Certified Information Security Manager (CISM) — Question 176

Information security controls should be designed PRIMARILY based on:

Answer options

• A. regulatory requirements.
• B. a vulnerability assessment.
• C. business risk scenarios.
• D. a business impact analysis (BIA).

Correct answer: D

Explanation

The correct choice, D, highlights that a business impact analysis (BIA) provides a thorough understanding of how disruptions affect business operations, making it essential for designing effective security controls. While regulatory requirements, vulnerability assessments, and business risk scenarios are important, they do not offer the same level of insight into the potential impacts of security incidents on the organization.