Certified Information Security Manager (CISM) — Question 1094

Which of the following should an information security manager do FIRST when developing a security framework?

Answer options

• A. Document security procedures
• B. Conduct an asset inventory
• C. Update the security policy
• D. Perform a gap analysis

Correct answer: B

Explanation

The first step in developing a security framework is to conduct an asset inventory, as it helps identify what needs protection. Documenting procedures, updating policies, and performing gap analyses are important but should follow the inventory to ensure the framework is tailored to the organization's specific assets.