Certified Information Security Manager (CISM) — Question 177
Which of the following is MOST helpful for determining which information security policies should be implemented by an organization?
Answer options
- A. Business impact analysis (BIA)
- B. Risk assessment
- C. Vulnerability assessment
- D. Industry best practices
Correct answer: B
Explanation
A risk assessment identifies the threats and vulnerabilities relevant to the organization, estimates their likelihood and impact, and yields a prioritized list of risks to be treated; information security policies are one of the primary controls used to treat those risks, so the risk assessment is the most direct input for deciding which policies are needed. A business impact analysis (BIA) establishes the criticality of business processes and their recovery priorities, which supports business continuity planning rather than policy selection. A vulnerability assessment identifies technical weaknesses but does not weigh them against threats or business impact. Industry best practices are useful as a reference for drafting policies, but they are generic and may not address the specific risks a particular organization faces.