Exam CISSP topic 1 question 38 discussion

Actual exam question from ISC's CISSP
Question #: 38
Topic #: 1

Which of the following is MOST important to follow when developing information security controls for an organization?

  • A. Use industry standard best practices for security controls in the organization.
  • B. Exercise due diligence with regard to all risk management information to tailor appropriate controls.
  • C. Review all local and international standards and choose the most stringent based on location.
  • D. Perform a risk assessment and choose a standard that addresses existing gaps.
Suggested Answer: C

Comments

JAckThePip
Highly Voted 1 year, 5 months ago
Answer is D "To assess risk, you need to think about threats and vulnerabilities. Start by making a list of any potential threats to your organization’s assets, then score these threats based on their likelihood and impact. From there, think about what vulnerabilities exist within your organization, categorize and rank them based on potential impact. These vulnerabilities can consist of people (employees, clients, third parties), processes or lack thereof, and technologies in place. " https://www.barradvisory.com/roadmap-to-implementing-a-successful-information-security-program/
upvoted 7 times
jackdryan
11 months, 1 week ago
B is correct
upvoted 1 times
Loveguitar
Highly Voted 1 year, 6 months ago
Performing a risk assessment covers answer C. For example, if you need to be PCI DSS compliant, you first assess the risk in your environment and compare it with what the standard says; your ISA can help you do that before the external assessor (QSA) comes in and assesses your controls (again against the PCI DSS standard) to see your gaps.
upvoted 6 times
homeysl
Most Recent 2 weeks ago
Selected Answer: D
You need to identify the risk to make an informed decision.
upvoted 1 times
Vaneck
2 weeks ago
Selected Answer: D
The most important option to follow when developing information security controls for an organization is D. Perform a risk assessment and choose a standard that addresses existing gaps. This ensures that security controls are specifically tailored to the organization's needs and vulnerabilities, providing more effective protection against identified threats.
upvoted 1 times
oksey
7 months, 1 week ago
Selected Answer: C
Choose the most stringent
upvoted 2 times
Bach1968
8 months, 4 weeks ago
Selected Answer: C
Considering legislation and legal requirements is an important aspect for a company to prioritize. Option C: Review all local and international standards and choose the most stringent based on location highlights the significance of being aware of and complying with relevant laws and regulations.
upvoted 2 times
KelvinYau
10 months ago
Selected Answer: B
I think B
upvoted 1 times
FlimFlam
1 year ago
B is the best answer. Exercising due diligence will require you to perform a risk assessment, and then you will take all risk information into account. B is the all-encompassing answer, making it the best answer.
upvoted 2 times
Dee83
1 year, 2 months ago
D. Perform a risk assessment and choose a standard that addresses existing gaps is the MOST important when developing information security controls for an organization. A risk assessment is a critical step in the process of identifying, evaluating, and prioritizing the risks associated with an organization's information systems, assets, and processes. By performing a risk assessment, the organization can identify vulnerabilities and threats, and determine the likelihood and impact of potential security incidents. Based on the results of the risk assessment, the organization can then implement appropriate controls to mitigate or prevent identified risks, such as choosing a standard that addresses existing gaps in the organization's security posture.
upvoted 2 times
Staanlee
1 year, 3 months ago
The correct answer is B, Exercise due diligence with regard to all risk management information to tailor appropriate controls. When developing information security controls for an organization, it is important to exercise due diligence with regard to all risk management information and tailor the controls to the specific needs and risks of the organization. This involves thoroughly reviewing and understanding the organization's risk profile and risk management processes and using that information to design controls that are appropriate and effective for the organization. By exercising due diligence and tailoring the controls to the organization's specific needs and risks, the organization can ensure that its security controls are effective and aligned with its business objectives.
upvoted 3 times
ikidreamz
1 year, 3 months ago
I think D. I am thinking a new CISO arrives, does a gap analysis (SWOT), then a risk assessment, makes a report and proposes controls/updates to senior management; they decide what to tailor and implement based on the assessment.
upvoted 3 times
Jamati
1 year, 4 months ago
Selected Answer: B
I'll go with B as it is the only management-level decision. The rest are lower level and more on the implementation side.
upvoted 3 times
rootic
1 year, 5 months ago
Selected Answer: B
Think like a manager. Do due diligence and choose controls BASED ON RISK MANAGEMENT.
upvoted 4 times
Eltooth
1 year, 5 months ago
Selected Answer: B
I’m going with B based on due diligence being a management trait that a CISO should demonstrate. Not all local and international standards have to be implemented; management can choose to avoid/accept certain risks.
upvoted 2 times
Nickname53796
1 year, 5 months ago
Selected Answer: B
You develop controls after you have assessed the risks/threats. How could it be D? A and B are nearly the same. I vote B.
upvoted 1 times
Nickname53796
1 year, 5 months ago
Never mind. Tailoring has its own implications. I choose A.
upvoted 1 times
krassko
1 year, 6 months ago
Selected Answer: D
Only D, as only based on a risk assessment and knowing what is worth protecting and what isn't can you proceed with choosing standards, controls, reading best practices, etc. Risk assessment is the most important, and they ask about the most important part.
upvoted 2 times
franbarpro
1 year, 6 months ago
Selected Answer: C
"C" sounds good to me.
upvoted 2 times
franbarpro
1 year, 5 months ago
Meant to say “B”
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other