Certified Information Security Manager (CISM) — Question 884

Who is accountable for approving an information security governance framework?

Answer options

Correct answer: A

Explanation

The board of directors is ultimately responsible for approving the information security governance framework because it oversees the organization's overall risk management and compliance strategies. While the CISO and CIO play critical roles in implementing security measures, they do not have the final authority to approve the framework. The enterprise risk committee may advise on risks, but it is not the approving body.