Certified Information Security Manager (CISM) — Question 612

Which of the following is an information security manager's BEST course of action to gain approval for investment in a technical control?

Answer options

• A. Calculate the exposure factor
• B. Perform a cost-benefit analysis
• C. Conduct a risk assessment
• D. Conduct a business impact analysis (BIA)

Correct answer: B

Explanation

Performing a cost-benefit analysis is the best approach because it directly quantifies the financial impacts versus the benefits of the investment, making it easier to justify the funding. While conducting a risk assessment, calculating exposure factors, and performing a business impact analysis provide valuable insights, they do not directly address the financial justification required for approval.