Certified Information Security Manager (CISM) — Question 1182

Which of the following should be established FIRST when implementing an Information security governance framework?

Answer options

• A. Security incident management learn
• B. Security policies
• C. Security architecture
• D. Security awareness training program

Correct answer: B

Explanation

Establishing security policies is crucial as it lays the foundational guidelines for the entire security framework. The other options, while important, are secondary steps that should follow the creation of the policies to ensure all security efforts are aligned and effective.