Certified Information Security Manager (CISM) — Question 862

Which of the following should be an information security manager's MOST important consideration when determining the priority for implementing security controls?

Answer options

• A. Availability of security budget
• B. Alignment with industry benchmarks
• C. Results of business impact analyses (BIAs)
• D. Possibility of reputational loss due to incidents

Correct answer: C

Explanation

The correct answer is C, as results from business impact analyses (BIAs) provide critical insights into which assets are most vital to the organization, guiding the prioritization of security controls. Options A and B are important but do not address the immediate impact of security failures on business operations. Option D is also significant but is secondary to understanding the business impact itself.