Certified Information Security Manager (CISM) — Question 945
Which of the following is MOST important to include in an information security framework?
Answer options
- A. Guidance for designing information security controls
- B. Information security organizational structure
- C. Industry benchmarks of information security metrics
- D. Information security risk assessment
Correct answer: D
Explanation
The correct answer is D because an information security risk assessment is essential for identifying potential vulnerabilities and threats, and its findings inform the overall security strategy. Options A, B, and C are important, but they are supporting elements rather than foundational components of an effective security framework.