Certified Information Security Manager (CISM) — Question 79

When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls?

Answer options

• A. Access control management
• B. Change management
• C. Configuration management
• D. Risk management

Correct answer: D

Explanation

The correct answer is D, Risk management, as it involves evaluating and addressing risks associated with information security controls when business strategies change. Options A, B, and C do not specifically focus on assessing and selecting security controls based on risk, making them less suitable in this context.