The wording is unclear for option A. Asset valuation is typically determined by the asset owner or custodian, and this wording could be confusing. If the intention here might be that management's understanding and prioritization of asset value influence how resources are allocated and security measures are implemented, then A would be the proper answer. Else, I would choose D. Mapping security processes is a critical factor for ensuring consistency, compliance, and alignment with best practices. By mapping security processes to established standards, the organization ensures that security controls are systematically applied and maintained, which is fundamental for a successful security program.
Tough choice between A and D. It's very clear that you need to understand the asset value first before defining any kind of processes and standards (option A). What is a bit off with option A is that usually the asset value is derived by business process owners / middle line managers, since they have in-depth knowledge of the business itself. The asset value is seldom defined by higher board management as option A reads.
I'd say it's A, because before you implement an information security program in any shape or form, you need to have a clear understanding of what you're trying to protect. How would you perform a risk assessment and prioritize risks or implement cost-effective controls if management didn't tell you the value of the assets you have to protect?
If A simply said management approval I would go with it, but since it specifically mentions asset value I am going to have to pick D as the best answer here.
While management's decision on asset value (A) is important for risk management and prioritization, it does not, by itself, ensure the success of a security program. The program's effectiveness relies more on how security processes are implemented and managed, which is why mapping these processes to baseline standards is critical.
A. Management decision on asset value
This is because understanding the value of your assets (data, systems, infrastructure, etc.) helps in prioritizing security efforts and allocating resources effectively. Without a clear understanding of the asset's value, it's challenging to make informed decisions about where to invest in security measures, which security controls to implement, and how much to budget for security initiatives.
The CISM (Certified Information Security Manager) Review Manual, 27th Edition, supports this viewpoint by stating:
"A successful security program requires a systematic and structured approach to managing security risks. This begins with establishing baseline security standards and then mapping the organization's security processes to these standards. This helps ensure that all security activities are aligned with recognized best practices and the organization's risk management objectives."
From the ISACA perspective for the CISM examination, the MOST important requirement for a successful security program is:
D. Mapping security processes to baseline security standards
Mapping security processes to baseline security standards ensures that the organization's security program aligns with established best practices and industry standards. It helps in identifying the necessary security controls, procedures, and guidelines that need to be implemented to protect the organization's assets and mitigate risks effectively.