An information security program should focus on:
A.
best practices also in place at peer companies.
B.
solutions codified in international standards.
C.
key controls identified in risk assessments.
D.
continued process improvement.
Explanation:
Risk assessment identifies the appropriate controls to mitigate identified business risks that the
program should implement to protect the business. Peer industry best practices, international
standards and continued process improvement can be used to support the program, but these
cannot be blindly implemented without the consideration of business risk.