Certified Information Security Manager (CISM) — Question 1014

What should be the PRIMARY objective of an information classification scheme?

Answer options

• A. To define data retention requirements
• B. To develop an asset inventory
• C. To meet legislative and regulatory requirements
• D. To implement controls proportionate to risk

Correct answer: D

Explanation

The primary goal of an information classification scheme is to implement controls that are proportionate to the identified risks, ensuring that sensitive information is protected adequately. While defining retention requirements, developing an asset inventory, and meeting legal obligations are important, they are secondary to the need to manage risk effectively.