Certified Information Systems Security Professional (CISSP) — Question 96

When MUST an organization's information security strategic plan be reviewed?

Answer options

• A. Whenever there are major changes to the business
• B. Quarterly, when the organization's strategic plan is updated
• C. Every three years, when the organization's strategic plan is updated
• D. Whenever there are significant changes to a major application

Correct answer: A

Explanation

The correct answer is A because the information security strategic plan should be adapted in response to major business changes to ensure it remains relevant and effective. Options B and C suggest fixed timelines for reviews, which may not align with the dynamic nature of business operations. Option D is too specific and overlooks broader organizational changes that could impact security needs.