An information security team must obtain approval from the information security steering committee to implement a key control. Which of the following is the MOST important input to assist the committee in making this decision?
For this type of activity, you go with the business case, and one of the elements of the business case is the results of the Risk Assessment. But the risk assessment without the business case probably won't be very beneficial for the management to take the decision.
C. Risk assessment is the most important input to assist the information security steering committee in making a decision on whether to approve the implementation of a key control. This is because a risk assessment will provide the committee with a clear understanding of the potential risks and impacts that the key control is intended to address, as well as the potential costs and benefits of the proposed solution. This information is critical in determining whether the key control is a necessary and appropriate measure to address the identified risks, and whether the costs of implementation outweigh the benefits.
Below is from ChatGPT:
Q: Business case is the most important input to assist the information security steering committee in making a decision on whether to approve the implementation of a key control
A: The business case is indeed a critical input for the Information Security Steering Committee when deciding whether to approve the implementation of a key control. It helps the committee understand the rationale behind the proposed control, including its potential benefits, costs, and impact on the organization. The business case should clearly outline the problem or risk the control aims to address, the proposed solution, the expected outcomes, and how the control aligns with the organization's overall business objectives and risk management strategy. This information is essential for the committee to make an informed decision that balances security needs with business priorities.
Steering committee does not care about RAs, they want Business cases.
They want to know current status and future one.
They want to know about the plan and the success criteria.
IMO D.
By presenting a well-structured and compelling business case, the information security team can effectively communicate the need for the control and demonstrate its alignment with the organization's strategic objectives. This allows the committee to assess the business case alongside other factors, such as risk assessment, IT strategy, and security architecture, in order to make an informed decision.
So I think Option D
D business case is most important. There are costs associated with implementing key controls, and management must approve them. Therefore, the business case submitted by the information security team is critical information to explain the balance of cost, return, and risk, and to convince management of its importance. However, the security architecture and risk assessment are also important information and must be provided along with the business case.
While the C risk assessment is undoubtedly important information for implementing key controls, it is not necessarily the most important information for the Information Security Steering Committee to decide upon. In fact, the information the committee needs to make decisions depends on the purpose, authority, and scope for which the committee was established.