Certified Information Systems Auditor (CISA) — Question 550
Which of the following key performance indicators (KPIs) provides stakeholders with the MOST useful information about whether information security risk is being managed?
Answer options
- A. The number of security controls implemented
- B. Time from identifying security threats to implementing solutions
- C. Time from security log capture to log analysis
- D. The number of entries in the security risk register
Correct answer: B
Explanation
B is correct because the time from identifying a security threat to implementing a solution measures how responsive the organization is to threats, which indicates how effectively risk is being managed. The other options measure different aspects of security management, such as the volume of controls or log analysis times, and do not directly reflect the effectiveness of risk management.