WGU C727 Cybersecurity Management I – Strategic
Exam Elaborations: Questions and Verified Answers, 2026 Update (100% Solved)
Institution: Western Governors University (WGU)
Course: C727 Cybersecurity Management I – Strategic
Document Type: Strategic Assessment & Comprehensive Study Guide
Version: 2026 Academic Update
Word Count: Approx. 15,000 words
Table of Contents
1. Executive Overview: The Strategic CISO Perspective
2. Domain I: Information Security Governance (Questions 1–10)
○ Topics: Strategic Alignment, Steering Committees, CISO Roles, ISO 27001
Leadership, Governance Frameworks.
3. Domain II: Risk Management Strategy (Questions 11–20)
○ Topics: NIST RMF, Quantitative vs. Qualitative Analysis, Risk Appetite, Risk
Treatment Strategies.
4. Domain III: Legal, Regulatory, and Compliance Landscapes (Questions 21–30)
○ Topics: GDPR vs. US CLOUD Act, Due Diligence vs. Due Care, Intellectual
Property, Ethics.
5. Domain IV: Enterprise Security Architecture (Questions 31–40)
○ Topics: SABSA vs. TOGAF, Zero Trust Implementation, Cloud Shared
Responsibility Models.
6. Domain V: Incident Management & Business Continuity (Questions 41–50)
○ Topics: BIA, RTO/RPO Optimization, Ransomware Decision Matrices, Tabletop
Exercises.
7. Domain VI: Supply Chain Risk & Emerging Trends (Questions 51–55)
○ Topics: Vendor Risk Lifecycle, NIST CSF 2.0 Supply Chain Governance, CMMI
Maturity Models.
Executive Overview: The Strategic CISO Perspective
The transition from tactical cybersecurity operations to strategic management requires a
fundamental shift in perspective. Where a security analyst focuses on the configuration of a
firewall or the remediation of a specific vulnerability, the strategic manager—and ultimately the
Chief Information Security Officer (CISO)—must focus on the alignment of these technical
activities with the broader goals of the enterprise. The WGU C727 curriculum emphasizes this
"Tone at the Top," integrating frameworks like NIST, ISO, and COBIT to create a governance
structure that not only protects value but enables business innovation. This document provides
an exhaustive elaboration of 55 critical exam questions, designed not merely to test knowledge
but to deepen the candidate's understanding of strategic nuance, risk economics, and executive
communication.
Domain I: Information Security Governance
Question 1
Scenario: A newly hired CISO discovers that the organization's current security projects are
disconnected from the business's long-term goals. The CISO intends to establish a governance
body to rectify this alignment issue.
Question: Which of the following governance bodies is most appropriate for ensuring that
information security strategies align with business objectives and for prioritizing security
investments based on enterprise risk?
A) The Change Advisory Board (CAB)
B) The Information Security Steering Committee
C) The Security Operations Center (SOC) Management Team
D) The Audit and Compliance Committee
Correct Answer: B) The Information Security Steering Committee
Strategic Analysis & Elaboration: The establishment of an Information Security Steering
Committee is the preeminent mechanism for achieving strategic alignment between IT security
and the business. This committee is typically comprised of senior executives from various
functional areas—such as Legal, Human Resources, Finance, and Operations—alongside the
CISO and CIO. Its primary mandate is to review risk profiles, approve major security policies,
and prioritize initiatives to ensure they support the organization's mission.
From a strategic vantage point, the Steering Committee serves as a translation layer. It converts
the technical necessities articulated by the CISO into business imperatives understood by the
Board. Without this body, security decisions are often made in a vacuum, leading to
"misalignment"—a state where security either stifles business agility through excessive controls
or leaves the business exposed through negligence. The Steering Committee ensures that
security is viewed not as a technical hurdle but as a business enabler.
● Why Option A is incorrect: The Change Advisory Board (CAB) is a tactical body
focused on IT Service Management (ITSM). Its role is to assess the risk of specific
changes to the IT environment (e.g., patching a server, updating a firewall rule) to prevent
outages. It does not set long-term strategy or align security with corporate goals.
● Why Option C is incorrect: The SOC Management Team is purely operational, focused
on the daily detection and containment of threats.
● Why Option D is incorrect: While the Audit Committee (a subset of the Board) provides
oversight, they do not manage the active prioritization or strategic direction of security
projects; they simply verify that risks are being managed.
Question 2
Scenario: The Board of Directors has tasked the CISO with developing metrics to demonstrate
the value of the information security program. The Board is uninterested in technical data.
Question: Which type of metric is most effective for communicating the strategic state of
security to the Board of Directors?
A) Key Performance Indicators (KPIs) focused on operational uptime.
B) Key Risk Indicators (KRIs) mapped to the organization's Risk Appetite.
C) Raw counts of vulnerabilities patched per month.
D) The number of phishing emails blocked by the email gateway.
Correct Answer: B) Key Risk Indicators (KRIs) mapped to the organization's Risk
Appetite.
Strategic Analysis & Elaboration: Executive communication requires mapping security
outcomes to business survivability and profitability. Key Risk Indicators (KRIs) are metrics used
to provide an early warning of increasing risk exposures in key areas. When a CISO presents to
the Board, the dialogue must center on whether the organization is operating within its defined
"Risk Appetite"—the amount of risk the organization is willing to accept in pursuit of value.
For example, a KRI might track "Percentage of Critical Business Processes without Disaster
Recovery Testing in the last 12 months." If this number rises, it directly indicates a threat to
business continuity, a concept board members instinctively understand. In contrast, operational
metrics fail to answer the "So What?" question. A metric showing "1 million blocked firewall
packets" is meaningless to a board member; it does not indicate whether the company is safer
or if a breach is imminent. It is merely a "vanity metric" that proves the security tools are turned
on, but not that the strategy is working.
● Strategic Nuance: The NIST CSF 2.0 explicitly adds the "Govern" function to emphasize
this type of communication. The CISO must contextualize data: "We blocked 10,000
attacks" becomes "Our defense-in-depth strategy prevented $2M in potential downtime
loss, keeping us within our operational risk appetite".
Question 3
Scenario: An organization is adopting the ISO/IEC 27001 standard for its Information Security
Management System (ISMS).
Question: According to ISO 27001 Clause 5, what is the specific responsibility of Top
Management regarding the ISMS?
A) To personally configure the root access controls for critical servers.
B) To demonstrate leadership and commitment by ensuring the information security policy and
objectives are established and compatible with the strategic direction.
C) To outsource all liability for data breaches to a third-party insurance provider.
D) To conduct the daily log reviews for the SIEM platform.
Correct Answer: B) To demonstrate leadership and commitment by ensuring the
information security policy and objectives are established and compatible with the
strategic direction.
Strategic Analysis & Elaboration: Clause 5 of ISO 27001 ("Leadership") acts as the
foundation for the entire standard. It mandates that information security is not an IT back-office
function but a top-down organizational imperative. The standard explicitly states that Top
Management (the C-Suite) must provide the resources (budget, personnel) and the authority
required for the ISMS to function.
This requirement combats the common strategic failure where executives "support" security in
speech but deny it in budget. By requiring alignment with "strategic direction," ISO 27001