I do believe the right answer is option C.
Information security strategy is derived/based on the business strategy. Objectives are steps to fulfill a strategy so information security objectives will be primarily based on the information security strategy.
Below is also from ChatGPT, which makes more sense than simply posting the question.
Yes, that's correct. Security objectives are typically derived from the organization's information security strategy. The security strategy outlines the overall goals and direction for security within the organization, and the security objectives are specific, measurable targets that support the strategy. These objectives help ensure that security efforts are aligned with the organization's overall goals and priorities.
It's C. ChatGPT addicts in the comments can go ahead and fail the exam since they obviously don't know even the basics, let alone advanced stuff.
The process goes like this: You look at the business strategy and based on that you create the information security strategy. And then you define the objectives through which you realize the strategy. Then you create KGIs, and so on...
A. Business strategy.
While regulatory requirements, information security strategy, and data classification are important considerations for information security, they should all align with and support the broader goals and objectives of the organization's business strategy. Information security should be seen as an enabler of the business strategy rather than a standalone goal. By aligning information security objectives with the business strategy, an organization can ensure that its security efforts are focused on protecting the most critical assets and achieving the overall goals of the business.
A. Business strategy should be the PRIMARY basis for determining information security objectives. Information security objectives should be aligned with the organization's overall business strategy and objectives in order to support the organization's mission and goals. This means that the information security program should be designed to meet the specific needs of the organization, and that it should be continuously reviewed and updated to ensure that it remains aligned with changing business needs. Determining information security objectives based on business strategy will help ensure that the organization's resources are allocated in a way that maximizes the protection of the organization's assets while supporting the organization's overall mission and objectives.
Community vote distribution: A (35%), C (25%), B (20%), Other