nerdexam
PeopleCert

ITIL · Question #310

Which of the following defines the level of protection in Information Security Management?

The correct answer is C. The Business. In Information Security Management, the business defines the required level of protection based on its risk appetite and operational needs, not IT or standards bodies.

Processes

Question

Which of the following defines the level of protection in Information Security Management?

Options

  • AThe IT Executive
  • BThe ISO27001 Standard
  • CThe Business
  • DThe Service Level Manager

How the community answered

(59 responses)
  • A
    2% (1)
  • B
    3% (2)
  • C
    93% (55)
  • D
    2% (1)

Why each option

In Information Security Management, the business defines the required level of protection based on its risk appetite and operational needs, not IT or standards bodies.

AThe IT Executive

The IT Executive oversees IT operations and governance but does not define the level of protection - that authority rests with business stakeholders who understand and own business risk.

BThe ISO27001 Standard

ISO27001 is a framework that guides how to implement information security management, but it does not define the specific level of protection required by any individual organization.

CThe BusinessCorrect

The business owns the information assets and determines what level of protection is appropriate based on business risk, regulatory obligations, and operational requirements. IT Security implements the controls to meet those business-defined requirements. ISO27001 and IT executives provide frameworks and governance, but the ultimate authority on acceptable risk lies with the business.

DThe Service Level Manager

The Service Level Manager negotiates and manages service level agreements but has no authority or remit to define information security protection levels.

Concept tested: Business-driven information security protection levels

Topics

#Information Security Management#security protection level#business requirements

Community Discussion

No community discussion yet for this question.

Full ITIL Practice