Certified Information Security Manager (CISM) — Question 1050

Which of the following should be the PRIMARY objective when establishing a new information security program?

Answer options

• A. Facilitating operational security
• B. Optimizing resources
• C. Minimizing organizational risk
• D. Executing the security strategy

Correct answer: C

Explanation

The primary objective of an information security program is to minimize organizational risk, as this is crucial for protecting assets and ensuring business continuity. Facilitating operational security, optimizing resources, and executing the security strategy are important but secondary to the overarching goal of risk reduction.