Certified Information Security Manager (CISM) — Question 1079

Which of the following is the MOST important consideration when evaluating the performance of existing security controls?

Answer options

• A. Interviewing control owners to accurately collect metrics data
• B. Establishing testing scenarios based on international standards
• C. Selecting testing methods that match the purpose of the testing
• D. Obtaining senior management support to facilitate testing

Correct answer: C

Explanation

The correct answer is C because selecting appropriate testing methods ensures that the evaluation aligns with the specific objectives of the security controls being assessed. Options A and B are important but secondary to the actual testing methods used, while D, though supportive, does not directly influence the effectiveness of the testing itself.