Certified Information Security Manager (CISM) — Question 435
Which of the following is the MOST important consideration when establishing an organization's information security governance committee?
Answer options
- A. Members represent functions across the organization
- B. Members have knowledge of information security controls
- C. Members are rotated periodically
- D. Members are business risk owners
Correct answer: A
Explanation
The most important consideration when establishing an information security governance committee is that its members represent the various functions across the organization (A). Security governance is an enterprise-wide activity: a committee whose membership spans business units and support functions (for example finance, HR, legal, operations and IT) can set priorities, resolve conflicts and hold each area accountable for its part of the security program. Knowledge of information security controls (B) is useful but can be supplied by the security function and invited specialists; it is not the basis on which a governance body is formed. Rotating members periodically (C) is an operating practice, not a founding consideration, and can cost the committee continuity. Business risk owners (D) are valuable members, but limiting membership to them would leave out functions that influence security decisions without owning risk, so D is narrower than A and does not address the essential need for broad functional representation.