CISM Certified Information Security Manager – Question0007

Investments in information security technologies should be based on:

A. vulnerability assessments.
B. value analysis.
C. business climate.
D. audit recommendations.

Correct Answer: B

Explanation:
Investments in security technologies should be based on a value analysis and a sound business case. Demonstrated value takes precedence over the current business climate because the business climate is ever changing. Basing decisions on audit recommendations would be reactive in nature and might not address the key business needs comprehensively. Vulnerability assessments are useful, but they do not determine whether the cost is justified.