B. Reducing organizational security risk should be the primary goal of an information security manager when designing information security policies. This is because the primary purpose of information security policies is to protect the organization and its assets from potential threats and risks. By reducing organizational security risk, the organization is better protected and less likely to experience security incidents that can cause damage to the organization, its reputation and its customers. While minimizing cost and improving protection of information are important considerations, they should not take precedence over reducing risk as it is the ultimate goal of the information security policies. Achieving organizational objectives should be considered as well as it will help to align the security policies with the overall goals of the organization.
I'd say it's D for two reasons:
1) ISACA tends to emphasize that the whole point of security is to support the business and business goals and objectives.
2) Security risk is actually reduced through security controls, not policies. Policies are high-level stuff that provide a general idea what management wants to achieve.
Organization can decide to accept risks to achieving its organizational objectives. Then, ISM's PRIMARY goal is not to minimize organizational (option B) or information (option C) risks.
Going to have to go with D on this one. ISACA heavily leans on aligning security goals with business objectives. And anyone using ChatGPT to help them through these questions should just take your $600 for the certification cost and throw it in the trash.
B. Reducing organizational security risk
The PRIMARY goal of an information security manager when designing information security policies should be to reduce organizational security risk. Information security policies are put in place to protect an organization's sensitive data, systems, and assets from various threats and vulnerabilities. By focusing on reducing security risks, an organization can better protect itself from potential breaches, data leaks, and other security incidents.
The PRIMARY goal of an information security manager when designing information security policies is C. Improving the protection of information. This is because the primary goal of an information security policy is to protect the confidentiality, integrity and availability of information.
Reducing risk is the purpose of the entire exercise. However, it would've been justified in the initial steps and objectives will be set based on that. Leading into the reason for the security policies, which has to align with the objectives that have been already set. The fact that they will help reduce risk is given.
The PRIMARY goal of an information security manager when designing information security policies should be to improve the protection of information. While minimizing the cost of security controls, reducing organizational security risk, and achieving organizational objectives are important considerations, the ultimate goal of information security policies is to protect the confidentiality, integrity, and availability of organizational information. By improving information protection, an organization can reduce the risk of security incidents and minimize the impact of any incidents that do occur.
Broesweelies (Highly Voted, 1 year, 9 months ago)
Evedzy (11 months, 1 week ago)
AlexJacobson (Highly Voted, 9 months, 4 weeks ago)
Booict (Most Recent, 2 months, 2 weeks ago)
Thavee (7 months, 1 week ago)
Salilgen (8 months, 2 weeks ago)
SpaceMonkey1 (10 months, 2 weeks ago)
POWNED (10 months, 3 weeks ago)
jcisco123 (10 months, 4 weeks ago)
wickhaarry (1 year, 1 month ago)
oluchecpoint (1 year, 2 months ago)
richck102 (1 year, 4 months ago)
mad68 (1 year, 6 months ago)
Dravidian (1 year, 7 months ago)
Souvik124 (1 year, 9 months ago)