
CISM Question #628: Real Exam Question with Answer & Explanation

The correct answer is B: Approved information security strategy.

Submitted by viktor_hu · Apr 18, 2026 · Information Security Governance

Question

Which of the following is the MOST important component of information security governance?

Options

  • A. Comprehensive information security awareness program
  • B. Approved information security strategy
  • C. Documented information security policies
  • D. External audit reporting

Explanation

An approved information security strategy (B) is the cornerstone of governance because it defines the direction, objectives, and priorities of the entire security program, aligned to business goals and formally endorsed by executive leadership. All other governance components derive from it: policies (C) are written to execute the strategy, awareness programs (A) communicate the strategy's requirements to staff, and audits (D) measure conformance against it. Without an approved strategy, security activities lack strategic alignment and executive mandate, making governance essentially ineffective regardless of how mature any individual component is.

Topics

#Information Security Governance · #Security Strategy · #Governance Components
