CISSP Question #366: Real Exam Question with Answer & Explanation
The correct answer is A: Establish an information security policy.
Question
What Is the FIRST step in establishing an information security program?
Options
- A. Establish an information security policy.
- B. Identify factors affecting information security.
- C. Establish baseline security controls.
- D. Identify critical security infrastructure.
Explanation
The first step in establishing an information security program is to establish an information security policy. An information security policy is a document that defines the objectives, scope, principles, and responsibilities of the information security program. It provides the foundation and direction for the program and is the basis on which the supporting information security standards, procedures, and guidelines are developed and implemented. The policy should be approved and supported by senior management, and it must be communicated to and enforced across the organization. Identifying factors affecting information security, establishing baseline security controls, and identifying critical security infrastructure are not the first step in establishing an information security program; they depend on the direction the policy sets and belong to subsequent steps, such as the risk assessment, risk mitigation, or risk