
CISSP Exam - Question 38


Which of the following is MOST important to follow when developing information security controls for an organization?

Correct Answer: B

The most important aspect when developing information security controls for an organization is to exercise due diligence with regard to all risk management information to tailor appropriate controls. This involves thoroughly reviewing and understanding the organization's risk profile and risk management processes. By doing so, you ensure that the controls are designed to address the specific needs and risks of the organization, making them both effective and aligned with the organization's business objectives.

Discussion

29 comments
JAckThePip
Oct 3, 2022

Answer is D "To assess risk, you need to think about threats and vulnerabilities. Start by making a list of any potential threats to your organization’s assets, then score these threats based on their likelihood and impact. From there, think about what vulnerabilities exist within your organization, categorize and rank them based on potential impact. These vulnerabilities can consist of people (employees, clients, third parties), processes or lack thereof, and technologies in place. " https://www.barradvisory.com/roadmap-to-implementing-a-successful-information-security-program/

jackdryan
Apr 23, 2023

B is correct

Loveguitar
Sep 10, 2022

Performing risk assessment covers answer C, for example, if you need to be PCI DSS compliant, you first assess the risk in your environment and compare it with what the standard says, your ISA can help you do that before the external assessor (QSA) comes in and assesses your controls (again the PCI DSS standard) to see your gaps.

rootic (Option: B)
Oct 28, 2022

Think like a manager. Do due diligence and choose controls BASED ON RISK MANAGEMENT.

Jamati (Option: B)
Nov 1, 2022

I'll go with B as it is the only management-level decision. The rest are lower level and more on the implementation side.

ikidreamz
Dec 29, 2022

I think D. I am thinking a new CISO arrives, does a gap analysis (SWOT), then a risk assessment, makes a report and proposes controls/updates to senior management; they decide what to tailor and implement based on the assessment.

Staanlee
Dec 30, 2022

The correct answer is B, Exercise due diligence with regard to all risk management information to tailor appropriate controls. When developing information security controls for an organization, it is important to exercise due diligence with regard to all risk management information and tailor the controls to the specific needs and risks of the organization. This involves thoroughly reviewing and understanding the organization's risk profile and risk management processes and using that information to design controls that are appropriate and effective for the organization. By exercising due diligence and tailoring the controls to the organization's specific needs and risks, the organization can ensure that its security controls are effective and aligned with its business objectives.

FlimFlam
Mar 20, 2023

B is the best answer. Exercising due diligence will require you to perform a risk assessment and then you will take all risk information into account. B is the all encompassing answer making it the best answer.

franbarpro (Option: C)
Sep 7, 2022

"C" sounds good to me

franbarpro
Oct 30, 2022

Meant to say “B”

krassko (Option: D)
Sep 29, 2022

Only D, as only based on a risk assessment and knowing what is worth protecting and what isn't can you proceed with choosing standards, controls, reading best practices, etc. Risk assessment is the most important, and they ask about the most important part.

Eltooth (Option: B)
Oct 27, 2022

I’m going with B based on due diligence being a management trait that CISO should demonstrate. Not all local and international standards have to be implemented - mgmt can choose to avoid/accept certain risks.

Dee83
Jan 24, 2023

D. Perform a risk assessment and choose a standard that addresses existing gaps is the MOST important when developing information security controls for an organization. A risk assessment is a critical step in the process of identifying, evaluating, and prioritizing the risks associated with an organization's information systems, assets, and processes. By performing a risk assessment, the organization can identify vulnerabilities and threats, and determine the likelihood and impact of potential security incidents. Based on the results of the risk assessment, the organization can then implement appropriate controls to mitigate or prevent identified risks, such as choosing a standard that addresses existing gaps in the organization's security posture.

Bach1968 (Option: C)
Jul 5, 2023

Considering legislation and legal requirements is an important aspect for a company to prioritize. Option C: Review all local and international standards and choose the most stringent based on location highlights the significance of being aware of and complying with relevant laws and regulations.

oksey (Option: C)
Aug 21, 2023

Choose the most stringent

Vaneck (Option: D)
Mar 14, 2024

The most important option to follow when developing information security controls for an organization is D. Perform a risk assessment and choose a standard that addresses existing gaps. This ensures that security controls are specifically tailored to the organization's needs and vulnerabilities, providing more effective protection against identified threats.

AshStevens (Option: D)
Apr 2, 2024

D. You need to know what you are doing before you can implement A. Due diligence means nothing if you picked the wrong thing and don't know what you are doing it for. C is partly covered by D, and you may not even want the "most stringent" depending on your organisation. Think like a manager!

Fouad777 (Option: B)
Dec 20, 2024

B. Exercise due diligence with regard to all risk management information to tailor appropriate controls. When developing information security controls, due diligence ensures that the chosen controls are appropriate and effective based on the specific risks and needs of the organization. By considering all risk management information—such as the organization's risk profile, potential threats, vulnerabilities, and the impact of a security breach—security controls can be tailored to address the unique risks the organization faces. This approach helps ensure that the controls are both effective and proportionate to the risks.

Nickname53796 (Option: B)
Oct 15, 2022

You develop controls after you have assessed the risks/threats. How could it be D? A and B are nearly the same. I vote B.

Nickname53796
Oct 16, 2022

Never mind. Tailoring has its own implications. I choose A

KelvinYau (Option: B)
Jun 1, 2023

I think B

homeysl (Option: D)
Mar 15, 2024

You need to identify the risk to make an informed decision

Hardrvkllr
Apr 11, 2024

B: You always need to do your "Due Diligence and Due Care." While stringent policies and rules need to be in place, you need to remember, when implementing said controls, that they need to be within reach in order to make them effective controls. Due diligence should cover the expectation of covering the local and international standards. It "SHOULD" be implied that it is being looked into, or has been looked into.

1ee7bdb
Apr 24, 2024

D is the answer

JohnBentass (Option: B)
Jun 17, 2024

B. Exercise due diligence with regard to all risk management information to tailor appropriate controls. This approach ensures that the security controls are specifically tailored to the unique risks and needs of the organization. By exercising due diligence, you can identify and assess the specific threats and vulnerabilities that the organization faces, and implement controls that are most effective in mitigating those risks. This method aligns with best practices in risk management and ensures that resources are allocated efficiently to address the most critical security concerns.

adc9365 (Option: D)
Aug 27, 2024

Risk assessment is most important to even start to know which controls are needed; then you determine the rules and regulations.

celomomo (Option: D)
Oct 2, 2024

The starting point is always to review the existing plan and identify gaps. It is the same in ITIL v4. D

somsom
Oct 17, 2024

The answer is obviously D: risk assessment, gap analysis (full, partial and non-compliance with ISO controls), then the implementation of security controls in compliance with ISO 27001.

dra3m (Option: B)
Mar 26, 2025

B is more detailed and specific. Although D can be good, a standard is not everything when developing controls. Some standards are non-prescriptive, and some need to be tailored, as no standard fits all.

RedMartian (Option: B)
Apr 4, 2025

Not C. Review all local and international standards and choose the most stringent based on location. Might lead to unnecessary complexity or cost without addressing specific organizational needs. Not D. Perform a risk assessment and choose a standard that addresses existing gaps. Valuable, but it emphasizes choosing a standard, not tailoring individual controls based on due diligence and comprehensive risk understanding.

AjitZavade (Option: B)
Apr 4, 2025

This question is about developing information security controls, and the focus is on what’s most important — which means we’re looking for the most foundational and risk-based approach.

✅ "Exercise due diligence with regard to all risk management information to tailor appropriate controls" means:
You use risk-based thinking.
You evaluate the organization’s specific threats, vulnerabilities, and requirements.
You customize controls accordingly, rather than blindly applying standards.

This aligns with both CISSP best practices and NIST, ISO, and risk-based frameworks like ISO 27005 and NIST SP 800-30.

fuzzyguzzy (Option: B)
Apr 7, 2025

While all the options have merit, the most critical factor is ensuring that security controls are risk-based and tailored to the organization's specific needs.