CISSP · Question #1073
When MUST an organization's information security strategic plan be reviewed?
The correct answer is D. Whenever there are major changes to the business. An information security strategic plan must be reviewed whenever major changes occur to the business, ensuring security strategy remains aligned with evolving organizational objectives and risk landscape.
Question
Options
- AQuarterly, when the organization's strategic plan is updated
- BWhenever there are significant changes to a major application
- CEvery three years, when the organization's strategic plan is updated
- DWhenever there are major changes to the business
How the community answered
(51 responses)- A2% (1)
- B4% (2)
- C6% (3)
- D88% (45)
Why each option
An information security strategic plan must be reviewed whenever major changes occur to the business, ensuring security strategy remains aligned with evolving organizational objectives and risk landscape.
Quarterly reviews are not a standard requirement; tying reviews solely to a fixed quarterly schedule is arbitrary and may miss critical business changes occurring outside that cadence.
Changes to a major application are operational or tactical concerns addressed through change management and system-level security assessments, not triggers for revising the organization's overarching information security strategic plan.
A fixed three-year cycle is too rigid and may be used as a general guideline, but it is not the mandatory trigger-waiting three years regardless of business changes could leave the security strategy dangerously misaligned with current organizational realities.
An information security strategic plan is inherently tied to the overall business direction, risk environment, and organizational priorities. Whenever major business changes occur-such as mergers, new product lines, regulatory shifts, or significant operational changes-the security strategy must be reassessed to remain relevant and effective. This principle is consistent with industry standards like ISACA's CISM and NIST frameworks, which emphasize continuous alignment between security governance and business strategy.
Concept tested: Information security strategic plan review triggers
Source: https://www.isaca.org/resources/isaca-journal/past-issues/2013/developing-an-information-security-strategic-plan
Topics
Community Discussion
No community discussion yet for this question.