Certified Information Security Manager (CISM) — Question 523
Which of the following is MOST important to have in place as a basis for developing an effective information security program that supports the organization's business goals?
Answer options
- A. An information security strategy
- B. A defined security organizational structure
- C. Information security policies
- D. Metrics to drive the information security program
Correct answer: A
Explanation
An information security strategy is essential because it sets the direction and priorities for security efforts in alignment with business goals. Without this strategic framework, the other elements, such as organizational structure, policies, and metrics, may not effectively support the overall objectives. Each of the other options, while important, relies on a well-defined strategy to guide its implementation.