Certified Information Security Manager (CISM) — Question 782
A PRIMARY purpose of creating security policies is to:
Answer options
- A. implement management's security governance strategy.
- B. establish the way security tasks should be executed.
- C. communicate management's security expectations.
- D. define allowable security boundaries.
Correct answer: C
Explanation
The correct answer is C because security policies are primarily designed to communicate management's expectations regarding security. Options A, B, and D, while important aspects of security management, do not capture this primary purpose.