Certified Information Security Manager (CISM) — Question 469
What should be the information security manager’s FIRST step when updating an information security program?
Answer options
- A. Review costs and benchmark them against industry norms.
- B. Interview business unit managers and key stakeholders.
- C. Identify program components that do not align with business objectives.
- D. Re-evaluate the organization's business expectations and objectives.
Correct answer: D
Explanation
The first step in updating an information security program should be to re-evaluate the organization's business expectations and objectives, because this ensures that the security program aligns with the organization's overall strategic goals. The other options, while important, should follow only after the core business objectives are understood, so that the resulting security updates are relevant and effective.