During a merger, the acquiring company's CISO must integrate the security governance of the target company. The target company has no formal security governance. What is the FIRST step the CISO should take?
Initial assessment informs integration strategy.
Why this answer
Without a formal security governance structure, the CISO must first understand the target company's current security posture through a comprehensive risk assessment. This step identifies vulnerabilities, threats, and gaps in controls, providing the baseline data needed to prioritize integration efforts and align with the acquirer's governance framework. Skipping this assessment risks implementing policies that are irrelevant or ineffective against the target's actual risks.
Exam trap
ISACA often tests the principle that governance integration must begin with understanding the current state (a risk assessment) rather than jumping to policy alignment or implementation; candidates commonly err by assuming that immediate enforcement of the acquirer's framework is the first step.
How to eliminate wrong answers
Option A is wrong because conducting security awareness training before understanding the target's risk profile and existing security gaps is premature; training should be tailored to identified risks and policies, not implemented in a vacuum. Option C is wrong because aligning security policies without first assessing the target's current state can result in policies that conflict with existing technical controls or fail to address critical vulnerabilities. Option D is wrong because immediately implementing the acquirer's governance framework without a risk assessment may disrupt operations, miss unknown threats, and create resistance due to lack of contextual understanding.