Which of the following is an initial consideration when developing an information security management system?
A. Identify the contractual security obligations that apply to the organization
B. Understand the value of the information assets
C. Identify the level of residual risk that is tolerable to management
D. Identify relevant legislative and regulatory compliance requirements
Looks like A is correct
The information security system objectives should be determined by the top management, and reflect the business and regulatory needs of the organisation.
https://ins2outs.com/implement-information-security-management-system/