ITIL · Question #310
Which of the following defines the level of protection in Information Security Management?
The correct answer is C. The Business. In Information Security Management, the business defines the required level of protection based on its risk appetite and operational needs, not IT or standards bodies.
Question
Which of the following defines the level of protection in Information Security Management?
Options
- AThe IT Executive
- BThe ISO27001 Standard
- CThe Business
- DThe Service Level Manager
How the community answered
(59 responses)- A2% (1)
- B3% (2)
- C93% (55)
- D2% (1)
Why each option
In Information Security Management, the business defines the required level of protection based on its risk appetite and operational needs, not IT or standards bodies.
The IT Executive oversees IT operations and governance but does not define the level of protection - that authority rests with business stakeholders who understand and own business risk.
ISO27001 is a framework that guides how to implement information security management, but it does not define the specific level of protection required by any individual organization.
The business owns the information assets and determines what level of protection is appropriate based on business risk, regulatory obligations, and operational requirements. IT Security implements the controls to meet those business-defined requirements. ISO27001 and IT executives provide frameworks and governance, but the ultimate authority on acceptable risk lies with the business.
The Service Level Manager negotiates and manages service level agreements but has no authority or remit to define information security protection levels.
Concept tested: Business-driven information security protection levels
Topics
Community Discussion
No community discussion yet for this question.