Certified Information Security Manager (CISM) — Question 1017

When an organization implements an information security governance framework, it is MOST important for executive leadership to have a direct role in:

Answer options

• A. reviewing the information security policy directing the organization.
• B. developing technical key risk indicators (KRIs) for information security.
• C. implementing information security metrics for the organization.
• D. approving information security standards and procedures for the organization.

Correct answer: A

Explanation

The correct answer is A because executive leadership must ensure that the information security policy aligns with the organization's goals and risk appetite. While developing KRIs, implementing metrics, and approving standards are important, these activities are typically handled by security teams rather than requiring direct involvement from executive leadership.