Certified Information Security Manager (CISM) — Question 429

Which of the following is MOST important for building a robust information security culture within an organization?

Answer options

• A. Mature information security awareness training across the organization
• B. Security controls embedded within the development and operation of the IT environment
• C. Senior management approval of information security policies
• D. Strict enforcement of employee compliance with organizational security policies

Correct answer: A

Explanation

The correct answer is A because comprehensive information security awareness training is essential for ensuring that all employees understand the importance of security and their role in maintaining it. While options B, C, and D are important, they do not foster an informed culture as effectively as widespread training does.