Certified Information Security Manager (CISM) — Question 197

Which of the following BEST enables an organization to appropriately prioritize information security-focused projects?

Answer options

• A. Return on investment (ROI)
• B. Privacy compliance requirements
• C. Organizational risk appetite
• D. Historical security incidents

Correct answer: C

Explanation

The correct answer is C, as understanding the organizational risk appetite allows a company to align its security initiatives with its overall risk management strategy. While ROI, privacy compliance, and historical incidents are important, they do not provide a comprehensive framework for prioritizing projects based on the organization's specific risk tolerance and goals.