Answer is C: Risk assessment results, because they offer a complete, context-driven foundation for defining security requirements that are relevant, justifiable, and aligned with organizational risk posture.
Baseline controls are valuable and necessary, but they are not enough on their own to define the most comprehensive security requirements. A risk assessment ensures controls are justified, appropriate, and aligned to business needs.
Baseline controls are applied to a group of IT systems. Since the question is asking about the most comprehensive controls, I would go for C, since a risk assessment specifically addresses a system's risk.
A - Baseline controls represent the foundational security requirements that an organization establishes for its systems. These controls cover essential security aspects and serve as a starting point for securing the system. They include fundamental practices such as access controls, encryption, patch management, and configuration standards. C, however, focuses on identifying and prioritizing risks rather than specifying detailed security requirements.
I would go with A, stating baseline requirements for a newly developed information system, as they don't need to be part of the system; however, analysis of the risk assessment results would be involved in the selection of baseline controls.
If risks are accepted without any need for additional controls, then the risk assessment itself doesn't result in new requirements.
Baseline controls are a set of standard security requirements that apply to all systems within an organization to provide a minimum level of security.
The most comprehensive set of security requirements for a newly developed information system would be defined by C, Risk assessment results. Risk assessment is a systematic process of identifying, analyzing, and evaluating potential risks to determine the effectiveness of existing security controls and identify any additional security requirements that may be necessary. By analyzing the results of a risk assessment, one can determine the specific security measures and controls needed to protect the information system effectively.
Baseline controls represent the most comprehensive set of security requirements for a newly developed information system. These controls provide a foundation of security measures that should be implemented regardless of the specific risks or vulnerabilities of the system. They cover a wide range of security aspects, including access control, data protection, network security, and application security.
Community vote distribution: A (35%), C (25%), B (20%), Other