Certified Information Security Manager (CISM) — Question 157
A newly appointed information security manager has been asked to update all security-related policies and procedures that have been static for five years or more. What is the BEST next step?
Answer options
- A. To gain an understanding of the current business direction
- B. To update in accordance with the best business practices
- C. To perform a risk assessment of the current IT environment
- D. To assess corporate culture
Correct answer: A
Explanation
The correct answer is A because understanding the current business direction is crucial for ensuring that updated policies align with the organization's goals. Options B and C may be relevant steps, but they should come after the business context is understood. Option D, while important, does not directly inform the immediate policy update process.