Isaca CISM Exam - Topic 2 Question 103 Discussion

Actual exam question for Isaca's CISM exam

Question #: 103
Topic #: 2

[All CISM Questions]

Which of the following should an information security manager do NEXT after creating a roadmap to execute the strategy for an information security program?

AObtain consensus on the strategy from the executive board.

BReview alignment with business goals.

CDefine organizational risk tolerance.

DDevelop a project plan to implement the strategy.

Show Suggested Answer

Suggested Answer: D

The next thing that an information security manager should do after creating a roadmap to execute the strategy for an information security program is D. Develop a project plan to implement the strategy. This is because a project plan is a detailed document that outlines the scope, objectives, deliverables, milestones, tasks, resources, roles, responsibilities, risks, and dependencies of the implementation process. A project plan can help the information security manager to organize, coordinate, monitor, and control the activities and resources required to execute the strategy and achieve the desired outcomes. A project plan can also facilitate communication, collaboration, and reporting among the project team, stakeholders, and sponsors.

A project plan is a detailed document that outlines the scope, objectives, deliverables, milestones, tasks, resources, roles, responsibilities, risks, and dependencies of the implementation process. (From CISM Manual or related resources)

Reference = CISM Review Manual 15th Edition, Chapter 3, Section 3.1.2, page 1281; CISM Review Questions, Answers & Explanations Manual 9th Edition, Question 74, page 19

by Nickole at Nov 20, 2025, 02:39 PM

Limited Time Offer

25%

Off

Get Premium CISM Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Omega

1 day ago

D seems like the next logical step. A project plan is essential for execution.

upvoted 0 times

...

Francoise

6 days ago

C is important. Knowing risk tolerance helps shape the strategy.

upvoted 0 times

...

Valentin

11 days ago

B makes sense too. The strategy should align with business goals.

upvoted 0 times

...

Vincenza

17 days ago

I’m not sure A) is the best first step...

upvoted 0 times

...

Sol

22 days ago

D) totally agree, project plans are key!

upvoted 0 times

...

Jettie

27 days ago

B) makes sense, gotta align with the biz.

upvoted 0 times

...

Corrie

2 months ago

A) is crucial for buy-in!

upvoted 0 times

...

Gail

2 months ago

D) all the way! Screw the executives, let's just get this security program implemented already.

upvoted 0 times

...

Mitsue

2 months ago

C) Define organizational risk tolerance. Gotta know how much risk the company is willing to take on.

upvoted 0 times

...

Antonio

2 months ago

Haha, the correct answer is obviously D. Who needs executive approval when you can just do your own thing?

upvoted 0 times

...

Stefan

2 months ago

B) Review alignment with business goals. Gotta make sure the security strategy supports the overall business objectives.

upvoted 0 times

...

Stevie

2 months ago

D) Develop a project plan to implement the strategy. That's the logical next step to get the ball rolling.

upvoted 0 times

...

Moira

3 months ago

I thought defining organizational risk tolerance was crucial, but I also see the value in getting executive buy-in. It’s tough to choose!

upvoted 0 times

...

Tamera

3 months ago

I feel like developing a project plan is important, but I can't recall if that should be done right after the roadmap or if we need to check risk tolerance first.

upvoted 0 times

...

Serita

3 months ago

I remember a practice question where aligning with business goals was emphasized as a critical next step. It makes sense to ensure everything is in sync.

upvoted 0 times

...

Dahlia

3 months ago

D for sure. Once you've got the roadmap, the next logical step is to develop a detailed project plan to actually implement the strategy.

upvoted 0 times

...

Gail

3 months ago

I feel like reviewing alignment with business goals (option B) is the way to go. Gotta make sure the security strategy supports the overall business objectives.

upvoted 0 times

...

Karan

3 months ago

Obtaining consensus from the executive board is crucial, so I'd definitely start with option A. Can't move forward without that buy-in.

upvoted 0 times

...

Rosita

4 months ago

I think A is crucial. Getting the board on board is key.

upvoted 0 times

...

Francesco

4 months ago

I think the next step should be to get consensus from the executive board, but I'm not entirely sure if that comes before or after defining risk tolerance.

upvoted 0 times

...

Owen

4 months ago

C) wait, how do you even define risk tolerance?

upvoted 0 times

...

Carin

4 months ago

A) Obtain consensus on the strategy from the executive board. Can't move forward without their buy-in.

upvoted 0 times

...

Aleta

5 months ago

I'm a bit unsure here. Should we be focusing on aligning with business goals first, or is defining risk tolerance more important? I'm torn between B and C.

upvoted 0 times

...

Franklyn

5 months ago

Hmm, I think I'd go with option D. Developing a project plan to implement the strategy seems like the logical next step after creating the roadmap.

upvoted 0 times

Melina

4 months ago

I agree, option D makes sense. A project plan is essential.

upvoted 0 times

...