The correct answer is B because integrating information security governance into corporate governance ensures that security decisions are made as part of overall business direction, risk management, investment, and accountability. Security strategy should not operate separately from enterprise strategy. When information security governance is embedded in corporate governance, security objectives are aligned with business objectives, risk appetite, regulatory obligations, and stakeholder expectations. Establishing business KPIs may help measure business performance, but it does not directly align security strategy. Conformance to industry standards can improve maturity and consistency, but standards may not fully reflect the organization’s unique business priorities. Reporting security risk in metrics is useful, but reporting alone does not create strategic alignment. CISM emphasizes that information security must support enterprise objectives and be governed through appropriate structures, roles, and oversight. Therefore, integrating information security governance into corporate governance is the best way to align security and business strategies.
[Reference: CISM Information Security Governance; corporate governance integration, strategic alignment, enterprise risk, and accountability principles., , ]
Submit