TLDR: The order of operations is why it's (B)
B. Assess the business objectives of the processes
A. Identify information security risk associated with the processes
D. Benchmark the processes with best practice to identify gaps
C. Evaluate the cost of information security integration
Long Version:
The correct answer is (B): Assess the business objectives of the processes. The way to think about this is in terms of the order in which these steps occur.
Rationale:
As mentioned by Wladysk, you first have to know what's important to the business and how the business works to get the context necessary for alignment. Thus (B) is the first step.
Next, the organization needs to find the security risk for those processes, based on the order of importance for the enterprise that was determined in (B), and that is why (A) is the second step.
With the process and risk now evaluated, countermeasures need to be determined, and this is what (D) is for.
Finally, this has to be turned into a business case for the business, so this is what (C) is for.
B. Assess the business objectives of the processes
When an organization seeks to integrate information security into its human resource management processes, the first step should be to assess the business objectives of these processes. Understanding what the organization aims to achieve through its HR processes lays the foundation for identifying how information security can support, enhance, and protect these objectives. This strategic alignment ensures that subsequent steps, such as identifying information security risks, evaluating integration costs, and benchmarking against best practices, are focused and driven by the organization's core goals and needs. By starting with a clear understanding of business objectives, the organization can ensure that information security integration effectively supports its mission, enhances process efficiency, and safeguards sensitive information throughout the HR lifecycle.
Tricky question, but I will go with B based on the assumption that you have to understand the business objectives before you can calculate the risks. IAW the ISACA book, the enterprise must prioritize risk treatment according to its business objectives.
A. Identify information security risk associated with the processes.
It is important to first identify any potential information security risks associated with the human resource management processes before taking any further steps. This will help the organization understand the potential vulnerabilities and threats that need to be addressed, and will inform the development of an effective information security strategy for the processes. Once the risks have been identified, the organization can then move on to assessing business objectives, evaluating the cost of integration, and benchmarking with best practices to identify gaps.