Certified Information Systems Auditor (CISA) — Question 503
An organization's information security department has recently created a centralized governance model to ensure that network-related findings are remediated within the service level agreement (SLA). What should the IS auditor use to assess the maturity and capability of this governance model?
Answer options
- A. Key risk indicators (KRIs)
- B. Key process controls
- C. Key data elements
- D. Key performance indicators (KPIs)
Correct answer: D
Explanation
The correct answer is D: key performance indicators (KPIs) are specifically designed to measure the effectiveness and efficiency of processes, including governance models. Options A, B, and C do not directly measure performance in the context of governance models, which makes them less suitable for assessing maturity and capability.