Certified Information Security Manager (CISM) — Question 710
Which of the following should be done FIRST when establishing an information security governance framework?
Answer options
- A. Gain an understanding of the business and cultural attributes.
- B. Contract a third party to conduct an independent review of the program.
- C. Conduct a cost-benefit analysis of the framework.
- D. Evaluate information security tools and skills relevant for the environment.
Correct answer: A
Explanation
The correct answer, A, emphasizes understanding the organization's unique business and cultural context, which is crucial before implementing any security framework. The other options, while important, should come only after this foundational understanding of the organization's environment is established.