
CISM Question #947: Real Exam Question with Answer & Explanation


Submitted by ashley.k · Apr 18, 2026 · Domain: Information Security Program Development and Management

Question

When developing an information security strategy for an organization, which of the following is MOST helpful for understanding where to focus efforts?

Options

  • A. Vulnerability assessment
  • B. Project plans
  • C. Business impact analysis (BIA)
  • D. Gap analysis

Explanation

The correct answer is D: Gap analysis. A gap analysis compares the organization's current security posture against its desired target state (based on policies, frameworks, or regulatory requirements), clearly identifying where shortfalls exist. This directly tells the information security manager where to focus strategic effort and resources to close the most significant gaps. A vulnerability assessment (A) identifies technical weaknesses but does not map them to strategic objectives or a target state. Project plans (B) are implementation tools, not strategy-development inputs. A business impact analysis (C) is valuable for understanding the criticality of assets and processes but does not reveal the security gaps that need to be addressed strategically.

Topics

Information security strategy, Gap analysis, Strategic planning, Security program development
