The PRIMARY basis for selecting a security control is the ability to mitigate risk, because it is the measure of how well the control can prevent or reduce the occurrence or impact of the risk, and how effectively the control can achieve the desired level of security and protection for the system and the data. The ability to mitigate risk is the most important criterion for selecting a security control, as it directly relates to the purpose and value of the control. The other options are not the primary basis, because:

Option A: To achieve the desired level of maturity is a goal of selecting a security control, but not the primary basis. The desired level of maturity is the state or condition of the security control that reflects its quality, consistency, and reliability, and it should be aligned with the organization’s security objectives and standards. The desired level of maturity is a result of selecting a security control, not a reason for selecting it.

Option B: The materiality of the risk is a factor of selecting a security control, but not the primary basis. The materiality of the risk is the degree or extent of the risk that affects the organization’s performance, reputation, and value, and it should be considered when selecting a security control, but it is not the only or the most important factor. The materiality of the risk is an input to selecting a security control, not an output of selecting it.

Option D: The cost of the control is a constraint of selecting a security control, but not the primary basis. The cost of the control is the amount of resources and expenditure that are required to implement and maintain the control, and it should be balanced with the benefit and effectiveness ofthe control, but it is not the only or the most important constraint. The cost of the control is a limitation of selecting a security control, not a motivation for selecting it. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 211.