Certified Information Security Manager (CISM) — Question 1176

Which of the following is the MOST useful input for an information security manager when updating the organization’s security policy?

Answer options

• A. Security team capabilities
• B. Risk appetite
• C. Vulnerability scan
• D. Industry best practices

Correct answer: B

Explanation

The risk appetite defines the level of risk the organization is willing to accept, which is crucial for shaping the security policy. While security team capabilities, vulnerability scans, and industry best practices are important, they do not directly inform the level of risk the organization is prepared to take, making them less critical in this context.