According to the ISACA review manual, domain 1 emphasizes that risk assessments are the foundation for developing an effective security strategy. NIST also confirms this.
Input, here it says INPUT. A gap analysis assesses two states, current and desirable, and the consequences of this analysis are the best INPUT for the IS strategy.
How can a gap analysis be performed for a security strategy that does not yet exist? The question frames it as the initial (hence the term "developing") security strategy. If you have no starting point, you cannot perform a gap analysis.
C: The CISM All-in-One Exam Guide writes:
Gap Assessment
To implement a security strategy and accomplish objectives, security professionals often spend too much time focusing on the end goal and not enough time on the starting point. Without sufficient knowledge of the starting point, accomplishing objectives will be more difficult, and achieving success will be less certain.
and it also writes:
Risk Assessments
A strategist should choose to have a risk assessment performed to reveal risks present in the organization. The results of a risk assessment give the strategist valuable information on the types of resources required to bring risks down to acceptable levels. This is vital for developing and validating strategic objectives.
The gap assessment is valuable for implementing the strategy. The risk assessment validates your strategic objectives.
The results of an information security gap analysis provide a comprehensive understanding of the existing state of information security within an organization, identifying areas where security controls may be lacking or not meeting desired levels. This analysis helps in determining the current state of security and defining the desired future state, which is critical for developing an effective information security strategy.
While measurement of security performance against IT goals (option B), results of a technology risk assessment (option C), and the availability of capable information security resources (option D) are important considerations, the information security gap analysis is a foundational step that informs the strategic direction and priorities for the development of the overall information security strategy.
For sure it is A. Completing a risk assessment is good, but the next step is the gap analysis... how far are you from where you want to be? Brilliant.
Community vote distribution: A (35%), C (25%), B (20%), Other