Certified Information Security Manager (CISM) — Question 256

An information security manager discovers that the organization's new information security policy is not being followed across all departments. Which of the following should be of GREATEST concern to the information security manager?

Answer options

• A. Business unit management has not emphasized the importance of the new policy.
• B. Different communication methods may be required for each business unit.
• C. The wording of the policy is not tailored to the audience.
• D. The corresponding controls are viewed as prohibitive to business operations.

Correct answer: D

Explanation

The correct answer is D because if the controls are perceived as hindering business operations, employees are less likely to comply with the policy. While options A, B, and C are important factors to consider, they do not have as immediate an impact on adherence as the perception of the controls themselves.