ISACA CISM Q, A, and Explanations questions with correct answers
Which of the following steps should be FIRST in developing an information security plan?
A. Perform a technical vulnerabilities assessment.
B. Analyze the current business strategy.
C. Perform a business impact analysis.
D. Assess the current levels of security awareness.
CORRECT ANSWER B. An information security manager needs to gain an understanding of the current business strategy and direction to understand the organization's objectives and the impact of the other answers on achieving those objectives.

Senior management commitment and support for information security can BEST be obtained through presentations that:
A. use illustrative examples of successful attacks.
B. explain the technical risk to the organization.
C. evaluate the organization against good security practices.
D. tie security risk to key business objectives.
CORRECT ANSWER D. Senior management wants to understand the business justification for investing in security in relation to achieving key business objectives.

The MOST appropriate role for senior management in supporting information security is the:
A. evaluation of vendors offering security products.
B. assessment of risk to the organization.
School, study and subject
- Institution
- CISM - Certified Information Security Manager
- Degree
- CISM - Certified Information Security Manager
Document information
- Uploaded on
- March 12, 2024
- Number of pages
- 21
- Written in
- 2023/2024
- Type
- Exam
- Contains
- Questions and answers