The primary role of the information security program is to provide guidance in managing organizational security risk (B). In CISM, the security program translates governance direction, policies, and risk appetite into coordinated activities, controls, and practices that enable the organization to manage risk consistently and effectively. Performing risk assessments and BIAs (A) are important activities but are not the program’s primary purpose. Approving security requirements (C) is typically a management or governance responsibility, while education and awareness (D) are supporting components of the program. CISM emphasizes that the security program acts as the mechanism for operationalizing risk management, ensuring alignment with business objectives and continuous improvement of the security posture.
[References: ISACA CISM Review Manual (Program development and management—program purpose and scope); CISM Exam Content Outline (Domain 3)., , , ]
Submit