CISM Certified Information Security Manager – Question0303

After obtaining commitment from senior management, which of the following should be completed NEXT when establishing an information security program?

A. Define security metrics
B. Conduct a risk assessment
C. Perform a gap analysis
D. Procure security tools

Correct Answer: B

Explanation:

When establishing an information security program, conducting a risk assessment is key to identifying the needs of the organization and developing a security strategy. Defining security metrics, performing a gap analysis and procuring security tools are all subsequent considerations.