The correct answer is (D) Business cases because this is the only one that lists the problem, solution and how much is required to get it done. Thus why it's the only one that supports investment.
(A) Business impact analysis (BIA) is incorrect because it is a decomposition of business processes with the output being RTO, RPO and other such related items.
(B) Risk assessment results is incorrect because this is insufficient, as it doesn't contain the things that would convince management that a business case has:
- goals
- list of benefits
- costs
- risk with the initiatives
- implementation plan
- evaluation plan
The risk assessment only explains risk without the business context.
(C) Gap analysis results is incorrect because this is the difference between the present and future state... but it doesn't say why the business should care, which is what you are going to need to get that investment.
B. Risk assessment results
Investments in an information security program should be driven by an understanding of the risks that an organization faces. Risk assessment results provide crucial information about the specific threats, vulnerabilities, and potential impacts that an organization may encounter. This information allows decision-makers to prioritize investments in security measures that are most aligned with the organization's risk profile and potential consequences.
I am going with B because I am interpreting this question - "Best supports investment" - as what is most going to help management side with a decision to invest, and nothing does that more than fear of impact, and since BIA is a part of risk assessment, I am going with B.
You can have all the components in the business case but if they don't see the risk report then they are not investing a penny.
Many organizations require the development of a business case prior to approving expenditures on significant security initiatives. A business case is a written statement that describes the initiative and describes its business benefits.
Gregory, Peter H.; Gregory, Peter H. CISM Certified Information Security Manager Bundle (p. 146). McGraw Hill LLC. Kindle Edition.
The answer should be B. B is the basis for D. Business cases you need when you want to present your control requirement to the management. The risk assessment will be the basis for D.
Agree with Boomers on this one. Risk assessment results show very specifically where your risks are and therefore justifies why you need an infosec program.