Certified Information Security Manager (CISM) — Question 840
Which of the following BEST determines the data retention strategy and subsequent policy for an organization?
Answer options
- A. Business impact analysis (BIA)
- B. Risk appetite
- C. Business requirements
- D. Supplier requirements
Correct answer: C
Explanation
The correct answer is C, as business requirements directly inform how long data needs to be retained based on operational needs. While A, B, and D are important considerations, they are secondary to the specific needs outlined by the business requirements.