Which of the following is an initial consideration when developing an information security management system?
A. Identify the contractual security obligations that apply to the organizations
B
. Understand the value of the information assets
C. Identify the level of residual risk that is tolerable to management
D. Identify relevant legislative and regulatory compliance requirements