CISM Question #922: Real Exam Question with Answer & Explanation
Question
Which of the following is MOST helpful for an information security manager to consider when setting the information security baseline?
Options
- A. Risk appetite
- B. Control objectives
- C. Gap analysis
- D. Security metrics
Explanation
The correct answer is A: Risk appetite. Risk appetite is the foundational input for setting a security baseline because the baseline represents the minimum acceptable security posture, and "acceptable" is defined by how much risk the organization is willing to tolerate. Without knowing the organization's risk appetite, the manager cannot determine how high or low to set that floor.
Why the distractors fall short:
- B. Control objectives describe what controls should achieve, but they are derived from the baseline, not used to define it - they come after.
- C. Gap analysis compares current state to a desired state and is performed after the baseline exists, to identify what needs improvement to reach it.
- D. Security metrics measure performance against an established baseline - they're a monitoring tool, not an input for creating one.
Memory tip: Think "appetite before you set the table." You need to know how risk-hungry the organization is before you decide what minimum security meal to serve. Risk appetite sets the baseline; everything else (gap analysis, metrics, control objectives) follows from it.