DumpsBox
Home/isaca/Free ISACA CISM Actual Exam Questions/Question 3
← Back to Exam

Free ISACA CISM Actual Exam Questions - Question 3 Discussion

Question No. 3
Which of the following should have the MOST influence on the development of information security
policies?
Select one option, then reveal solution.
US
BF
Brian F.
2026-02-22

It’s B for me. Real threats highlight the actual risks the company faces, so policies need to address those first to be effective and responsive, not just follow high-level strategies or standards.

0
JU
James U.
2026-02-20

It’s A for me. Business strategy sets the overall direction and priorities for the company, so security policies have to support that. If policies don’t align with what the business is trying to achieve, they could end up protecting things that don’t matter or missing what’s critical. Threats and frameworks are important, but they’re more about how to implement security rather than deciding what to focus on first. Industry standards help too, but they’re usually minimum requirements, not the main driver behind policy development.

0
YO
Yasir O.
2026-02-13

Maybe B makes the most sense since real-world threats show what needs to be protected right now, making policies practical and relevant instead of just theoretical or aligned with broad business goals.

0
OC
Omar C.
2026-01-21

Option C makes sense too since an IT security framework provides a structured approach to creating policies. It ensures they follow best practices and cover all necessary areas. Without a solid framework, policies might be inconsistent or miss critical aspects, even if they align with business strategy or threats. So frameworks often guide the actual policy development process.

0
ML
Mason L.
2026-01-20

It’s A for me. The reason is that security policies need to align with what the business is actually trying to achieve. If the policies don’t support the business strategy, they might protect things that aren’t a priority or miss critical areas. While threats and frameworks matter, they should fit into the bigger picture set by the business goals.

0
CJ
Carlos J.
2026-01-18

I get why A seems right, but I think B could be even more critical. If you don’t consider current and past threats, your policies might not address the real risks your company faces. Business strategy is important, sure, but if you ignore what’s actually attacking your systems, you're missing the point. Can a policy really be effective if it’s not threat-informed?

0
CJ
Carlos J.
2026-01-16

A, since security policies should support the business goals first.

0