Certified Information Security Manager (CISM) — Question 1249

Which of the following is the MOST important reason to consider organizational culture when developing an information security program?

Answer options

• A. It helps expedite approval for the information security budget.
• B. It helps the organization meet compliance requirements.
• C. Everyone in the organization is responsible for information security.
• D. Security incidents have an adverse impact on the entire organization.

Correct answer: C

Explanation

The correct answer, C, emphasizes the collective responsibility of all employees in maintaining information security, which is crucial for fostering a security-focused culture. Options A and B, while relevant, focus on administrative aspects rather than the cultural implications. Option D highlights the consequences of security incidents but does not address the importance of shared responsibility among employees.