Certified Information Systems Security Professional (CISSP) — Question 83
Which of the following is the FIRST step an organization's professional performs when defining a cyber-security program based upon industry standards?
Answer options
- A. Review the past security assessments
- B. Define the organization's objectives regarding security and risk mitigation
- C. Map the organization's current security practices to industry standards and frameworks
- D. Select from a choice of security best practices
Correct answer: B
Explanation
The correct answer is B because defining the organization's objectives regarding security and risk mitigation sets the foundation for the entire cyber-security program. Without clear objectives, the subsequent steps, such as reviewing past assessments or mapping current practices to industry standards, would lack direction and purpose.