Exam CISM topic 1 question 340 discussion

B is correct according to CISM RM 16th 3.1.5 - Stategic alignment is one of the Outcomes of Information Security Program

outcome should be reduction of threat.

Its B, because information security needs to support business objectives. Therefore, information security and business must be strategically aligned. Its NOT A, because the amount of threats is something that cannot be influenced by information security. A threat is something that inherently exists, regardless of the security posture of your organization (e.g., ransomware). Its NOT C, because risks will most likely not be completely eliminated. Instead, risks must be reduced and managed to a appropriate level. Its NOT D, because cost is not the major concern of information security (although its an important concern).

B. Strategic alignment While all the options listed are important aspects of an information security program, strategic alignment is the primary outcome because it ensures that the security program is closely aligned with the overall goals and objectives of the organization. Information security should not be seen as a standalone function but rather as an integral part of an organization's strategic plan. It should support and enable the organization to achieve its mission and goals while managing risks effectively. Threat reduction, risk elimination, and cost reduction are all important, but they are means to achieve the broader goal of strategic alignment.

Outcome should be strategic alignment. it's the job or risk management process to produce a threat reduction, not the job of information program

A and C may not be a correct answer as Thread can't be reduced and Risk can't be eliminated

B. Strategic alignment

Strategic Alignment

Option A would make more sense if it said Risk reduction but it says threat reduction. B - Strategic Alignment is the most suited for the question.