Certified Information Systems Security Professional (CISSP) — Question 467
An organization is setting a security assessment scope with the goal of developing a Security Management Program (SMP). The next step is to select an approach for conducting the risk assessment. Which of the following approaches is MOST effective for the SMP?
Answer options
- A. Security controls driven assessment that focuses on controls management
- B. Business processes based risk assessment with a focus on business goals
- C. Asset driven risk assessment with a focus on the assets
- D. Data driven risk assessment with a focus on data
Correct answer: B
Explanation
The correct answer is B. A Security Management Program exists to support the organization's mission, so the risk assessment that feeds it should start from the business processes that deliver the organization's goals and work outward to the assets, data and controls those processes depend on. That ordering lets the SMP prioritize risks by their impact on business objectives and justify security spending in terms management understands. Options A, C and D are legitimate assessment approaches, but each narrows the view to a single layer: a controls-driven assessment (A) tends to measure conformance to a control set rather than risk to the business, an asset-driven assessment (C) values the inventory rather than what the inventory is used for, and a data-driven assessment (D) covers only information assets. None of them anchors the program to the overarching business objectives, which is what makes an SMP effective.