Aligning security policies with the most stringent global regulations helps ensure that the organization meets high standards for data security and compliance. This approach not only ensures adherence to local regulations but also provides a robust framework that can address various regulatory requirements across different jurisdictions.
While obtaining annual sign-off from executive management (option A) and sending policies to stakeholders for review (option C) are valuable practices, aligning with the most stringent global regulations provides a comprehensive and proactive strategy for regulatory compliance. Outsourcing compliance activities (option D) can be a consideration, but it does not replace the need for a well-defined and internally aligned security policy framework.
C. ISACA thinks of stakeholders as experts in their field who know which policies to follow.
The problem with B is that it's "Global", but there could be more stringent local policies that are not addressed globally.
B is the only relevant answer here. It would ensure that your policies cover EVERY requirement, regardless of jurisdiction. Think of a company that does HITRUST: they would meet NIST, HIPAA and PCI requirements as well, since they are a part of HITRUST. That ensures they follow a single framework but are covering all bases.
Honestly, looking at this question can be tricky. They simply ask what is the best way. They did not ask how to assure standards are met. If you were to instruct an engineer on how to do the job, you would tell them to align the policies to the most stringent global regulations. Remember, they are simply asking what is the best way.
B. Align the policies to the most stringent global regulations.
Aligning policies to the most stringent global regulations can be a robust approach to ensuring compliance, as it helps to cover a wide range of regulatory requirements. This method ensures that the organization meets or exceeds the highest standards, which can provide a strong foundation for compliance across various jurisdictions.
I would say it's D, for the simple reason that the close second (B) is a waste of resources and is not cost-effective. The BEST and most objective view on the problem can be provided by external auditors. So this should be the best and most cost-effective way to do it.
Aligning the policies to the most stringent global policy would create conflict with local regional policies, as each location's policies might differ. On the other hand, business stakeholders are best positioned to take the call if they are impacted or not and choose appropriate risk treatment, so engaging business people for review would be most appropriate for this case; therefore option C would highly fill the blank here.
Right answer is C.
Reason that B is wrong: applying the most stringent cannot guarantee full compliance with local regulators, which differ from one country to another.
Satisfying local regulations has precedence over satisfying a global one.
C is right because it gives opportunity to communicate with stakeholders, who will be considering the local regulations and have more awareness about them than the global.
"Security regulatory requirements" versus "global regulations" is where I am stuck. If I am in banking, I care about banking requirements, not global. I need to be an SME on banking regulations, not global.
Compliance with the highest standard allows your bank to do business with other businesses anywhere without fear of noncompliance. Remember that we live in a global village. Businesses are connected and, if not now, as your business grows, you will interface with others, so think global.