Certified Information Security Manager (CISM) — Question 940

An organization's information security strategy should be the PRIMARY input to which of the following?

Answer options

• A. Security governance framework design
• B. Enterprise risk scenario development
• C. Security program metrics
• D. Organizational risk appetite

Correct answer: A

Explanation

The organization's information security strategy serves as the foundational element for developing a security governance framework, ensuring alignment with security objectives. The other options, while important, are secondary considerations that derive from the overarching security strategy rather than primary inputs.