
CISM Question #319: Real Exam Question with Answer & Explanation

The correct answer is B: apply to the organization's business model.

Submitted by javi_es · Apr 18, 2026 · Information Security Governance

Question

When adopting an information security framework, it is MOST important to select controls that:

Options

  • A. eliminate all risk to the organization.
  • B. apply to the organization's business model.
  • C. meet minimum regulatory requirements.
  • D. are aligned with industry standards.

Explanation

Information security frameworks (such as ISO 27001, NIST CSF, or CIS Controls) offer broad catalogs of controls, not all of which are relevant to every organization. The most important criterion when selecting controls is that they apply to the organization's specific business model, industry, size, and risk profile. Controls that are irrelevant to how the organization operates waste resources and may create compliance theater without reducing real risk. Option A (eliminate all risk) is impossible; residual risk always exists. Option C (meet minimum regulatory requirements) sets only a floor, not the appropriate level of protection. Option D (aligned with industry standards) is a useful guide but is secondary to organizational applicability. Relevance to the business context is paramount.

Topics

#InformationSecurityFrameworks #SecurityControlSelection #BusinessAlignment #InformationSecurityGovernance
