CISM Question #318: Real Exam Question with Answer & Explanation

The correct answer is B: Revisit the business objective.

Submitted by minji_kr · Apr 18, 2026 · Information Security Governance

Question

Which of the following should an information security manager do FIRST when a security standard hinders the achievement of an identified business objective?

Options

  • A. Recommend risk acceptance.
  • B. Revisit the business objective.
  • C. Conduct a business impact analysis (BIA).
  • D. Perform a cost-benefit analysis.

Explanation

When a security standard conflicts with a business objective, the first step is to revisit the business objective itself, not to immediately modify the standard or accept the risk. The security manager must first understand whether the business objective is correctly defined, whether it has changed, or whether it can be achieved through an alternative means that does not conflict with the standard. Jumping directly to risk acceptance (A) skips due diligence. Conducting a BIA (C) or a cost-benefit analysis (D) is an analytical step that comes later, once it is confirmed that the objective and the standard are genuinely incompatible. Revisiting the business objective first ensures that the conflict is real and not a misalignment in understanding.

Topics

#Security-business alignment #Business objectives #Security standards #Governance