Certified Information Security Manager (CISM) — Question 447

What should an information security manager do FIRST to establish a roadmap for security investments?

Answer options

• A. Perform cost-benefit analyses of the investments
• B. Gain a thorough understanding of the organization's operating processes
• C. Establish business cases for proposed security investments
• D. Ensure investments are strategically aligned with business objectives

Correct answer: B

Explanation

The correct answer is B because understanding the organization's operating processes is crucial for identifying the security needs that align with those processes. The other options, while important, should occur after gaining this foundational understanding to ensure that security investments are relevant and effective.