Certified Information Security Manager (CISM) — Question 665

When choosing the best controls to mitigate risk to acceptable levels, the information security manager s decision should be MAINLY driven by:

Answer options

• A. regulatory requirements.
• B. control framework.
• C. best practices.
• D. cost-benefit analysis.

Correct answer: D

Explanation

The correct answer is D, as a cost-benefit analysis allows the information security manager to weigh the effectiveness of controls against their costs, ensuring resources are allocated efficiently. While regulatory requirements, control frameworks, and best practices are important, they should not overshadow the pragmatic evaluation of risks versus costs.