Exam CISM topic 1 question 632 discussion

I like C - Senior management approval of information security policies. This is stated over and over again in the CISM book, getting leadership buy in. My two cents.

Unclear question. What type of policies the senior management approved? FIrewall? Risk response plan? nooooo... It would be C, if the approval is for business objectives. The word culture (governance) is much broader than policies.

No Money, No awareness program, Senior Management Buy In comes first. so C comes before A. A is critical but C is the entry ticket to the game.

i went with C first, but then after a little thinking having policies enforced doesnt promote for a culture, it is training and awareness that does and changes the mindset

Option C

Whilst C certainly has its uses A will have more of an influence over the company culture

A. Mature information security awareness training across the organization

A. Mature information security awareness training across the organization Having senior management approve policies is not sufficient for building a culture.

Security culture is dependent on employee awareness and acceptance . Not all employee reads and understand policy even when enforced but through training and awareness understanding and abiding with policy becomes easier and practical

Leaning towards A on this one. The issue with C is that it references just the approval for the policies. For management buy in to be effective, it has to be total support of the entire security program, not just a stamp of approval on the policy documents. However, a robust training program fosters a security culture where everyone in the organization understands the importance of security and takes steps to protect the organization's data and systems.