CISM Certified Information Security Manager – Question1113

An information security program should focus on:

A. best practices also in place at peer companies.
B. solutions codified in international standards.
C. key controls identified in risk assessments.
D. continued process improvement.

Correct Answer: C

Explanation:

Risk assessment identifies the appropriate controls to mitigate identified business risks; these are the controls the program should implement to protect the business. Peer industry best practices, international standards and continued process improvement can be used to support the program, but they cannot be implemented blindly without consideration of business risk.