Certified Information Security Manager (CISM) — Question 1005
When determining key risk indicators (KRIs) for use in an information security program, it is MOST important to select:
Answer options
- A. KRIs that track both short-term and long-term performance.
- B. KRIs that align with business processes.
- C. KRIs that are quantifiable.
- D. as many KRIs as possible to catch risk events from the broadest areas.
Correct answer: B
Explanation
The correct answer is B because aligning KRIs with business processes ensures that they are relevant and effective in managing risk. Options A and C, while important, do not prioritize business alignment as the most critical factor. Option D may lead to an overwhelming number of KRIs that dilute focus and effectiveness.