Exam CISM topic 1 question 622 discussion

The Correct Answer is (C) Organizational Risk Appetite as the focus is on an information security-focused project, while the others are not. (i.e. need to know what level of risk is important to know how to prioritize) Rationale: A. Return on investment (ROI) is a financial instrument that looks for the best possible return. While this is ideal for projects that make money, this isn't ideal for security cause security projects cost money. Using an ROI model will make everything just a race to the bottom. Instead, it should be focused on risk. B. Privacy compliance requirements: Compliance does not mean secure. D. Historical security incidents: Past performance does not mean that it is reflective of future occurrences. It is only a context of what has occurred in the past.

The best option that enables an organization to appropriately prioritize information security-focused projects is organizational risk appetite.

prioritize: determine the order for dealing with (a series of items or tasks) according to their relative importance. Risk apetite is not good for prioritizing as you will have only two buckets. Over and under the risk apetite. As information security-focused projects support the business goals, have positive impact on the bsuness, you can calculate the ROI, so you will impement those that have the biggest gains.

This question is just intentionally made complicated, but is essentially asking "what type stuff do you prioritize"? The logical answer is "the ones that carry the most risk" (i.e. are most impactful), therefore you look at business' risk appetite and determine what's outside of that and work on that first.

This reflects the amount and type of risk an organization is willing to pursue or retain. Understanding the organization's risk appetite can help in prioritizing security projects that address the most significant and unacceptable risks first.

A. Return on investment (ROI)

priority is decided on ROI.