As a CISO, which of the following should you develop first?
A. Information security policies
B. Business continuity program
C. Information security strategy
D. Incident response capacity
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Information security strategy.
The suggested sequence is C, A, B, and D.
- A strategy is an approach or overall plan that sets the direction and lays out the initiatives needed to achieve long-term goals.
- Policies play a crucial role in strategic execution. A policy stands for the “intentions and direction of an organization, as formally expressed by its top management” (ISO 22301). It shapes people’s behavior and directs an organization’s operations. Some policies are program policies, used to create or charter programs.
- A strategy comprises a collection of initiatives, usually turned into projects and organized as programs and portfolios.
- Incident response capacity is developed after the business continuity program has been initiated. Business continuity plans set out how teams will respond to disruptions and resume activities.