Certified Information Security Manager (CISM) — Question 196

Security program development is PRIMARILY driven by which of the following?

Answer options

• A. Regulatory requirements
• B. Business strategy
• C. Risk appetite
• D. Available resources

Correct answer: B

Explanation

The correct answer is B, as the development of a security program should align closely with the overarching business strategy to ensure it supports organizational goals. While regulatory requirements, risk appetite, and available resources are important considerations, they are secondary to ensuring that the security program is integrated with the business's strategic objectives.