Question: An organization without any formal information security program that has decided to implement information security best practices should FIRST:
A.) invite an external consultant to create the security strategy.
B.) allocate budget based on best practices.
C.) benchmark similar organizations.
D.) define high-level business security requirements.

Download pdf (with explanations) edition of this exam.