CISSP PRACTICE QUESTIONS – 20210310

Effective CISSP Questions

As a CISO, which of the following should you consider first?
A. Develop information security policies
B. Conduct business continuity planning
C. Formulate information security strategy
D. Implement information security programs

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Formulate information security strategy.

Business Continuity Policy

Top management fulfills the organizational mission and vision by formulating strategic plans or strategies and directs the implementation of strategies through policies. A strategy typically comprises a collection of portfolios, programs, and projects. There are many types of policies, e.g., program policy, issue-specific policy, system-specific policy, etc. A program policy directs the execution of a program.

My book, The Effective CISSP: Security and Risk Management, has details about strategic management.

Policy

  • A policy refers to “intentions and direction of an organization as formally expressed by its top management.” (ISO 21401:2018)
  • A policy is a “set of rules related to a particular purpose,” (ISO 19101-2:2018) reflecting the management intents.
  • A policy is “a statement of objectives, rules, practices or regulations governing the activities of people within a certain context.” (NISTIR 4734)

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

As a CISO, which of the following should you consider first?
A. Develop information security policies (policy)
B. Conduct business continuity planning (plan)
C. Formulate information security strategy (strategy)
D. Implement information security programs (program)