Certified Information Security Manager (CISM) — Question 968

Which of the following control types should be considered FIRST for aligning employee behavior with an organization's information security objectives?

Answer options

• A. Administrative security controls
• B. Access security controls
• C. Technical security controls
• D. Physical security controls

Correct answer: A

Explanation

Administrative security controls are essential as they establish policies and procedures that govern employee behavior, making them the first step in aligning actions with security objectives. Access, technical, and physical security controls, while important, primarily focus on enforcing the rules and protecting systems rather than shaping employee behavior.