CISM Certified Information Security Manager – Question0496 - CISM Certified Information Security Manager

Which of the following would be the FIRST step in establishing an information security program?

A. Develop the security policy.
B. Develop security operating procedures.
C. Develop the security plan.
D. Conduct a security controls study.

Correct Answer: C

Explanation:

Explanation:
A security plan must be developed to implement the security strategy. All of the other choices should follow the development of the security plan.