Question

The use of a business case to obtain funding for an information security investment is MOST effective when the business case:

A. relates information security policies and standards into business requirements
B. relates the investment to the organization's strategic plan.
C. realigns information security objectives to organizational strategy.
D. articulates management's intent and information security directives in clear language.

Correct Answer: B????? or C????? or others (of course...)

______________________

Note

■ Some good websites claim that the correct answer is B ("relates the investment to the organization's strategic plan").

■ Others good websites claim that the correct answer is C ("realigns information security objectives to organizational strategy").

■ Why B and not C? Why C and not B?

Many thanks!

Answer 1

The use of a business case to obtain funding for an information security investment is MOST effective when the business case:
Answer: B. relates the investment to the organization's strategic plan.

The question is asking about obtaining funds for an information security investment, it needs the business case to be "attractive enough" to secure funding and it requires the investment to adhere to the organisation's strategic plan, hence opetion B is correct. Option A and D are wrong, as they just talk about articulating management's intent and information security directives in clear language or relating information security policies and standards into business requirements.

According to ISACA/CISM's principles the information security shouldn't be compromised and hence Option C is incorrect as the organisation might not be following the appropriate information security principles and it shouldn't be compromised/realigned.

If you need any further help please comment, I will be happy to help, thanks.