Certified Information Security Manager (CISM) — Question 1128
Which of the following would be MOST useful to determine the current status of an information security program's maturity level?
Answer options
- A. Business impact analysis (BIA)
- B. Cost-benefit analysis
- C. Benchmark analysis
- D. Risk assessment
Correct answer: C
Explanation
Benchmark analysis is the most effective way to evaluate the maturity level of an information security program, because it compares the program against industry standards and best practices. A business impact analysis (BIA), a cost-benefit analysis, and a risk assessment are each important for understanding specific aspects of security, but they do not provide a comprehensive view of maturity as benchmark analysis does.