An information security organization should PRIMARILY:

A.
support the business objectives of the company by providing security-related support services.

B.
be responsible for setting up and documenting the information security responsibilities of the information
security team members.

C.
ensure that the information security policies of the company are in line with global best practices and
standards.

D.
ensure that the information security expectations are conveyed to employees.

Explanation:

The information security organization is responsible for options B and D within an organization, but they are not its primary mission. Reviewing and adopting appropriate standards (option C) is a requirement. The primary objective of an information security organization is to ensure that security supports the overall business objectives of the company.