Certified Information Security Manager (CISM) — Question 95

When designing security controls, it is MOST important to:

Answer options

• A. focus on preventive controls.
• B. apply controls to confidential information.
• C. evaluate the costs associated with the controls.
• D. apply a risk-based approach.

Correct answer: D

Explanation

The correct answer is D, as applying a risk-based approach ensures that security controls are aligned with the specific threats and vulnerabilities faced by the organization. While preventive controls (A), controls for confidential information (B), and cost evaluations (C) are important, they should all be guided by the risks that are most pertinent to the organization.