Which of the following steps is the initial step in developing an information security strategy?

A.
Perform a technical vulnerabilities assessment.

B.
Assess the current levels of security awareness.

C.
Perform a business impact analysis.

D.
Analyze the current business strategy.

Explanation:
Prior to assessing technical vulnerabilities or levels of security awareness, an information security
manager needs to gain an understanding of the current business strategy and direction.
Answer options A and B are incorrect. These are the invalid answers because prior to assessing
technical vulnerabilities or levels of security awareness, an information security manager needs to
gain an understanding of the current business strategy and direction.
Answer option C is incorrect. A business impact analysis is performed prior to developing a business
continuity plan, but this would not be an appropriate first step in developing an information security
strategy.
CISM Review Manual 2010, Contents: “Information Security Governance”