An organization is developing a new information security program and wants to ensure it aligns with business objectives. Which of the following is the MOST critical first step?
Aligning with business strategy ensures security enables rather than hinders the business.
Why this answer
Identifying the business strategy and risk appetite is the most critical first step because the information security program must be designed to support the organization's objectives and operate within the risk tolerance that leadership has defined. Without this alignment, later security controls and investments may conflict with business goals, or they may mitigate risks the organization was already willing to accept while missing the ones it is not. Establishing the strategic context first makes security a business enabler rather than a technical silo.
Exam trap
The trap here is that candidates often mistake conducting a comprehensive risk assessment (Option D) for the first step. A risk assessment is essential, but it needs a defined risk appetite and business strategy as input: without them, the assessment has no basis for rating risk severity, deciding what is acceptable, or prioritizing remediation.
How to eliminate wrong answers
Option A is wrong because a security awareness training program is an operational control that should be implemented only after the program's strategic direction, risk appetite, and governance structure are defined; starting with training presumes a security baseline and culture that do not yet exist. Option C is wrong because designing the security architecture from an industry framework (e.g., NIST, ISO 27001) without first understanding the business strategy and risk appetite leads to over-engineering or misalignment, spending resources on controls that do not address the organization's actual risk profile. Option D is wrong because a comprehensive risk assessment depends on a predefined risk appetite and business context to determine which risks are acceptable and which require mitigation; without that context, the assessment has no criteria for prioritizing its findings.