Answer is A: Because it provides the evidence and context needed to build a solid, risk-aligned business case for any new security initiative. Cost-benefit analysis is in the business case.
RA, The correct answer is:
A. Conduct a risk assessment
Explanation:
Before developing a business case for a new security initiative, a risk assessment should be conducted to identify potential threats, vulnerabilities, and the impact on the organization. This helps in determining whether the initiative is necessary and aligns with the organization’s risk management strategy.
• B. Conduct a benchmarking exercise – This can provide useful insights but is typically done after understanding the organization’s specific risks.
• C. Perform a cost-benefit analysis – This is part of the business case development and comes after identifying risks and determining the need for the initiative.
• D. Identify resource requirements – This is a later step after establishing the justification for the initiative.
By conducting a risk assessment first, the organization ensures that the security initiative is driven by actual business and security needs rather than assumptions.
My take is: A security initiative is the result of a risk assessment. E.g., the security initiative could mean the implementation of a SIEM as a mitigating control. Therefore, a risk assessment is given already.
To decide whether certain controls should be implemented, a cost-benefit analysis must be done. If costs outweigh benefits, there is no need to write a business case. If benefits outweigh costs, the cost-benefit analysis will be part of the business case later on.
SHERLOCKAWS
1 month, 1 week ago
Pichon
1 month, 3 weeks ago
PluDou_111
2 months ago
Josef4CISM
3 months, 2 weeks ago
ServerBrain
6 months, 2 weeks ago