An organization without any formal information security program that has decided to implement information
security best practices should FIRST:

A.
invite an external consultant to create the security strategy.

B.
allocate budget based on best practices.

C.
benchmark similar organizations.

D.
define high-level business security requirements.

Explanation:

All four options are valid steps in the process of implementing information security best practices; however,
defining high-level business security requirements should precede the others because the implementation should be based on those security requirements.