The initial step in establishing an information security program is the: 
A、development and implementation of an information security standards manual. 
B、performance of a comprehensive security control review by the IS auditor. 
C、adoption of a corporate information security policy statement. 
D、purchase of security access control software.