Certified Information Security Manager (CISM) — Question 1107

When considering a new security initiative, which of the following should be done prior to the development of a business case?

Answer options

• A. Conduct a risk assessment
• B. Conduct a benchmarking exercise
• C. Perform a cost-benefit analysis
• D. Identify resource requirements

Correct answer: A

Explanation

Conducting a risk assessment is essential before developing a business case as it helps identify potential threats and vulnerabilities that the security initiative aims to address. The other options, while important in the overall planning process, should follow the risk assessment to ensure that the business case accurately reflects the security needs based on identified risks.