
CISM Question #959: Real Exam Question with Answer & Explanation

The correct answer is B: Industry-recognized security framework.

Submitted by satoshi_tk · Apr 18, 2026 · Information Security Program Development and Management

Question

Which of the following would provide the BEST reference for the initial development of an information security program?

Options

  • A. Incident response plan
  • B. Industry-recognized security framework
  • C. Disaster recovery plan (DRP)
  • D. Recent security audit findings

Explanation

Industry-recognized security frameworks (such as NIST CSF, ISO/IEC 27001, or COBIT) provide comprehensive, structured, and proven guidance covering governance, risk management, controls, and processes. They are designed specifically as blueprints for building security programs from the ground up. An incident response plan (A) and a disaster recovery plan (C) are components of a mature program, not starting references. Recent audit findings (D) are retrospective and organization-specific, lacking the breadth needed as a foundational reference. Frameworks offer the broadest and most authoritative starting point.

Topics

#Information security program development · #Security frameworks · #Program establishment · #Best practices
