Isaca Updated CISM Exam Questions and Answers by wyatt

According to the CISM Review Manual, engaging stakeholders is the most important step when developing an information security strategy, as it helps to ensure that the strategy is aligned with the business objectives, expectations, and requirements of the stakeholders. Engaging stakeholders also helps to gain their support and commitment for the implementation and maintenance of the strategy. Assigning data ownership, determining information types, and classifying information assets are possible subsequent steps, but not the most important one.

References = CISM Review Manual, 27th Edition, Chapter 2, Section 2.1.1, page 731.

The primary purpose for continuous monitoring of security controls is to ensure that the controls are effective in achieving the desired security objectives and mitigating the identified risks. Continuous monitoring provides ongoing assurance that the planned and implemented security controls are aligned with the organizational risk tolerance and can respond to changes in the threat environment, the system, or the business processes. Continuous monitoring also helps to identify and address any control weaknesses or gaps in a timely manner. (From CISM Review Manual 15th Edition and NIST Special Publication 800-1371)

References: CISM Review Manual 15th Edition, page 181, section 4.3.2.4; NIST Special Publication 800-1371, page 1, section 1.1.

Organizational units contribute to and agree on priorities is the best way to facilitate effective strategic alignment of security initiatives because it ensures that the security initiatives are aligned with the business goals and objectives, supported by relevant stakeholders, and prioritized based on risk and value. The business strategy is periodically updated is not sufficient to facilitate effective strategic alignment of security initiatives because it does not involve collaboration or communication between different organizational units. Procedures and standards are approved by department heads is not sufficient to facilitate effective strategic alignment of security initiatives because it does not reflect the strategic direction or vision of the organization. Periodic security audits are conducted by a third-party is not sufficient to facilitate effective strategic alignment of security initiatives because it does not address the planning or implementation of security initiatives. References: https://www .isaca.org/resources/isaca-journal/issues/2016/volume-2/how-to-align-security-initiatives-with-business-goals-and-objectives https://www.isaca.org/resources/isaca-journal/issues/2015/volume-1/how-to-measure-the-effectiveness-of-information-security-gover nance