Certified Information Security Manager (CISM) — Question 850
Which of the following would BEST guide the development and maintenance of an information security program?
Answer options
- A. A business impact assessment
- B. The organization's risk appetite
- C. A comprehensive risk register
- D. An established risk assessment process
Correct answer: B
Explanation
The organization's risk appetite defines the level of risk the organization is willing to accept, and that boundary is what sets the security program's objectives and strategies. A business impact assessment, a risk register, and a risk assessment process are all important inputs to the program, but none of them directly expresses the organization's willingness to accept risk, which is the fundamental basis for developing and maintaining the program.