Which of the following should be the MOST important consideration when implementing an information security framework?

A. Compliance requirements
B. Audit findings
C. Technical capabilities
D. Risk appetite