explanation
The correct answer is D because information security controls should be integrated into the risk assessment work, so that all potential risks are identified and mitigated from the outset. Options A, B, and C place the consideration of security controls after or outside the risk assessment, which may lead to vulnerabilities being overlooked.