Certified Information Security Manager (CISM) — Question 1039
When developing a business case for a new security initiative, an information security manager should FIRST:
Answer options
- A. conduct a feasibility study.
- B. calculate the total cost of ownership (TCO).
- C. perform a cost-benefit analysis.
- D. define the issues to be addressed.
Correct answer: D
Explanation
The first step in developing a business case is to clearly define the issues that need to be resolved, as this sets the foundation for the entire project. Without understanding the problems, conducting feasibility studies, calculating TCO, or performing cost-benefit analyses would not be effective or relevant. Defining the issues helps ensure that all subsequent steps are aligned with addressing the actual security needs.