Certified Information Security Manager (CISM) — Question 828
Which of the following should be done FIRST when developing an information security strategy?
Answer options
- A. Establish information security steering committee.
- B. Determine the desired state of information security.
- C. Develop security policies and standards.
- D. Identify owners of information assets.
Correct answer: B
Explanation
Determining the desired state of information security is crucial as it establishes the goals and objectives for the entire strategy, guiding subsequent actions. Without this clear vision, efforts such as forming committees or developing policies may lack direction. The other options, while important, should follow after defining the desired state.