Certified Information Security Manager (CISM) — Question 589
Which of the following is the BEST justification for making a revision to a password policy?
Answer options
- A. A risk assessment
- B. Industry best practice
- C. Audit recommendation
- D. Vendor recommendation
Correct answer: A
Explanation
A risk assessment provides a thorough analysis of potential security threats and vulnerabilities, making it the strongest basis for revising a password policy. While industry best practice, audit recommendations, and vendor recommendations are important, they do not consider the specific risks faced by an organization, which makes them less compelling justifications.