Certified Information Security Manager (CISM) — Question 1123

Which of the following is MOST influential in driving the effectiveness of an information security program?

Answer options

• A. Policies and standards
• B. Organizational risk appetite
• C. Information security metrics
• D. Organizational culture

Correct answer: D

Explanation

Organizational culture plays a critical role in how effectively an information security program is implemented and adhered to, as it shapes employee behavior and attitudes towards security practices. While policies and standards, risk appetite, and security metrics are important, they often rely on a strong culture to be effectively enforced and followed.