Certified Information Security Manager (CISM) — Question 459
An information security manager has identified that the organization is not in compliance with new legislation that will soon be in effect. Which of the following is MOST important to consider when determining additional controls to be implemented?
Answer options
- A. The information security strategy
- B. The organization's risk appetite
- C. The cost of noncompliance
- D. The information security policy
Correct answer: B
Explanation
The organization's risk appetite is crucial because it defines the level of risk the organization is willing to accept, which directly influences the selection of controls. While the information security strategy, the cost of noncompliance, and the information security policy are all important inputs, none of them provides the foundational understanding of how much risk the organization can tolerate, making option B the most relevant factor in this scenario.