Exam CISM topic 1 question 655 discussion

at first, perform ROI.

C first

Escalate to senior management.

C. Escalate to senior management.

Before approaching the SM, the infosec manager should do his homework (cost of non-compliance vs benefits of compliance)

Escalate based on the scenario - mandatory control, and the bottle kneck to objectives. You would have done the cost benefit-analysis prior to selecting the mandatory requirements. C

C. Escalate to senior management. Escalating the issue to senior management allows for a higher-level decision-making process. Senior management can evaluate the situation, consider the potential risks, and make an informed decision regarding whether to adjust the business objective, allocate additional resources, seek exceptions or waivers from the security standard, or take other appropriate actions. After senior management is aware of the issue and involved in the decision-making process, they may then decide to perform a cost-benefit analysis, revisit the business objective, or recommend risk acceptance if necessary.

Why would he bother with B when the hindrance is being caused by a mandated control? The question implies that the control must remain in place so how or why would you need to weigh it up?

B. Perform a cost-benefit analysis.

C. Escalate to senior management.

When a mandatory security standard hinders the achievement of an identified business objective, the information security manager should first perform a cost-benefit analysis to determine the impact of the security standard on the business objective.

Very much B in this case