Certified Information Security Manager (CISM) — Question 34

Which of the following is MOST likely to trigger an update and revision of information security policies?

Answer options

• A. Engagement with a new service provider
• B. Replacement of the information security manager
• C. Attainment of business process maturity
• D. Changes in the organization's risk appetite

Correct answer: D

Explanation

The correct answer is D, as changes in the organization's risk appetite directly affect how policies are formulated to address new risks or adjust to different levels of acceptable risk. Options A, B, and C, while they could influence security policies, are less likely to necessitate a comprehensive update compared to shifts in risk appetite.