Certified Information Security Manager (CISM) — Question 345
Which of the following is the FIRST step to establishing an effective information security program?
Answer options
- A. Assign accountability
- B. Perform a business impact analysis (BIA)
- C. Create a business case
- D. Conduct a compliance review
Correct answer: C
Explanation
The correct answer is C: creating a business case lays the foundation for the information security program by justifying the need for security measures and securing management support before anything else is built. Options A, B, and D are important steps that follow, but none of them provides the justification on which the program's establishment depends.