Certified Information Security Manager (CISM) — Question 908
Which of the following should be done FIRST to ensure information security is integrated in system development projects?
Answer options
- A. Assign resources based on the business impact.
- B. Define security requirements.
- C. Review the security policy.
- D. Embed a security representative in each project team.
Correct answer: B
Explanation
Defining security requirements is crucial because it sets the foundation for security measures throughout the development process. If security requirements are not established first, the other steps may not align with the necessary security protocols. The other options, while important, come after security requirements have been identified.