nerdexam
(ISC)2

CISSP · Question #1247

Which of the following is the FIRST step an organization's security professional performs when defining a cyber-security program based upon industry standards?

The correct answer is B. Define the organization's objectives regarding security and risk mitigation.. When building a cybersecurity program, defining organizational objectives and risk tolerance must come first before any framework mapping or practice selection can be meaningful.

Submitted by krish.m· Mar 5, 2026Security and Risk Management

Question

Which of the following is the FIRST step an organization's security professional performs when defining a cyber-security program based upon industry standards?

Options

  • AMap the organization's current security practices to industry standards and frameworks.
  • BDefine the organization's objectives regarding security and risk mitigation.
  • CSelect from a choice of security best practices.
  • DReview the past security assessments.

How the community answered

(24 responses)
  • A
    4% (1)
  • B
    75% (18)
  • C
    4% (1)
  • D
    17% (4)

Why each option

When building a cybersecurity program, defining organizational objectives and risk tolerance must come first before any framework mapping or practice selection can be meaningful.

AMap the organization's current security practices to industry standards and frameworks.

Mapping current security practices to frameworks is a gap analysis activity that can only be performed meaningfully after organizational objectives and scope have already been defined.

BDefine the organization's objectives regarding security and risk mitigation.Correct

Defining the organization's objectives regarding security and risk mitigation is the foundational first step because all subsequent decisions - such as which frameworks to adopt, which controls to implement, and how to prioritize resources - must align with the organization's specific goals and risk appetite. Without established objectives, there is no basis for evaluating which standards or practices are relevant or appropriate. This aligns with the NIST Cybersecurity Framework's 'Identify' function, which emphasizes understanding business context and risk management priorities before any other activity.

CSelect from a choice of security best practices.

Selecting security best practices is a later-stage activity that depends on having clear objectives and a gap analysis to guide which practices are most applicable to the organization.

DReview the past security assessments.

Reviewing past security assessments is a useful input but is not the first step; it is a secondary activity that supports gap analysis and is only relevant once objectives are established.

Concept tested: Cybersecurity program development lifecycle first steps

Source: https://www.nist.gov/cyberframework/getting-started

Topics

#cybersecurity program#risk management#security objectives#security strategy

Community Discussion

No community discussion yet for this question.

Full CISSP Practice