Certified Information Security Manager (CISM) — Question 530
The PRIMARY purpose of establishing an information security governance framework should be to:
Answer options
- A. establish the business case for strategic integration of information security in organizational efforts.
- B. document and communicate how the information security program functions within the organization.
- C. align information security strategy and investments to support organizational activities.
- D. align corporate governance, activities, and investments to information security goals.
Correct answer: C
Explanation
The correct answer, C, emphasizes the necessity of aligning information security strategy and investments with the organization's goals, ensuring that security initiatives support overall activities. Options A and B deal with business justification and documentation, respectively, rather than alignment. Option D, while addressing alignment, focuses on corporate governance rather than the specific role of information security strategy.