An information security program should focus on:
A.
best practices also in place at peer companies.
B.
solutions codified in international standards.
C.
key controls identified in risk assessments.
D.
continued process improvement.
Explanation:
implement to protect the business. Peer industry best practices, international standards and continued process improvement can be used to support the program, but these cannot be blindly implemented without the consideration of business risk.