Certified Information Security Manager (CISM) — Question 943

Which of the following should be done FIRST when developing an information security program?

Answer options

• A. Establish security policies.
• B. Define the security strategy.
• C. Approve security standards.
• D. Set security baselines.

Correct answer: B

Explanation

Defining the security strategy is crucial as it lays the groundwork for all subsequent actions in the security program. Without a clear strategy, establishing policies, standards, and baselines may lack direction and coherence, making options A, C, and D less effective.