Comprehensive and Detailed Explanation
===========
According to EC-Council CCISO documentation, information security controls are broadly categorized into administrative (organizational), technical, and physical controls. When information assurance requirements are assigned to an independent security group, this action represents a governance and structural decision, not a technical or operational one.
The CCISO program clearly defines organizational (administrative) controls as controls that establish roles, responsibilities, separation of duties, governance structures, policies, and oversight mechanisms. Assigning information assurance responsibilities to an independent security group ensures objectivity, accountability, and independence, which are foundational principles emphasized in CCISO governance and leadership modules.
Detective controls, such as logging and monitoring, are designed to identify incidents after they occur. Preemptive and proactive controls focus on anticipating or preventing threats through actions like threat intelligence or predictive analytics. None of these describe the act of structuring authority or responsibility within the organization.
CCISO materials further emphasize that independence of the security function is essential to avoid conflicts of interest and to ensure unbiased risk reporting to senior leadership and the board. This aligns with industry governance best practices and standards such as ISO/IEC 27001, which require defined roles and responsibilities for information security.
Therefore, assigning information assurance requirements to an independent security group is a governance-driven organizational control, making Option B the correct answer.