Certified Information Security Manager (CISM) — Question 638

Which of the following is the MOST important constraint to be considered when developing an information security strategy?

Answer options

• A. Established security policies and standards
• B. Information security architecture
• C. Compliance with an international security standard
• D. Legal and regulatory requirements

Correct answer: D

Explanation

Legal and regulatory requirements are critical because they impose mandatory obligations that organizations must fulfill to avoid penalties. While established security policies, architecture, and international standards are important, they often serve to support compliance rather than replace the necessity of adhering to legal frameworks.