Certified Information Security Manager (CISM) — Question 1103
Which of the following is the PRIMARY reason for executive management to be involved in establishing an enterprise’s security management framework?
Answer options
- A. To determine the desired state of enterprise security
- B. To satisfy auditors’ recommendations for enterprise security
- C. To ensure industry best practices for enterprise security are followed
- D. To establish the minimum level of controls needed
Correct answer: A
Explanation
The correct answer is A because executive management is responsible for defining the overall goals and vision for security within the enterprise, that is, the desired state the framework must achieve. Option B focuses on compliance with auditors rather than strategic direction; option C concerns adherence to external standards rather than establishing the enterprise's own framework; and option D addresses minimum requirements, which follow from, rather than determine, the desired state.