Certified Information Security Manager (CISM) — Question 680

A multinational organization is introducing a security governance framework. The information security manager's concern is that regional security practices differ.
Which of the following should be evaluated FIRST?

Answer options

• A. Training requirements of the framework
• B. Global framework standards
• C. Cross-border data mobility
• D. Local regulatory requirements

Correct answer: D

Explanation

The first step should be to evaluate local regulatory requirements, as they directly impact how security practices must be implemented in each region. Understanding these regulations ensures compliance and forms a foundation for harmonizing security practices. The other options, while important, are secondary to the necessity of adhering to local laws.