CISA Certified Information Systems Auditor – Question0626

Which of the following processes is the FIRST step in establishing an information security policy?

A.
Security controls evaluation
B. Business risk assessment
C. Review of current global standards
D. Information security audit

Correct Answer: B