Certified Information Security Manager (CISM) — Question 103
Which of the following is an information security manager's BEST approach when selecting cost-effective controls needed to meet business objectives?
Answer options
- A. Conduct a gap analysis.
- B. Focus on preventive controls.
- C. Align with industry best practice.
- D. Align with the risk appetite.
Correct answer: D
Explanation
The correct answer, D, is appropriate because aligning controls with the organization's risk appetite ensures that security measures are tailored to the level of risk the business is willing to accept, so control spending is directed at risks that exceed that threshold rather than at blanket coverage. Options A, B, and C, while important, do not directly address the need to align security efforts with the organization's overall risk threshold, which is crucial for effective cost management: a gap analysis identifies shortfalls but not which gaps are worth closing, favouring preventive controls ignores cases where detective or corrective controls are cheaper and adequate, and industry best practice reflects a generic risk posture rather than this organization's.