Certified Information Systems Auditor (CISA) — Question 12
Which of the following is the MAIN purpose of an information security management system?
Answer options
- A. To enhance the impact of reports used to monitor information security incidents
- B. To reduce the frequency and impact of information security incidents
- C. To identify and eliminate the root causes of information security incidents
- D. To keep information security policies and procedures up-to-date
Correct answer: B
Explanation
The correct answer is B because the main purpose of an information security management system (ISMS) is to reduce both the likelihood and the consequences of security incidents. Options A, C, and D describe important supporting activities of security management, namely incident monitoring and reporting (A), root cause analysis (C), and policy and procedure maintenance (D), but each is a means toward that end rather than the primary purpose of the ISMS itself.