Certified Information Security Manager (CISM) — Question 941
Which of the following should be done FIRST when developing an information security strategy that is aligned with organizational goals?
Answer options
- A. Establish a security risk framework with key risk indicators (KRIs).
- B. Determine information security's impact on the achievement of organizational goals.
- C. Assess information security risk associated with the organizational goals.
- D. Select information security projects related to the organizational goals.
Correct answer: B
Explanation
The correct answer is B. A strategy can only be aligned with organizational goals once it is clear how information security affects the achievement of each of those goals: which goals depend on the confidentiality, integrity or availability of particular information or systems, and how much. That understanding is the input to everything else. Assessing the security risk associated with the goals (option C) presupposes knowing which goals security impacts and how; establishing a risk framework with KRIs (option A) presupposes knowing which risks are worth measuring; and selecting security projects (option D) presupposes a risk assessment that justifies them. Determining the impact on organizational goals therefore comes first, and the other three activities follow in roughly that order.