Certified Information Security Manager (CISM) — Question 820
Which of the following should be done FIRST when implementing a security program?
Answer options
- A. Implement data encryption.
- B. Perform a risk analysis.
- C. Create an information asset inventory.
- D. Determine the value of information assets.
Correct answer: C
Explanation
Creating an information asset inventory comes first because it lays the groundwork for all subsequent security measures. Without knowing what assets you have, you cannot effectively perform a risk analysis, determine the value of those assets, or implement data encryption. The other options are important, but each should follow the establishment of an inventory.