Certified Information Security Manager (CISM) — Question 237

Which of the following should be the PRIMARY basis for an information security strategy?

Answer options

• A. Audit and regulatory requirements
• B. Information security policies
• C. The organization's vision and mission
• D. Results of a comprehensive gap analysis

Correct answer: C

Explanation

The correct answer is C because an effective information security strategy should align with the organization's overall vision and mission to ensure support and relevance. Options A, B, and D are important but serve as supporting elements rather than the primary foundation of the strategy.