nerdexam
(ISC)2

CISSP · Question #1073

When MUST an organization's information security strategic plan be reviewed?

The correct answer is D. Whenever there are major changes to the business. An information security strategic plan must be reviewed whenever major changes occur to the business, ensuring security strategy remains aligned with evolving organizational objectives and risk landscape.

Submitted by ravi_2018· Mar 5, 2026Security and Risk Management

Question

When MUST an organization's information security strategic plan be reviewed?

Options

  • AQuarterly, when the organization's strategic plan is updated
  • BWhenever there are significant changes to a major application
  • CEvery three years, when the organization's strategic plan is updated
  • DWhenever there are major changes to the business

How the community answered

(51 responses)
  • A
    2% (1)
  • B
    4% (2)
  • C
    6% (3)
  • D
    88% (45)

Why each option

An information security strategic plan must be reviewed whenever major changes occur to the business, ensuring security strategy remains aligned with evolving organizational objectives and risk landscape.

AQuarterly, when the organization's strategic plan is updated

Quarterly reviews are not a standard requirement; tying reviews solely to a fixed quarterly schedule is arbitrary and may miss critical business changes occurring outside that cadence.

BWhenever there are significant changes to a major application

Changes to a major application are operational or tactical concerns addressed through change management and system-level security assessments, not triggers for revising the organization's overarching information security strategic plan.

CEvery three years, when the organization's strategic plan is updated

A fixed three-year cycle is too rigid and may be used as a general guideline, but it is not the mandatory trigger-waiting three years regardless of business changes could leave the security strategy dangerously misaligned with current organizational realities.

DWhenever there are major changes to the businessCorrect

An information security strategic plan is inherently tied to the overall business direction, risk environment, and organizational priorities. Whenever major business changes occur-such as mergers, new product lines, regulatory shifts, or significant operational changes-the security strategy must be reassessed to remain relevant and effective. This principle is consistent with industry standards like ISACA's CISM and NIST frameworks, which emphasize continuous alignment between security governance and business strategy.

Concept tested: Information security strategic plan review triggers

Source: https://www.isaca.org/resources/isaca-journal/past-issues/2013/developing-an-information-security-strategic-plan

Topics

#information security strategy#strategic planning#security governance#business changes

Community Discussion

No community discussion yet for this question.

Full CISSP Practice