Which of the following would BEST guide the development and maintenance of an information security program?
An established risk assessment process would best guide the development and maintenance of an information security program. This process involves systematically identifying, evaluating, and prioritizing potential risks to the organization's information security. By understanding the likelihood and potential impact of each risk, the organization can develop appropriate strategies and controls to mitigate them. Regular risk assessments ensure the information security program remains relevant, effective, and up-to-date, which is crucial for maintaining robust security in the face of evolving threats.
IMO, risk assessment is needed for an objective view of things. Risk appetite is too broad to guide development AND maintenance. It may serve as a starting point, but you need measurable, relevant and repeatable processes to be consistent. Also, an infosec program deals with security controls. How would you select the appropriate controls by just looking at risk appetite and no risk assessment?
To guide the development and maintenance of an information security program, it is important to have a comprehensive understanding of the organization's risk appetite. This will help in identifying the level of risk that the organization is willing to accept and the level of security that is required to protect the organization's assets.
The best option would be D. An established risk assessment process. An established risk assessment process helps identify and prioritize potential risks to the organization's information security. It involves evaluating the likelihood and potential impact of each risk, and developing strategies and controls to mitigate them. This process should be conducted on a regular basis to ensure that the information security program remains effective and up to date.
The risks identified by D still need to be evaluated by B.
B - Risk appetite serves as a guiding principle, whereas the established risk assessment process is a vehicle.
D. An established risk assessment process
The organization's risk appetite will dictate how stringent the approach to risk assessments is. So B is more important than D here.
Agree with Soleandheel1.
B. The organization's risk appetite
When you're still in the development stage of your information security program, the risk appetite is the driver. A well-established risk assessment typically comes into play after the program is already up. Risk appetite represents the organization's willingness to accept and tolerate risk, and it sets the overarching parameters for how the organization should approach information security. It helps determine the appropriate level of security controls, risk mitigation measures, and resource allocation needed to align with the organization's strategic goals and risk tolerance.
D. An established risk assessment process