Certified Information Systems Security Professional (CISSP) — Question 447
Which of the following is MOST important to follow when developing information security controls for an organization?
Answer options
- A. Use industry standard best practices for security controls in the organization.
- B. Exercise due diligence with regard to all risk management information to tailor appropriate controls.
- C. Review all local and international standards and choose the most stringent based on location.
- D. Perform a risk assessment and choose a standard that addresses existing gaps.
Correct answer: B
Explanation
The correct answer, B, emphasizes the need for due diligence: reviewing all available risk management information so that security controls can be tailored to the organization's specific needs. Options A, C, and D each describe something useful, but they start from an external standard or generic practice rather than from the organization's own risk profile and circumstances, so none of them prioritizes adapting controls as effectively as option B does.