Certified Information Security Manager (CISM) — Question 291

Which of the following would provide the MOST useful information when prioritizing controls to be added to a system?

Answer options

• A. The risk register
• B. Balanced scorecard
• C. Compliance requirements
• D. Baseline to industry standards

Correct answer: A

Explanation

The risk register is crucial because it identifies, assesses, and prioritizes risks, allowing for informed decision-making on which controls to implement first. The other options, while useful, do not provide the same level of risk-focused insight necessary for prioritization.