
CISM Question #936: Real Exam Question with Answer & Explanation

The correct answer is C: Risk assessment.

Submitted by renata2k · Apr 18, 2026 · Information Security Risk Management

Question

Which of the following is MOST helpful for determining which information security policies should be implemented by an organization?

Options

  • A. Vulnerability assessment
  • B. Business impact analysis (BIA)
  • C. Risk assessment
  • D. Industry best practices

Explanation

A risk assessment identifies the specific threats, vulnerabilities, and potential impacts relevant to the organization's environment, enabling policies to be tailored to actual risks. Industry best practices provide generic guidance not customized to the organization. A BIA focuses on recovery priorities rather than policy drivers. A vulnerability assessment identifies technical weaknesses but does not provide the business-context risk framing needed to justify and scope policies.

Topics

Information Security Policies, Risk Assessment, Policy Development, Risk Management
