When designing security controls, it is MOST important to:
A. Apply a risk-based approach
B. Apply technical controls for sensitive data
C. Consider business impact analysis (BIA) results
D. Focus on preventive controls
The Answer Is: A
Explanation:
A risk-based approach (A) is fundamental to control design in CISM. Controls must be proportionate to risk, aligned with business objectives, and consistent with risk appetite. Focusing solely on technical controls (B), BIA results (C), or preventive controls (D) limits effectiveness. A risk-based approach ensures balanced use of preventive, detective, and corrective controls.