Certified Information Security Manager (CISM) — Question 823

Which of the following is the MOST important consideration when defining an information security framework?

Answer options

• A. Information security budget
• B. Industry standards
• C. Business strategy
• D. Organizational culture

Correct answer: C

Explanation

The correct answer is C, Business strategy, because aligning the information security framework with the business strategy ensures that security measures support the organization's goals and objectives. While budget, industry standards, and organizational culture are important, they should all serve to reinforce the overarching business strategy.