The FIRST step in developing an information security management program is to:
A. identify business risks that affect the organization.
B. clarify organizational purpose for creating the program.
C. assign responsibility for the program.
D. assess adequacy of controls to mitigate business risks.
Explanation:
In developing an information security management program, the first step is to clarify the
organization’s purpose for creating the program. This is a business decision based more on
judgment than on any specific quantitative measures. After clarifying the purpose, the other
choices are assigned and acted upon.