CISSP · Question #1247
Which of the following is the FIRST step an organization's security professional performs when defining a cyber-security program based upon industry standards?
The correct answer is B. Define the organization's objectives regarding security and risk mitigation.. When building a cybersecurity program, defining organizational objectives and risk tolerance must come first before any framework mapping or practice selection can be meaningful.
Question
Options
- AMap the organization's current security practices to industry standards and frameworks.
- BDefine the organization's objectives regarding security and risk mitigation.
- CSelect from a choice of security best practices.
- DReview the past security assessments.
How the community answered
(24 responses)- A4% (1)
- B75% (18)
- C4% (1)
- D17% (4)
Why each option
When building a cybersecurity program, defining organizational objectives and risk tolerance must come first before any framework mapping or practice selection can be meaningful.
Mapping current security practices to frameworks is a gap analysis activity that can only be performed meaningfully after organizational objectives and scope have already been defined.
Defining the organization's objectives regarding security and risk mitigation is the foundational first step because all subsequent decisions - such as which frameworks to adopt, which controls to implement, and how to prioritize resources - must align with the organization's specific goals and risk appetite. Without established objectives, there is no basis for evaluating which standards or practices are relevant or appropriate. This aligns with the NIST Cybersecurity Framework's 'Identify' function, which emphasizes understanding business context and risk management priorities before any other activity.
Selecting security best practices is a later-stage activity that depends on having clear objectives and a gap analysis to guide which practices are most applicable to the organization.
Reviewing past security assessments is a useful input but is not the first step; it is a secondary activity that supports gap analysis and is only relevant once objectives are established.
Concept tested: Cybersecurity program development lifecycle first steps
Source: https://www.nist.gov/cyberframework/getting-started
Topics
Community Discussion
No community discussion yet for this question.